
Threat Actor Characterization

IcedID


ID: b49db66ae902d18c7180ab952942e74c52874
Categories: Crimeware, Banking Malware, Botnet, Spyware/Stealer, Trojan
Threat types: Credential Theft, Spam, Payload Delivery
Russia DEU, ITA, JPN, USA
Updated: 2026-03-14
Created: 2025-11-01
Progress: 78% Completeness: 81% Freshness: 70%
Operation zone: Germany, Italy, Japan, United States
Aliases: BokBot, Forked IcedID, Ic********* (2 of 3 aliases shown in free preview)
MITRE ATT&CK®

IcedID (BokBot) is a modular banking malware first observed around 2017 that evolved into a loader/backdoor used by criminal access-broker ecosystems. Initially focused on webinject-based credential theft, it now commonly arrives via phishing attachments (Office, ISO/LNK, OneNote + HTA/CMD) and establishes persistence to download additional modules and hand off access to ransomware operators. It supports browser session hijacking, discovery, process injection, and encrypted C2 over HTTPS. Ref: https://attack.mitre.org/software/S0483/


Technique | Technique name | Tactics (evidence is listed beneath each row)

T1566.001 | Spearphishing Attachment | TA0001
  • 2023-03-06 — Phishing: Spearphishing Attachment – IcedID is routinely delivered via phishing emails with malicious attachments (Office documents, compressed archives, ISO/LNK containers, and OneNote files containing HTA/CMD scripts).
T1204.002 | Malicious File | TA0002
  • 2023-03-06 — User Execution: Malicious File – Infection chains rely on users opening malicious documents or container files (Word/Excel, ISO with LNK, OneNote with embedded HTA or CMD) and approving execution of embedded content.
T1218.011 | Rundll32 | TA0005
  • 2023-03-06 — System Binary Proxy Execution: Rundll32 – IcedID stages DLL payloads that are executed via rundll32.exe, including DLLs masquerading as images downloaded to ProgramData or user profile paths.
T1218.007 | Msiexec | TA0005
  • 2020-06-18 — System Binary Proxy Execution: Msiexec – Campaigns installing new IcedID variants inject into msiexec.exe and use it for stealthy module and configuration deployment.
T1059.001 | PowerShell | TA0002
  • 2023-03-06 — Command and Scripting Interpreter: PowerShell – OneNote and CMD droppers invoke PowerShell (for example Invoke-WebRequest) to download and execute IcedID DLLs from attacker-controlled URLs.
T1105 | Ingress Tool Transfer | TA0011
  • 2020-07-15 — Ingress Tool Transfer – Once running, IcedID downloads additional modules, configuration files, and follow-on payloads from its C2 infrastructure over HTTP/HTTPS.
T1071.001 | Web Protocols | TA0011
  • 2020-07-15 — Application Layer Protocol: Web Protocols – IcedID communicates with command and control servers over HTTP/HTTPS, periodically beaconing and retrieving commands or payloads.
T1573.002 | Asymmetric Cryptography | TA0011
  • 2020-07-15 — Encrypted Channel: Asymmetric Cryptography – IcedID uses SSL/TLS-encrypted channels for C2 communication to hinder inspection and protect stolen data in transit.
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | TA0010
  • 2020-07-15 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol – Collected information such as credentials and system data is exfiltrated over HTTPS using the same encrypted web channels as C2.
T1185 | Browser Session Hijacking | TA0009
  • 2017-11-13 — Browser Session Hijacking – Early IcedID variants used man-in-the-browser web injects to hijack online banking sessions and redirect victims to spoofed financial sites.
T1027.002 | Software Packing | TA0005
  • 2020-07-15 — Obfuscated Files or Information: Software Packing – IcedID loader components are packed and encrypted, with imports and configuration resolved only at runtime to hinder static analysis.
T1027.003 | Steganography | TA0005
  • 2020-06-18 — Obfuscated Files or Information: Steganography – Campaigns have embedded IcedID binaries and configuration inside images (for example PNG) that are decoded by the loader at runtime.
T1027.009 | Embedded Payloads | TA0005
  • 2020-07-15 — Obfuscated Files or Information: Embedded Payloads – IcedID has embedded malicious code within otherwise legitimate-looking DLLs to help hide its core functionality.
T1027.013 | Encrypted/Encoded File | TA0005
  • 2020-07-15 — Obfuscated Files or Information: Encrypted/Encoded File – IcedID stores core modules and configuration in encrypted or encoded blobs, only decrypting them in memory during execution.
T1036.005 | Match Legitimate Resource Name or Location | TA0005
  • 2020-07-15 — Masquerading: Match Legitimate Resource Name or Location – IcedID places files in plausible directories and uses names that resemble benign DLLs to blend into the system.
T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004
  • 2023-05-22 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – IcedID has been observed configuring Registry Run keys and scheduled tasks that invoke rundll32 to execute its DLL with an embedded license.dat payload on a recurring basis.
T1053.005 | Scheduled Task | TA0002, TA0003, TA0004
  • 2023-05-22 — Scheduled Task/Job: Scheduled Task – In DFIR-observed intrusions, IcedID established persistence via a scheduled task that regularly runs rundll32.exe pointing to the IcedID DLL and its encoded license.dat file.
T1055.004 | Asynchronous Procedure Call | TA0004, TA0005
  • 2020-07-15 — Process Injection: Asynchronous Procedure Call – IcedID uses Windows APIs such as ZwQueueApcThread to queue APC calls in remote processes and inject its malicious code.
T1055.012 | Process Hollowing | TA0004, TA0005
  • 2020-07-15 — Process Injection: Process Hollowing – IcedID can create benign processes in a suspended state (for example msiexec.exe) and replace their memory with malicious payloads before resuming execution.
T1087.002 | Domain Account | TA0007
  • 2023-05-22 — Account Discovery: Domain Account – During post-compromise discovery, IcedID-related operators issued commands such as "net group "Domain Computers" /domain" and "whoami /upn" to enumerate domain accounts and the current user.
T1069 | Permission Groups Discovery | TA0007
  • 2023-05-22 — Permission Groups Discovery – After IcedID execution, threat actors used commands including "net group "Domain Admins" /domain" and "net localgroup "administrators" /dom" to enumerate high-privilege groups.
T1482 | Domain Trust Discovery | TA0007
  • 2023-05-22 — Domain Trust Discovery – Investigated intrusions show IcedID operators running "nltest /domain_trusts" and "nltest /domain_trusts /all_trusts" to map Active Directory trust relationships.
T1082 | System Information Discovery | TA0007
  • 2023-03-06 — System Information Discovery – IcedID collects system information such as computer name, OS version, hardware and domain details to include in its initial C2 profile.
T1016 | System Network Configuration Discovery | TA0007
  • 2023-05-22 — System Network Configuration Discovery – IcedID post-exploitation tooling executes commands including "ipconfig /all" and "arp -a" to inspect network configuration and reachable hosts.
T1614.001 | System Language Discovery | TA0007
  • 2023-05-22 — System Location Discovery: System Language Discovery – Discovery scripts associated with IcedID adjust the console code page (for example via "chcp"), a behavior used to infer locale and normalize command output.
T1135 | Network Share Discovery | TA0007
  • 2023-05-22 — Network Share Discovery – IcedID operators used commands such as "net view /all" and directory listings against ADMIN$ and C$ shares on remote systems to enumerate accessible network resources.
T1518.001 | Security Software Discovery | TA0007
  • 2020-07-15 — Software Discovery: Security Software Discovery – IcedID queries Windows SecurityCenter (for example via WMI) to identify installed antivirus and security tools on infected hosts.
T1047 | Windows Management Instrumentation | TA0002
  • 2020-07-15 — Windows Management Instrumentation – IcedID has executed binaries via WMI to perform actions on local or remote systems as part of its post-compromise tooling.
T1497 | Virtualization/Sandbox Evasion | TA0005, TA0007
  • 2020-07-15 — Virtualization/Sandbox Evasion – Reporting referenced by ATT&CK notes IcedID’s manipulation of traffic direction systems and filtering to avoid analysis environments and security research infrastructure.
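The ATT&CK rows above describe three host-level behaviours that are cheap to hunt for in endpoint telemetry: rundll32 loading a DLL from ProgramData or a user profile (often with a license.dat argument), Run-key or scheduled-task persistence that points at rundll32, and the burst of domain discovery commands (net group, nltest, whoami /upn, ipconfig /all) quoted in the evidence column. The script below is an added example, not code from this platform or from any vendor report on IcedID; it runs the corresponding detection logic over constructed Sysmon-style process-creation and registry events embedded in the file. The field names (image, cmdline, parent_cmdline, target, details) and the example paths are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Staging directories named in the table: ProgramData and the user's AppData tree.
USER_WRITABLE_DIR = re.compile(r"(?i)[\\/](programdata|users[\\/][^\\/]+[\\/]appdata)[\\/]")
RUNDLL32 = re.compile(r"(?i)(^|[\\/ ])rundll32\.exe\b")
LICENSE_DAT = re.compile(r"(?i)license\.dat")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
# Task Scheduler actions are spawned by the Schedule service instance of svchost.exe.
SCHEDULE_SVC = re.compile(r"(?i)-s\s+Schedule\b")

# Discovery commands quoted in the evidence column, mapped to the technique they evidence.
DISCOVERY_PATTERNS = {
    "T1087.002": re.compile(r'(?i)\bwhoami\s+/upn\b|\bnet\s+group\s+"?domain computers"?'),
    "T1069":     re.compile(r'(?i)\bnet\s+(group\s+"?domain admins"?|localgroup\s+"?administrators"?)'),
    "T1482":     re.compile(r'(?i)\bnltest\s+/domain_trusts\b'),
    "T1016":     re.compile(r'(?i)\bipconfig\s+/all\b|\barp\s+-a\b'),
    "T1135":     re.compile(r'(?i)\bnet\s+view\s+/all\b'),
}

# Constructed sample events (Sysmon Event ID 1 / 13 shape); paths and names are placeholders.
SAMPLE_EVENTS = [
    {"event": "process_create", "ts": "2023-05-22T10:01:03", "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\Users\alice\AppData\Roaming\ExampleDir\example.dll,init /i="C:\Users\alice\AppData\Roaming\license.dat"',
     "parent_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"event": "registry_set", "ts": "2023-05-22T10:01:05", "host": "WS01",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\ExampleDir\example.dll,init"},
    # Benign rundll32 use (Control Panel applet from System32) must not alert.
    {"event": "process_create", "ts": "2023-05-22T10:02:00", "host": "WS01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    # Four distinct discovery commands inside two minutes on the same host.
    {"event": "process_create", "ts": "2023-05-22T10:05:00", "host": "WS01",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r'net group "Domain Admins" /domain'},
    {"event": "process_create", "ts": "2023-05-22T10:05:20", "host": "WS01",
     "image": r"C:\Windows\System32\nltest.exe", "cmdline": r"nltest /domain_trusts /all_trusts"},
    {"event": "process_create", "ts": "2023-05-22T10:05:41", "host": "WS01",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": r"whoami /upn"},
    {"event": "process_create", "ts": "2023-05-22T10:06:10", "host": "WS01",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": r"ipconfig /all"},
    # A lone ipconfig on another host is normal admin activity, not a burst.
    {"event": "process_create", "ts": "2023-05-22T10:07:00", "host": "WS02",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": r"ipconfig /all"},
]


def classify_process(ev):
    """Return the technique IDs evidenced by one process-creation event."""
    hits = []
    cmd = ev.get("cmdline", "")
    if RUNDLL32.search(ev.get("image", "")):
        # rundll32 loading from a user-writable path, or referencing license.dat, matches T1218.011.
        if USER_WRITABLE_DIR.search(cmd) or LICENSE_DAT.search(cmd):
            hits.append("T1218.011")
            if SCHEDULE_SVC.search(ev.get("parent_cmdline", "")):
                hits.append("T1053.005")  # launched by a scheduled task
    for tid, pat in DISCOVERY_PATTERNS.items():
        if pat.search(cmd):
            hits.append(tid)
    return hits


def classify_registry(ev):
    """Return technique IDs for a registry value-set event (Run key pointing at rundll32)."""
    if RUN_KEY.search(ev.get("target", "")) and RUNDLL32.search(ev.get("details", "")):
        return ["T1547.001"]
    return []


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Flag hosts where at least min_distinct discovery techniques fire within one window."""
    per_host = {}
    for ev in events:
        if ev["event"] != "process_create":
            continue
        techs = [t for t in classify_process(ev) if t in DISCOVERY_PATTERNS]
        if techs:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), techs))
    bursts = []
    for host, rows in per_host.items():
        rows.sort(key=lambda r: r[0])
        i = 0
        while i < len(rows):
            start, seen, j = rows[i][0], set(), i
            while j < len(rows) and rows[j][0] - start <= window:
                seen.update(rows[j][1])
                j += 1
            if len(seen) >= min_distinct:
                bursts.append({"host": host, "start": start.isoformat(),
                               "techniques": sorted(seen), "events": j - i})
                i = j  # do not re-alert on the same window
            else:
                i += 1
    return bursts


def analyze(events):
    """Per-event rundll32/Run-key alerts plus the discovery-burst rule; returns alert dicts."""
    alerts = []
    for ev in events:
        techs = classify_process(ev) if ev["event"] == "process_create" else classify_registry(ev)
        # Single discovery commands are too noisy to alert on alone; they only count toward bursts.
        techs = [t for t in techs if t not in DISCOVERY_PATTERNS]
        if techs:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "techniques": techs,
                           "detail": ev.get("cmdline") or ev.get("details")})
    for b in find_discovery_bursts(events):
        alerts.append({"host": b["host"], "ts": b["start"], "techniques": b["techniques"],
                       "detail": f"{b['events']} discovery commands within 5 min"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["ts"], a["host"], ",".join(a["techniques"]), "-", a["detail"])
```

On the constructed events this yields three alerts: the scheduled-task rundll32 launch (T1218.011 plus T1053.005), the Run-key write (T1547.001), and one discovery burst on WS01 covering four techniques; the System32 rundll32 call and the single ipconfig on WS02 stay silent. The burst rule is the piece that separates an IcedID hand-off from routine administration, since any one of the quoted commands is benign on its own.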
Strategic Intelligence
Last updated: 2026-01-19T19:10:14+00:00

IcedID — Preliminary Intelligence

Report ID: CYBER-PI-ICEDID-2026-01-19

Executive Analyst Brief for CISO

1. What is IcedID and why you should care

IcedID is a loader operated by a financially motivated crime group (LUNAR SPIDER) and used by initial access brokers (IABs).

Hunting Playbook

Hunting Playbook — Operational Rules

IOC Appendix
Last updated: 2026-01-19T21:17:24+00:00

IOC Appendix (TLP:WHITE) — IcedID / BokBot

This appendix provides a structured overview of Indicators of Compromise (IOCs) associated with IcedID/BokBot, with a limited set of representative samples and pointers to live feeds rather than a static full corpus.

OSINT Library
Last saved: 2026-01-19T21:38:07+00:00

OSINT Library — IcedID (BokBot)


2018-08-09 — Fox-IT International Blog — “Bokbot: The (re)birth of a banker”

Social Media & Communication

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.