IcedID Malware
Published: 12/28/2025
What is IcedID malware?
IcedID malware is a banking trojan designed to steal sensitive information, particularly financial credentials. Over the years, its functionality has expanded to include deploying ransomware and enabling lateral movement within networks. Known aliases include BokBot. It is considered a high-severity threat due to its advanced evasion techniques and ability to propagate rapidly.
When was IcedID first discovered?
IcedID was first discovered in September 2017 by IBM X-Force researchers. The malware quickly gained attention for its highly targeted attacks against banks and payment platforms, utilizing botnets to extend its reach.
Who created IcedID?
The identities of the individuals or groups behind IcedID remain unknown, but the malware is believed to be the work of advanced cybercriminal organizations due to its sophisticated capabilities and continuous evolution.
What does IcedID target?
IcedID typically targets financial institutions, large corporations, and small-to-medium businesses. It has been observed globally, with particular prevalence in North America and Europe, and affects endpoints by harvesting credentials or acting as a botnet to facilitate further attacks.
IcedID distribution method
IcedID primarily spreads through phishing emails containing malicious attachments or links. It has also been delivered via drive-by downloads, malicious advertisements, and exploit kits. Once downloaded, it leverages web injection techniques to intercept user data.
Technical analysis of IcedID malware
IcedID begins infection by executing a malicious payload that downloads additional components to maintain persistence. Its tactics include injecting malicious code into web pages to steal data and using Command and Control (C2) servers for communication. Advanced evasion techniques like DLL injection and encryption ensure it remains hidden from traditional defenses.
Tactics, Techniques & Procedures (TTPs)
IcedID employs sophisticated MITRE ATT&CK techniques across multiple tactics:
Initial Access:
- T1566.001 - Phishing: Spearphishing Attachment
- T1189 - Drive-by Compromise (cloned legitimate websites)
Execution:
- T1204.002 - User Execution: Malicious File
- T1059.005 - Command and Scripting Interpreter: Visual Basic (obfuscated VBA macros)
- T1047 - Windows Management Instrumentation
- T1218.007 - System Binary Proxy Execution: Msiexec
- T1218.011 - System Binary Proxy Execution: Rundll32
Persistence:
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1053.005 - Scheduled Task/Job: Scheduled Task
Defense Evasion:
- T1055.004 - Process Injection: Asynchronous Procedure Call
- T1055.012 - Process Injection: Process Hollowing (into msiexec.exe)
- T1027.002 - Obfuscated Files or Information: Software Packing
- T1027.003 - Obfuscated Files or Information: Steganography (binaries in RC4 encrypted .png files)
- T1027.009 - Obfuscated Files or Information: Embedded Payloads
- T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
- T1036.005 - Masquerading: Match Legitimate Resource Name or Location
- T1497 - Virtualization/Sandbox Evasion
Credential Access:
- T1185 - Browser Session Hijacking (web injection to harvest banking credentials)
- T1056 - Input Capture (keylogging capabilities)
Discovery:
- T1087.002 - Account Discovery: Domain Account (LDAP queries)
- T1482 - Domain Trust Discovery (using nltest)
- T1082 - System Information Discovery
- T1614.001 - System Location Discovery: System Language Discovery
- T1016 - System Network Configuration Discovery (ipconfig /all)
- T1135 - Network Share Discovery (net view /all)
- T1069 - Permission Groups Discovery (Workgroup membership)
- T1518.001 - Software Discovery: Security Software Discovery (WMIC AV enumeration)
Command and Control:
- T1071.001 - Application Layer Protocol: Web Protocols (HTTPS)
- T1573.002 - Encrypted Channel: Asymmetric Cryptography (SSL/TLS)
- T1106 - Native API (ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, NtResumeThread)
Collection & Exfiltration:
- T1105 - Ingress Tool Transfer (downloads modules and config from C2)
- T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (HTTPS exfiltration)
Indicators of Compromise (IoCs)
Defenders should monitor for these specific, real-world IcedID indicators:
File Hashes (SHA256):
c9c4ed0902df031f72f3ae176895a2b43dc2737f7ce5ab5017134aec0c21dfad— Malicious MSI package (build-123.msi)2ed82c45ca01afb84db23d41f50eecc726a804f4f8b2f5e9c6a561003643194d— 64-bit DLL installere562eafa553e130de12386f8b099d77fc2bdeeebdc5aa3573268bbc73a259c64— Fake gzip binary332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953— Data binary (license.dat)5d58a00e92dcbc86c8d6825f1971e589b17029611f1e3206ac9a6604923e3d90— Persistent IcedID DLL
Command & Control Domains:
- grafielucho[.]com
- manjuskploman[.]com
- qousahaff[.]com
- brojizuza[.]com
- asleytomafa[.]com
Command & Control IP Addresses:
- 104.21.32[.]6
- 45.61.137[.]225
- 45.61.139[.]232
- 45.61.136[.]22
- 162.33.179[.]136
- 159.89.124[.]188
File System Artifacts:
C:\ProgramData\[random_string]\0loader_p1_dll_64_n1_x64_inf.dllC:\Users\[username]\AppData\Roaming\ChronicExample\license.datC:\Users\[username]\AppData\Roaming\[username]\[random]64.dll
Execution Methods:
rundll32.exe [filename] scab /k roluxe752rundll32.exe [filename],init --itpela="[path to license.dat]"- Process hollowing into msiexec.exe
Network Indicators:
- HTTPS connections on port 443 to C2 domains
- BackConnect traffic patterns (secondary C2 channel)
- Self-signed TLS certificates used for man-in-the-browser attacks
Behavioral Indicators:
- Scheduled tasks created in %AppData%\Roaming directories with random folder names
- Process hollowing of msiexec.exe with randomly named .msi files
- WMIC queries for security software enumeration
net view /allcommands for network share discoverynltestdomain trust enumeration
Note: IcedID IoCs change frequently. For current threat intelligence, consult repositories like ThreatFox (abuse.ch), Unit42 Timely Threat Intel, and your threat intelligence feeds.
Source URLs:
- Palo Alto Networks Unit42 IcedID IoCs (October 2023): https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2023-10-31-IOCs-for-IcedID-infection.txt
- ThreatFox IcedID Database: https://threatfox.abuse.ch/browse/malware/win.icedid/
- Red Canary Threat Detection Report - IcedID: https://redcanary.com/threat-detection-report/threats/icedid/
How to know if you’re infected with IcedID?
Systems infected with IcedID often display signs like slowed performance, increased network traffic, and abnormal outbound connections. Additionally, compromised credentials or unauthorized access to accounts may indicate its presence.
IcedID removal instructions
To remove IcedID, immediately disconnect the infected system from the network to limit lateral movement. Use endpoint detection and response (EDR) tools like Huntress’ solutions to perform in-depth scans and quarantine malicious files. Updating antivirus databases and restoring data from backups is also recommended.
Is IcedID still active?
IcedID activity has significantly decreased since late 2023, with its operators appearing to transition to Latrodectus, a likely successor developed by the same threat actors. While legacy IcedID infections may still be encountered, Latrodectus use increased in campaigns throughout February and March 2024, suggesting it's becoming the primary loader for these operators. Organizations should monitor for both IcedID and Latrodectus indicators, as the underlying threat actor infrastructure and tactics remain consistent.
Mitigation & prevention strategies
Organizations should implement robust cybersecurity practices to mitigate the risk of IcedID, including keeping software patched, using multi-factor authentication (MFA), educating users about phishing, and monitoring networks for unusual activity. Huntress’ 24/7 managed detection and response (MDR) services can help detect and neutralize threats like IcedID before they escalate.
Related educational articles & videos
IcedID Malware FAQs