LUNAR SPIDER is a financially motivated cybercriminal group best known for developing and operating IcedID, also called BokBot, a banking Trojan first observed in 2017. Over time, the group’s role appears to have shifted from classic online banking fraud toward a broader cybercrime service model, supplying malware, access, and infrastructure that can enable ransomware and data theft operations. CrowdStrike identifies LUNAR SPIDER with the community names IcedID, BokBot, and GOLD SWATHMORE, and places its activity around Russia, Eastern Europe, and Europe.
From banking fraud to the ransomware economy
IcedID began life as a banking Trojan built to steal credentials and support wire fraud, including through web-inject techniques. That made LUNAR SPIDER part of a well-established Eastern European cybercrime pattern: malware developers build specialized tools, affiliates distribute them through phishing or other infection channels, and the ecosystem monetizes stolen credentials, fraudulent payments, or access to larger victim networks.
The more important story is how IcedID evolved. Security researchers have increasingly described IcedID as more than a banking Trojan. It became a loader and initial-access tool, giving criminals a foothold inside victim environments that could then be used for reconnaissance, credential theft, lateral movement, data exfiltration, and ransomware deployment. Cybereason documented an IcedID case where attackers moved from initial infection to lateral movement in less than an hour, compromised Active Directory in under 24 hours, and began exfiltration two days after the first infection.
That evolution matters because it places LUNAR SPIDER in the middle of the modern cybercrime supply chain. The group is not only relevant because of the malware it created. It is relevant because its tools can become the entry point for other criminal actors.
The IcedID connection
Most public reporting on LUNAR SPIDER centers on IcedID. CrowdStrike says the group is behind the core development of BokBot, also known as IcedID, and also connects the group to Lotus, a loader first seen in late 2023.
IcedID’s persistence is partly due to its usefulness. It can steal information, establish command-and-control communication, and act as a delivery mechanism for additional malware. In practical terms, this means an IcedID infection may begin with a phishing email or malicious file, but the real damage can come later, when attackers use that foothold to deploy tools such as Cobalt Strike, Brute Ratel, stealers, or ransomware-related payloads.
This “loader” role is one reason law enforcement targeted IcedID as part of Operation Endgame in May 2024. The FBI described the operation as a multinational disruption of malware infrastructure responsible for hundreds of millions of dollars in damages, targeting malware groups including IcedID, Smokeloader, Pikabot, and Bumblebee.
Latrodectus, Lotus, and the post-IcedID transition
After years of IcedID activity, researchers began tracking newer malware families linked to the same ecosystem. Proofpoint and Team Cymru reported that Latrodectus appeared in email threat campaigns in late November 2023, increased in use in February and March 2024, and was likely created by IcedID developers due to similarities and infrastructure overlap.
Elastic Security Labs also described Latrodectus as a possible IcedID replacement, noting behavioral and developmental similarities, including a command handler capable of downloading and executing encrypted payloads.
EclecticIQ later assessed that LUNAR SPIDER shifted away from IcedID toward Latrodectus and Brute Ratel C4, and reported that the group resumed operations after Operation Endgame disrupted parts of the malware ecosystem. Its research also linked LUNAR SPIDER to more than 200 malicious infrastructure elements associated with IcedID and Latrodectus.
This pattern is typical of resilient cybercrime groups. When defenders and law enforcement disrupt one tool, operators rebrand, retool, or move to adjacent malware families. The brand changes, but the underlying business model often survives.
How LUNAR SPIDER attacks work
A typical LUNAR SPIDER-linked intrusion starts with social engineering. Victims may receive malicious email attachments, links, fake business documents, or files masquerading as legitimate forms. The goal is to get the user to execute a first-stage payload.
The DFIR Report analyzed a May 2024 intrusion in which a user ran a heavily obfuscated JavaScript file disguised as a tax form. That script downloaded an MSI package, which deployed a Brute Ratel DLL through rundll32. The Brute Ratel loader then injected Latrodectus into explorer.exe, connected to Cloudflare-proxied command-and-control domains, and retrieved a stealer module. Reconnaissance began about one hour after initial access.
That case illustrates the modern LUNAR SPIDER risk: the initial payload is only the door opener. Once inside, the operators or their partners can move quickly to map the network, steal credentials, deploy remote access tooling, and prepare for broader compromise.
Relationships with the wider cybercrime ecosystem
LUNAR SPIDER appears to operate inside a larger criminal marketplace rather than as an isolated group. EclecticIQ assessed that the group has significant connections within the cybercrime ecosystem, including links to WIZARD SPIDER, the Russia-based group associated with TrickBot and Conti ransomware. It also assessed that LUNAR SPIDER has likely provided initial access to ransomware operators.
Huntress describes LUNAR SPIDER as a Russian-speaking eCrime group active since at least 2017, specializing in malware development and initial access brokerage. It characterizes the group as a decentralized criminal consortium involving malware developers, distribution affiliates, and infrastructure operators.
Attribution should be treated carefully. Cybercriminal ecosystems are fluid. Tool developers, botnet operators, access brokers, ransomware affiliates, and infrastructure providers may overlap without being a single neat organization. Still, the recurring links between IcedID, Latrodectus, Lotus, Brute Ratel deployment, and ransomware-adjacent intrusions make LUNAR SPIDER a significant actor to track.
Law enforcement pressure has hurt, but not ended the threat
Operation Endgame was a major disruption. The FBI said the international action involved a dozen countries, disrupted more than 100 servers, and targeted malware used to gain access to victims’ computers, deploy ransomware, and steal personal and financial login information.
Europol later reported follow-up actions in 2025, including detentions, interrogations, and additional server takedowns based on data seized during the May 2024 operation.
But disruption is not the same as eradication. EclecticIQ assessed that LUNAR SPIDER resumed operations after the 2024 takedown and adapted by using newer tooling such as Latrodectus and Brute Ratel C4.
Why businesses should care
LUNAR SPIDER is dangerous because it sits near the beginning of the kill chain. A single compromised workstation can become the launch point for domain compromise, credential theft, data exfiltration, and ransomware.
Organizations should treat LUNAR SPIDER-linked malware as a high-priority incident, not as a simple commodity infection. In practice, that means:
- Investigate the full intrusion path, not just the first detected file.
- Hunt for credential theft, lateral movement, remote access tools, and suspicious command execution.
- Review identity systems, especially Active Directory, VPN, SSO, and privileged accounts.
- Block known malicious infrastructure where possible, but avoid relying only on indicators because the group changes infrastructure quickly.
- Harden email security, script execution controls, endpoint detection, and application control policies.
- Train finance, HR, and operations teams to treat tax forms, invoices, and shared business documents as common malware lures.
Bottom line
LUNAR SPIDER is not just “the IcedID group.” It represents the evolution of cybercrime from banking Trojans to modular access operations that support ransomware, credential theft, and enterprise compromise. IcedID made the group famous, but Latrodectus, Lotus, and Brute Ratel-linked activity show a broader pattern: when one tool is disrupted, the operators adapt.
For defenders, the key lesson is simple. Treat loader infections as the beginning of a serious intrusion. By the time malware like IcedID or Latrodectus is detected, the attackers may already be preparing the next stage.