What is IcedID malware?
IcedID (also tracked as BokBot) is a modular banking trojan that steals financial credentials by injecting content into banking sessions in the victim's browser. Over the years its role has shifted from pure banking fraud to initial access: it drops follow-on tooling such as Cobalt Strike, the operators move laterally inside the network, and the intrusion frequently ends in ransomware deployment. It is considered a high-severity threat because of its evasion techniques, its wide distribution through spam campaigns, and its use as the entry point for hands-on-keyboard intrusions.
When was IcedID first discovered?
IcedID was first documented in September 2017 by IBM X-Force researchers, who observed it being dropped by the Emotet botnet. The malware quickly gained attention for targeted web-inject attacks against banks, payment platforms and webmail providers, and for riding on other botnets to extend its reach.
Who created IcedID?
The identities of the individuals or groups behind IcedID remain unknown, but the malware is believed to be the work of advanced cybercriminal organizations due to its sophisticated capabilities and continuous evolution.
What does IcedID target?
IcedID typically targets financial institutions, large corporations, and small-to-medium businesses. It has been observed globally, with particular prevalence in North America and Europe. On an infected endpoint it harvests credentials from the browser and, in its loader role, gives the operators a foothold from which to deploy further payloads and move to other hosts.
IcedID distribution method
IcedID primarily spreads through phishing emails carrying malicious attachments or links. In its early years it was dropped by other malware, most notably Emotet; later campaigns used malvertising and container-style attachments (ISO, LNK, OneNote) chosen to get a DLL past email filtering and Mark-of-the-Web checks. Once running, its banking module uses web injection to alter banking pages and intercept what the user types into them.
Technical analysis of IcedID malware
Infection begins with a small loader that contacts a Command and Control (C2) server, downloads the core module, and establishes persistence, typically a Registry Run key or scheduled task that launches the dropped DLL through rundll32.exe from a user-writable directory. The core module injects itself into a legitimate process, hooks the browser to inject content into banking pages and steal submitted data, and communicates with its C2 over encrypted HTTPS. Process injection, encrypted configuration and C2 traffic, frequent repacking of the loader, and execution through signed Windows binaries are what keep it hidden from signature-based defenses.
Tactics, Techniques & Procedures (TTPs)
MITRE ATT&CK Techniques:
Initial Access: Spearphishing Attachment (T1566.001), Spearphishing Link (T1566.002)
Persistence: Registry Run Keys / Startup Folder (T1547.001), Scheduled Task (T1053.005)
Defense Evasion: Process Injection (T1055)
Credential Access: Browser Session Hijacking via web injects (T1185), Credentials from Web Browsers (T1555.003)
Command and Control: Encrypted Channel (T1573)
Exfiltration: Exfiltration Over C2 Channel (T1041)
Behavioral Traits:
Delivered by other botnets (Emotet in its early campaigns) and in turn acts as a loader for follow-on payloads such as Cobalt Strike and ransomware
Employs obfuscated, frequently repacked loaders and living-off-the-land binaries (rundll32.exe, regsvr32.exe) to bypass signature-based detection
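The persistence technique listed above (T1547.001) is one of the more reliable places to catch an IcedID-style loader, because the Run key value has to point at the dropped DLL and name the binary that loads it. The script below is an added example written for this page, not Huntress or IcedID code: it scores Sysmon Event ID 13 (registry value set) records with a heuristic that combines a Run/RunOnce write, a rundll32/regsvr32 launcher, a payload under a user-writable directory, and a DLL invoked by export or ordinal. The field names mirror Sysmon's, the four sample events are constructed for the example, and the weights and threshold are assumptions to tune against your own environment.

```python
"""Heuristic hunt for Run-key persistence of an IcedID-style loader (ATT&CK T1547.001).

Added example for this page, not Huntress or IcedID code. It scores constructed
Sysmon Event ID 13 (RegistryEvent, value set) records; field names follow Sysmon.
"""
from __future__ import annotations

import re
from typing import Iterable

# Writes under Run or RunOnce, for any hive (HKLM, HKCU or HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Signed Windows binaries loaders use to execute a dropped DLL (assumption for the heuristic).
LOLBIN_RE = re.compile(r"\b(rundll32|regsvr32)\.exe\b", re.IGNORECASE)
# Directories a standard user can write to; a persisted DLL from here deserves a look.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\(Roaming|Local)|ProgramData|Users\\Public|Temp)\\", re.IGNORECASE)
# A DLL launched by export name or ordinal (".dll",#1); IcedID randomises the name per build,
# so the pattern is matched on shape rather than on a fixed export.
DLL_EXPORT_RE = re.compile(r'\.dll"?\s*,\s*#?\w+', re.IGNORECASE)

ALERT_THRESHOLD = 4  # assumption: tune against your own baseline

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Ujwqxfc",
     "Details": "rundll32.exe \"C:\\Users\\alice\\AppData\\Roaming\\Xwbeoi\\kdfhe.dll\",#1"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "\"C:\\Program Files\\Vendor\\updater.exe\" /silent"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\upd",
     "Details": "regsvr32.exe /s C:\\ProgramData\\upd\\lic.dll"},
]


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one registry-set event; (0, []) if it is not a Run-key write."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return 0, []
    details = ev.get("Details", "")
    score, reasons = 1, ["write to Run/RunOnce key"]
    if LOLBIN_RE.search(details):
        score += 2
        reasons.append("launched via rundll32/regsvr32")
    if USER_WRITABLE_RE.search(details):
        score += 2
        reasons.append("payload in user-writable directory")
    if DLL_EXPORT_RE.search(details):
        score += 1
        reasons.append("DLL invoked by export/ordinal")
    return score, reasons


def hunt(events: Iterable[dict], threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Return the events whose score reaches the threshold, with the value name and reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "writer": ev.get("Image", ""),
                "command": ev.get("Details", ""),
                "score": score,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['value']} set by {hit['writer']}: {hit['command']}")
        print("    " + "; ".join(hit["reasons"]))
```

The vendor updater in the second sample writes a Run key too, but it points at Program Files with no DLL launcher, so it stays below the threshold; the score is what keeps the rule from paging on every installer. In production the same logic belongs in a SIEM or EDR query, with the writer process (reg.exe, regsvr32.exe from a non-admin session) as an additional signal.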
Indicators of Compromise (IoCs)
The entries below illustrate indicator formats; they are not live indicators and must not be loaded into a blocklist. 192.168.0.x is an RFC 1918 private range and 203.0.113.x is reserved for documentation (TEST-NET-3), so neither can ever be an IcedID C2 address; the hash values are 16 hex characters, shorter than any MD5 (32), SHA-1 (40) or SHA-256 (64) digest; and the domains follow the bank-themed naming IcedID campaigns use without being confirmed indicators. Take current IoCs from a threat-intelligence feed or incident report, and check address ranges and hash lengths before use.
IPs (format example only): 192.168.0.x, 203.0.113.x
Hashes (format example only): a7c5c6d9e44b90f0, d36f0232cf9b4b22
Domains (format example only): examplebank-login.net, secureauthentic.xyz
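Indicator lists copied from reports routinely contain placeholders, wildcards and truncated hashes like the ones above, and a blocklist that silently accepts them either blocks nothing or blocks your own LAN. The script below is an added example for this page, not Huntress code: it checks each indicator's format before it is trusted, rejecting non-routable IP ranges with the standard library's ipaddress module, hashes whose length matches no common digest, and reserved example/test hostnames. The sample list is constructed for the example; the one routable address is Google's public resolver and the well-formed hash is the SHA-256 of empty input, both chosen only as syntactically valid values, not as IcedID indicators.

```python
"""Sanity-check an indicator list before it goes into a blocklist or hunt query.

Added example for this page, not Huntress or IcedID code. Sample indicators are constructed.
"""
from __future__ import annotations

import ipaddress
import re

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname syntax (RFC 1123 labels, at least two labels). Syntax only, not a reputation check.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)
RESERVED_NAME_SUFFIXES = ("example.com", "example.net", "example.org", ".test", ".invalid", ".localhost")


def classify_ip(value: str) -> tuple[bool, str]:
    """Return (usable, reason). Wildcards such as 192.168.0.x fail to parse; private,
    loopback and documentation ranges (RFC 1918, TEST-NET-1/2/3) are rejected because
    no internet-facing C2 can live there."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, "not a parseable IP address (wildcard or typo?)"
    if not addr.is_global:
        return False, f"non-routable address ({addr} is private, reserved or documentation range)"
    return True, "routable"


def classify_hash(value: str) -> tuple[bool, str]:
    """Accept only hex strings whose length matches MD5, SHA-1 or SHA-256."""
    if not HEX_RE.match(value):
        return False, "not hexadecimal"
    algo = HASH_LENGTHS.get(len(value))
    if algo is None:
        return False, f"{len(value)} hex chars matches no MD5/SHA-1/SHA-256 digest"
    return True, algo


def classify_domain(value: str) -> tuple[bool, str]:
    """Accept syntactically valid hostnames that are not reserved example/test names."""
    if not DOMAIN_RE.match(value):
        return False, "invalid hostname syntax"
    if value.lower().rstrip(".").endswith(RESERVED_NAME_SUFFIXES):
        return False, "reserved example/test name"
    return True, "syntactically valid (reputation still unverified)"


CLASSIFIERS = {"ip": classify_ip, "hash": classify_hash, "domain": classify_domain}


def validate(indicators: list[tuple[str, str]]) -> dict[str, list[tuple[str, str, str]]]:
    """Split (kind, value) pairs into 'usable' and 'rejected' lists, each entry carrying its reason."""
    result: dict[str, list[tuple[str, str, str]]] = {"usable": [], "rejected": []}
    for kind, value in indicators:
        ok, reason = CLASSIFIERS[kind](value.strip())
        result["usable" if ok else "rejected"].append((kind, value, reason))
    return result


# Constructed sample list: the page's placeholders plus a few well-formed values.
SAMPLE_INDICATORS = [
    ("ip", "192.168.0.x"),          # wildcard placeholder, RFC 1918
    ("ip", "203.0.113.25"),         # TEST-NET-3, documentation range
    ("ip", "8.8.8.8"),              # Google public DNS: routable syntax only, not an indicator
    ("hash", "a7c5c6d9e44b90f0"),   # 16 hex chars, no digest is this short
    ("hash", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),  # SHA-256 of empty input
    ("domain", "examplebank-login.net"),
    ("domain", "secureauthentic.xyz"),
    ("domain", "c2.example.com"),   # reserved example name
    ("domain", "not a domain!"),
]


if __name__ == "__main__":
    report = validate(SAMPLE_INDICATORS)
    for kind, value, reason in report["rejected"]:
        print(f"REJECT {kind:6} {value:70} {reason}")
    for kind, value, reason in report["usable"]:
        print(f"ok     {kind:6} {value:70} {reason}")
```

Passing the format check only means an indicator is worth looking up; it says nothing about whether the host or hash is actually malicious, which is why the domain reason string still reads "reputation unverified".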
How to know if you’re infected with IcedID?
IcedID rarely produces symptoms a user would notice; slowed performance is not a reliable sign. Look instead for a new Run key or scheduled task that launches rundll32.exe with a DLL from a user-writable directory (AppData, ProgramData), a long-lived rundll32.exe or injected svchost.exe process making periodic outbound HTTPS connections to recently registered domains, banking or webmail sessions that suddenly prompt for extra details, and downstream effects such as compromised credentials, unexpected logins, or Cobalt Strike and other post-exploitation tooling appearing on hosts the malware reached.
IcedID removal instructions
To remove IcedID, first isolate the infected system from the network to stop lateral movement and C2 traffic, keeping it powered on so memory and the injected process can be captured if a forensic investigation is needed. Use endpoint detection and response (EDR) tools like Huntress' solutions to identify the persistence mechanism (Run key or scheduled task), the dropped DLL, and any injected processes, then quarantine them. Because the malware steals credentials, reset passwords and sessions for every account used on the host and check for follow-on activity (Cobalt Strike beacons, new admin accounts, RDP or SMB connections to other systems) before declaring the incident closed. If the intrusion has progressed to ransomware, restore affected data from clean backups; reimaging the host is the safest way to be sure the loader is gone.
Is IcedID still active?
Yes, IcedID has remained in circulation, with operators releasing new variants and using it to distribute ransomware and other payloads. Its activity fell sharply after the May 2024 Operation Endgame law-enforcement action against its infrastructure, and much of the same tradecraft reappeared in the Latrodectus loader, so detections written for IcedID's persistence, process injection and C2 behavior remain relevant against its successors.
Mitigation & prevention strategies
Organizations should implement robust cybersecurity practices to mitigate the risk of IcedID: keep software patched, enforce multi-factor authentication (MFA) so stolen passwords alone are not enough, block or quarantine ISO, LNK and OneNote attachments from external mail, restrict rundll32.exe and regsvr32.exe from loading DLLs out of user-writable directories, educate users about phishing, and monitor for new Run keys, scheduled tasks and unexpected outbound HTTPS from system binaries. Huntress' 24/7 managed detection and response (MDR) services can help detect and neutralize threats like IcedID before they escalate.