On October 16, 2025, CorpLocal’s security team spotted a single workstation acting up, followed by a ransom note and proof of massive data theft. What began as one user visiting a malicious site exploded into a full domain takeover: silent process injections, credential harvesting, lightning-fast lateral movement, and a final data haul before the attackers vanished.
Welcome to the Latrodectus – LunarSpider lab! Step into the shoes of an elite threat hunter and dismantle a real-world intrusion by the Latrodectus malware. Starting with a drive-by compromise on MS01, the attackers used living-off-the-land binaries, custom DLL beacons, stolen domain accounts, and tooling to exfiltrate data from DC01, BS, and FS.
Your job: use Splunk SIEM logs and disk triage images from four compromised hosts to trace every move. Master real-world techniques like process injection, credential dumping, and lateral movement via custom named pipes, while mapping the five C2 servers used by the attacker throughout the campaign.
To start dissecting this incident, our primary goal is to identify the ransomware note, as it often marks the attack's culmination and provides insights into the threat actor's demands and capabilities. Ransomware notes typically contain instructions for payment or data recovery, helping us understand the extortion vec
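One practical way to locate the ransom note in the disk triage images is to sweep the exported file tree for small text files that contain extortion language and were dropped into many folders with identical content. The script below is an added example, not part of the lab page or its official solution; it assumes the triage image has been exported to a plain directory tree, uses a hypothetical keyword list that should be tuned per case, and builds a constructed sample tree so it runs offline.

```python
"""Hunt for ransom-note candidates in a disk triage export.

Added example (not part of the lab page or its official solution).
Assumptions: the triage image has been exported to a directory tree
(`root`); notes are small text files dropped into many folders with
near-identical content. The sample files created below are constructed.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Phrases commonly seen in extortion notes; each distinct hit adds one point.
# Hypothetical list for this example, tune per investigation.
NOTE_PATTERNS = [
    r"your (files|data|network) (have|has) been encrypted",
    r"\bdecrypt(ion|or)?\b",
    r"\bbitcoin\b|\bbtc\b|\bmonero\b",
    r"\.onion\b|\btor browser\b",
    r"\bpay(ment)?\b|\bransom\b",
    r"\bleak(ed)?\b|\bpublish(ed)?\b",
]
MAX_NOTE_BYTES = 64 * 1024
NOTE_EXTENSIONS = {".txt", ".html", ".hta", ".readme", ""}


def score_note(text: str) -> int:
    """Count how many distinct extortion phrases appear in the text."""
    lowered = text.lower()
    return sum(1 for pat in NOTE_PATTERNS if re.search(pat, lowered))


def find_ransom_notes(root: str, min_score: int = 3):
    """Walk the triage tree and group suspicious small text files by content hash.

    Returns a list of dicts sorted by (number of drop locations, score),
    most suspicious first. A note copied into every folder of a profile
    shows up as one entry with many paths, which is the typical signature.
    """
    groups = defaultdict(lambda: {"score": 0, "name": None, "paths": []})
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            ext = os.path.splitext(fname)[1].lower()
            if ext not in NOTE_EXTENSIONS:
                continue
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # unreadable artifact, skip rather than abort the sweep
            score = score_note(raw.decode("utf-8", errors="ignore"))
            if score < min_score:
                continue
            entry = groups[hashlib.sha256(raw).hexdigest()]
            entry["score"] = score
            entry["name"] = fname
            entry["paths"].append(path)
    result = [dict(sha256=digest, **entry) for digest, entry in groups.items()]
    result.sort(key=lambda e: (len(e["paths"]), e["score"]), reverse=True)
    return result


def build_sample_triage(root: str) -> None:
    """Create a constructed triage tree: one note copied into several user folders."""
    note = (
        "ALL YOUR FILES HAVE BEEN ENCRYPTED.\n"
        "To decrypt them, contact us via Tor Browser at <placeholder>.onion\n"
        "Payment in Bitcoin only. Refuse and your data will be published.\n"
    )
    for sub in ("Users/alice/Desktop", "Users/alice/Documents", "Users/bob/Desktop"):
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "README_TO_RESTORE.txt"), "w") as fh:
            fh.write(note)
    # A benign text file that must not be flagged (only one weak keyword hit).
    with open(os.path.join(root, "Users/alice/Documents/notes.txt"), "w") as fh:
        fh.write("Grocery list: milk, eggs. Remember to pay the electricity bill.\n")


def demo_run():
    """Build the constructed tree in a temp dir and return the sweep results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_triage(tmp)
        return find_ransom_notes(tmp)


if __name__ == "__main__":
    for hit in demo_run():
        print(f"{hit['name']} score={hit['score']} dropped in {len(hit['paths'])} places")
```

Grouping by SHA-256 rather than by file name matters in practice: some families randomise the note's file name per host but keep the body identical, so the content hash is the stable pivot, and the same hash can then be searched across the other triage images and the Splunk file-creation events to order the hosts on a timeline.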