
Security researchers have uncovered a sophisticated new malware family that borrows heavily from notorious banking trojans, raising concerns about evolving ransomware threats.
Zscaler ThreatLabz discovered YiBackdoor in June 2025, a backdoor malware that shares significant code with IcedID and Latrodectus—two established threats previously used in banking fraud and ransomware attacks. The connection suggests cybercriminals are recycling proven attack methods to create new, potentially more dangerous tools.
"YiBackdoor contains significant code overlaps with IcedID and Latrodectus," Zscaler ThreatLabz researchers noted in their analysis. The malware can collect system information, capture screenshots, execute arbitrary commands, and deploy additional plugins that expand its capabilities—essentially giving attackers complete remote control over infected systems.
What makes YiBackdoor particularly concerning is its sophisticated evasion techniques. The malware employs multiple anti-analysis methods to avoid detection by security software, including checking for virtual environments commonly used by cybersecurity researchers and dynamically loading system functions to hide its activities.
The malware establishes persistence by copying itself to random locations and using Windows registry entries to ensure it survives system reboots. It communicates with command-and-control servers using encrypted traffic that changes encryption keys daily, making network-based detection more challenging.
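The persistence behaviour described above (a copy of the binary dropped in an unusual location and registered in an autorun registry key) is the kind of thing a defender can triage with a simple heuristic. The script below is an added example written for this page, not code from Zscaler ThreatLabz or from the report; the registry key names, trusted directories, and the three sample autorun entries are assumptions and constructed data, not indicators taken from the article.

```python
import re
from pathlib import PureWindowsPath

# Assumed: the standard autorun keys an analyst would audit first. The
# article only says "Windows registry entries"; it does not name the keys.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Assumed: directories where legitimate autorun targets normally live.
TRUSTED_DIRS = (
    "C:\\Program Files",
    "C:\\Program Files (x86)",
    "C:\\Windows\\System32",
)

# Constructed sample data: (key, value name, command line) as an analyst
# might export them. The third entry is a made-up suspicious one.
SAMPLE_AUTORUNS = [
    (AUTORUN_KEYS[0], "SecurityHealth",
     r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    (AUTORUN_KEYS[1], "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (AUTORUN_KEYS[1], "Updater",
     r'"C:\Users\alice\AppData\Roaming\Qk8f2Zp1\x7Kq2pLz.exe"'),
]


def extract_exe_path(command: str) -> str:
    """Pull the executable path out of a Run-key command line.

    Handles a quoted path followed by arguments, or a bare path.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split()[0] if command else ""


def looks_random(stem: str) -> bool:
    """Heuristic for generated file names: 8+ alphanumeric characters that
    mix letters and digits, or that contain no vowels at all."""
    if len(stem) < 8 or not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    no_vowels = re.search(r"[aeiouAEIOU]", stem) is None
    return (has_digit and has_alpha) or no_vowels


def in_trusted_dir(path: str) -> bool:
    low = path.lower()
    return any(low.startswith(d.lower()) for d in TRUSTED_DIRS)


def triage_entry(key: str, name: str, command: str) -> dict:
    """Score one autorun entry; an empty reasons list means nothing flagged."""
    path = extract_exe_path(command)
    reasons = []
    if not in_trusted_dir(path):
        reasons.append("target outside trusted program directories")
    if looks_random(PureWindowsPath(path).stem):
        reasons.append("random-looking executable name")
    return {"key": key, "name": name, "path": path, "reasons": reasons}


def find_suspicious(entries) -> list:
    """Return only the entries that tripped at least one heuristic."""
    return [r for r in (triage_entry(*e) for e in entries) if r["reasons"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_AUTORUNS):
        print(f"[!] {hit['key']}\\{hit['name']} -> {hit['path']}: "
              f"{'; '.join(hit['reasons'])}")
```

Both heuristics are deliberately coarse: legitimate software does sometimes run from a user profile, and a name-entropy check alone misfires on long product names, so hits are a starting point for analyst review rather than a verdict. On a real host the entries would come from a registry export or an autoruns-style tool instead of the constructed list.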
Researchers discovered YiBackdoor uses an identical encryption algorithm previously employed by IcedID, along with matching character sets for generating randomized strings. Most notably, both malware families share the same Windows GUID list—digital fingerprints that strongly suggest code reuse between development teams.
Currently, YiBackdoor appears to be in development or testing phases, with researchers observing limited deployments. However, its connection to IcedID—which evolved from a banking trojan into a ransomware delivery mechanism—suggests similar potential for YiBackdoor.
Organizations should maintain updated antivirus software, implement network monitoring for suspicious encrypted traffic, and train employees to recognize phishing attempts that typically deliver such malware. The discovery underscores how cybercriminals continuously adapt existing tools to create new threats.