Lunar Spider Campaign: Single Click Leads to Two-Month Intrusion and Domain Admin Theft
A cybercriminal group known as Lunar Spider executed a sprawling operation that began with a single click on a bogus file and culminated in weeks of sustained control over the victim’s infrastructure.
According to analysts at The DFIR Report, the campaign was initiated in May 2024 when an employee of an unnamed organization opened an obfuscated JavaScript file masquerading as a tax form. That script fetched an MSI package which, using the legitimate Windows utility rundll32, injected the Brute Ratel library.
From there, the attackers deployed the Latrodectus malware, implanting it into the explorer.exe process and establishing command-and-control channels concealed behind Cloudflare proxies. Within the first hour the malware loaded an infostealer module capable of exfiltrating credentials.
Latrodectus has demonstrated extensive capabilities: it targeted 29 Chromium-based browsers — including Chrome, Edge, Vivaldi, and Yandex Browser — while separately harvesting Firefox profiles by extracting cookies.sqlite. The malware also harvested Microsoft Outlook data (versions 11.0–17.0) by querying the system registry to retrieve mail client configurations. Operators thus obtained SMTP, POP3, IMAP and NNTP server addresses, port numbers, usernames, and encrypted passwords.
On the third day, the intruders discovered an unattend.xml file left from an automated deployment that contained domain administrator passwords in cleartext. Within twenty-four hours they executed lsassa.exe via BackConnect, instantly elevating privileges to domain level and paving the way for lateral movement across the network.
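A defender-side check for the escalation point described above, added here as an example (not code from The DFIR Report or this article): it parses a Windows unattend.xml answer file and reports which credential elements it still carries, treating the base64 "PlainText=false" form as reversible rather than protected. The sample answer file, domain and account names are constructed.

```python
import xml.etree.ElementTree as ET

U = "{urn:schemas-microsoft-com:unattend}"  # unattend.xml namespace

# Constructed sample: a deployment answer file holding domain-join credentials
# and an autologon password, the kind of artifact found in the intrusion.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin"><Identification><Credentials>
      <Domain>corp.example</Domain><Username>svc_deploy</Username>
      <Password>Deploy-Passw0rd!</Password>
    </Credentials></Identification></component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon><Username>Administrator</Username>
        <Password><Value>AutoLogon-Secret</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
      <UserAccounts><AdministratorPassword>
        <Value>QQBkAG0AaQBuAA==</Value><PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
    </component>
  </settings>
</unattend>"""

def audit_unattend(xml_text):
    """Return (component, element, username, exposure) for each stored credential;
    secrets are never returned. PlainText=false is base64 only, not encryption."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for comp in root.iter(U + "component"):
        for elem in comp.iter():
            tag = elem.tag.split("}")[-1]
            if not tag.endswith("Password"):
                continue
            value = elem.find(U + "Value")
            if value is None:  # UnattendedJoin form: <Password>text</Password>, always cleartext
                secret, plain = elem.text, True
            else:              # Shell-Setup form: <Value/> plus <PlainText/>
                secret = value.text  # a missing PlainText is treated conservatively as cleartext
                plain = elem.findtext(U + "PlainText", "true").strip().lower() == "true"
            if not (secret or "").strip():
                continue
            user = parents[elem].findtext(U + "Username", "")
            findings.append((comp.get("name", "?"), tag, user,
                             "cleartext" if plain else "base64 (reversible)"))
    return findings
```

Run it over C:\Windows\Panther\Unattend.xml and C:\Windows\System32\Sysprep\ copies left on built hosts; any finding means the file should be deleted and the listed accounts' passwords rotated.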
To obscure their presence, Lunar Spider extensively injected code into legitimate Windows processes such as explorer.exe, sihost.exe, and spoolsv.exe. They established persistence through registry autorun keys and scheduled tasks so that control would survive reboots or partial remediation. The threat actors employed multiple frameworks — Brute Ratel, Latrodectus, and Cobalt Strike — providing redundancy and resilience to their C2 infrastructure.
With access to domain resources, the attackers were able to execute administrative processes (for example, gpupdate.exe) via sihost.exe. Nearly three weeks into the intrusion they began exfiltrating files from servers, using a renamed Rclone to transfer data over FTP; this export ran for roughly ten hours. In total, Lunar Spider maintained access to the network for approximately two months. Notably, there were no recorded ransomware deployments: the operation clearly prioritized data theft over destructive or disruptive extortion.
The campaign underscores the group’s high degree of tradecraft: a multi-stage intrusion chain, camouflage through legitimate software, the coordinated use of multiple C2 channels, and the exploitation of non-obvious escalation points. Collectively, these elements point to a long-term intelligence-gathering strategy rather than a one-off extortion scheme.