Glitch effectGlitch effect

IcedID Malware

Published: 12/28/2025


What is IcedID malware?

IcedID malware is a banking trojan designed to steal sensitive information, particularly financial credentials. Over the years, its functionality has expanded to include deploying ransomware and enabling lateral movement within networks. Known aliases include BokBot. It is considered a high-severity threat due to its advanced evasion techniques and ability to propagate rapidly.

When was IcedID first discovered?

IcedID was first discovered in September 2017 by IBM X-Force researchers. The malware quickly gained attention for its highly targeted attacks against banks and payment platforms, utilizing botnets to extend its reach.

Who created IcedID?

The identities of the individuals or groups behind IcedID remain unknown, but the malware is believed to be the work of advanced cybercriminal organizations due to its sophisticated capabilities and continuous evolution.

What does IcedID target?

IcedID typically targets financial institutions, large corporations, and small-to-medium businesses. It has been observed globally, with particular prevalence in North America and Europe, and affects endpoints by harvesting credentials or acting as a botnet to facilitate further attacks.

IcedID distribution method

IcedID primarily spreads through phishing emails containing malicious attachments or links. It has also been delivered via drive-by downloads, malicious advertisements, and exploit kits. Once downloaded, it leverages web injection techniques to intercept user data.

Technical analysis of IcedID malware

IcedID begins infection by executing a malicious payload that downloads additional components to maintain persistence. Its tactics include injecting malicious code into web pages to steal data and using Command and Control (C2) servers for communication. Advanced evasion techniques like DLL injection and encryption ensure it remains hidden from traditional defenses.

Tactics, Techniques & Procedures (TTPs)

IcedID employs sophisticated MITRE ATT&CK techniques across multiple tactics:

Initial Access:

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1189 - Drive-by Compromise (cloned legitimate websites)

Execution:

  • T1204.002 - User Execution: Malicious File
  • T1059.005 - Command and Scripting Interpreter: Visual Basic (obfuscated VBA macros)
  • T1047 - Windows Management Instrumentation
  • T1218.007 - System Binary Proxy Execution: Msiexec
  • T1218.011 - System Binary Proxy Execution: Rundll32

Persistence:

  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1053.005 - Scheduled Task/Job: Scheduled Task

Defense Evasion:

  • T1055.004 - Process Injection: Asynchronous Procedure Call
  • T1055.012 - Process Injection: Process Hollowing (into msiexec.exe)
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1027.003 - Obfuscated Files or Information: Steganography (binaries in RC4 encrypted .png files)
  • T1027.009 - Obfuscated Files or Information: Embedded Payloads
  • T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
  • T1036.005 - Masquerading: Match Legitimate Resource Name or Location
  • T1497 - Virtualization/Sandbox Evasion

Credential Access:

  • T1185 - Browser Session Hijacking (web injection to harvest banking credentials)
  • T1056 - Input Capture (keylogging capabilities)

Discovery:

  • T1087.002 - Account Discovery: Domain Account (LDAP queries)
  • T1482 - Domain Trust Discovery (using nltest)
  • T1082 - System Information Discovery
  • T1614.001 - System Location Discovery: System Language Discovery
  • T1016 - System Network Configuration Discovery (ipconfig /all)
  • T1135 - Network Share Discovery (net view /all)
  • T1069 - Permission Groups Discovery (Workgroup membership)
  • T1518.001 - Software Discovery: Security Software Discovery (WMIC AV enumeration)

Command and Control:

  • T1071.001 - Application Layer Protocol: Web Protocols (HTTPS)
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography (SSL/TLS)
  • T1106 - Native API (ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, NtResumeThread)

Collection & Exfiltration:

  • T1105 - Ingress Tool Transfer (downloads modules and config from C2)
  • T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (HTTPS exfiltration)

Indicators of Compromise (IoCs)

Defenders should monitor for these specific, real-world IcedID indicators:

File Hashes (SHA256):

  • c9c4ed0902df031f72f3ae176895a2b43dc2737f7ce5ab5017134aec0c21dfad — Malicious MSI package (build-123.msi)
  • 2ed82c45ca01afb84db23d41f50eecc726a804f4f8b2f5e9c6a561003643194d — 64-bit DLL installer
  • e562eafa553e130de12386f8b099d77fc2bdeeebdc5aa3573268bbc73a259c64 — Fake gzip binary
  • 332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953 — Data binary (license.dat)
  • 5d58a00e92dcbc86c8d6825f1971e589b17029611f1e3206ac9a6604923e3d90 — Persistent IcedID DLL

Command & Control Domains:

  • grafielucho[.]com
  • manjuskploman[.]com
  • qousahaff[.]com
  • brojizuza[.]com
  • asleytomafa[.]com

Command & Control IP Addresses:

  • 104.21.32[.]6
  • 45.61.137[.]225
  • 45.61.139[.]232
  • 45.61.136[.]22
  • 162.33.179[.]136
  • 159.89.124[.]188

File System Artifacts:

  • C:\ProgramData\[random_string]\0loader_p1_dll_64_n1_x64_inf.dll
  • C:\Users\[username]\AppData\Roaming\ChronicExample\license.dat
  • C:\Users\[username]\AppData\Roaming\[username]\[random]64.dll

Execution Methods:

  • rundll32.exe [filename] scab /k roluxe752
  • rundll32.exe [filename],init --itpela="[path to license.dat]"
  • Process hollowing into msiexec.exe

Network Indicators:

  • HTTPS connections on port 443 to C2 domains
  • BackConnect traffic patterns (secondary C2 channel)
  • Self-signed TLS certificates used for man-in-the-browser attacks

Behavioral Indicators:

  • Scheduled tasks created in %AppData%\Roaming directories with random folder names
  • Process hollowing of msiexec.exe with randomly named .msi files
  • WMIC queries for security software enumeration
  • net view /all commands for network share discovery
  • nltest domain trust enumeration

Note: IcedID IoCs change frequently. For current threat intelligence, consult repositories like ThreatFox (abuse.ch), Unit42 Timely Threat Intel, and your threat intelligence feeds.

Source URLs:

Malware Guide

Our malware guide shows you how to shut down those infiltration paths before they ever become a crisis.

Read the Malware Guide

How to know if you’re infected with IcedID?

Systems infected with IcedID often display signs like slowed performance, increased network traffic, and abnormal outbound connections. Additionally, compromised credentials or unauthorized access to accounts may indicate its presence.

IcedID removal instructions

To remove IcedID, immediately disconnect the infected system from the network to limit lateral movement. Use endpoint detection and response (EDR) tools like Huntress’ solutions to perform in-depth scans and quarantine malicious files. Updating antivirus databases and restoring data from backups is also recommended.

Is IcedID still active?

IcedID activity has significantly decreased since late 2023, with its operators appearing to transition to Latrodectus, a likely successor developed by the same threat actors. While legacy IcedID infections may still be encountered, Latrodectus use increased in campaigns throughout February and March 2024, suggesting it's becoming the primary loader for these operators. Organizations should monitor for both IcedID and Latrodectus indicators, as the underlying threat actor infrastructure and tactics remain consistent.

Mitigation & prevention strategies

Organizations should implement robust cybersecurity practices to mitigate the risk of IcedID, including keeping software patched, using multi-factor authentication (MFA), educating users about phishing, and monitoring networks for unusual activity. Huntress’ 24/7 managed detection and response (MDR) services can help detect and neutralize threats like IcedID before they escalate.

IcedID Malware FAQs

IcedID is a banking trojan designed to steal credentials and financial information. It utilizes tactics like web injection, botnets, and C2 servers to infect systems and facilitate subsequent attacks.

IcedID commonly infects systems through phishing emails containing malicious attachments or links, as well as drive-by downloads and exploit kits.

Yes, IcedID remains an active and evolving threat, with cybercriminals continuing to update it with new functionalities. It is still used in high-profile attacks worldwide.

Organizations can protect against IcedID by implementing strong email filters, using managed detection and response (MDR) tools, enabling MFA, and conducting regular cybersecurity training for employees.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free