{
	"id": "67d41b00-a8f3-4489-ba54-f54797a4be91",
	"created_at": "2026-04-06T00:06:39.279834Z",
	"updated_at": "2026-04-10T03:33:20.631195Z",
	"deleted_at": null,
	"sha1_hash": "03ed183c6b3e0e8a97f074a81fa237ab6e1723f3",
	"title": "TA571 Threat Actor Delivers IcedID Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74208,
	"plain_text": "TA571 Threat Actor Delivers IcedID Malware | Proofpoint US\r\nBy Axel F and Selena Larson, October 30, 2023\r\nPublished: 2023-10-30 · Archived: 2026-04-05 18:57:25 UTC\r\nWhat happened\r\nProofpoint researchers identified TA571 delivering the Forked variant of IcedID in two campaigns on 11 and 18 October 2023. Both campaigns included over 6,000 messages, each impacting over 1,200 customers in a variety of industries globally.\r\nEmails in the campaigns purported to be replies to existing threads. This is known as thread hijacking. The emails contained 404 TDS URLs linking to the download of a password-protected zip archive with the password listed in the email. The attack chain included a series of checks to validate the recipient before delivering the zip archive.\r\nTA571 lure used in an IcedID campaign on 11 October 2023.\r\nThe zip file contained a VBS script and a benign text file. The VBS script, if double clicked by the user, ran an embedded IcedID Forked loader with regsvr32. The loader in turn downloaded the IcedID bot.\r\nThe use of the Forked IcedID variant is unusual, as it has only been observed in a small number of campaigns. Proofpoint first identified this variant in February 2023. A key difference between the original IcedID variant and the Forked variant was the removal of banking functionality. At the time, Proofpoint assessed actors were using the modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader\r\nPage 1 of 5\r\nTA571 regularly uses 404 TDS in campaigns to deliver malware, including AsyncRAT, NetSupport, and DarkGate. Proofpoint researchers have been tracking 404 TDS since at least September of 2022, and it is used by a number of threat actors.\r\nA traffic distribution system (TDS) is an application used to route web traffic through operator-controlled servers. They can be used by threat actors to redirect traffic to malware downloads and use IP filtering to determine whether to deliver a payload or redirect to a credential harvesting website. Proofpoint assesses 404 TDS is likely shared or sold to other actors due to its involvement in a variety of unrelated phishing and malware campaigns.\r\nAttribution\r\nTA571 is a spam distributor, and this actor sends high volume spam email campaigns to deliver and install a variety of malware for their cybercriminal customers, depending on the subsequent operator’s objectives. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.\r\nWhy it matters\r\nTA571’s delivery of the Forked IcedID variant is unique as Proofpoint does not often observe it in threat data. Additionally, Proofpoint considers TA571 to be a sophisticated cybercriminal threat actor. Its attack chain includes unique filtering using intermediary “gates” for traffic to pass through. These gates, which are intermediary URLs, will filter traffic based on IP and geo-fencing. TA571 may have as many as two gates per campaign. This is to ensure only specifically targeted users receive the malware, and to bypass automated sandboxing or researcher activity.\r\nEmerging Threats signatures\r\n2853110 - ETPRO EXPLOIT_KIT 404 TDS Redirect\r\n2032086 - ET TROJAN Win32/IcedID Request Cookie\r\n2847335 - ETPRO TROJAN Win32/IcedID Stage2 Checkin\r\nIndicators of compromise\r\nIndicator | Description | First Observed\r\n6c6a68da31204cfe93ee86cd85cf668a20259220ad44341b3915396e263e4f86 | SHA256 Payload Example HLSV1249_5361051.zip | 11 October 2023\r\n0a61d734db49fdf92f018532b2d5e512e90ae0b1657c277634aa06e7b71833c4 | SHA256 Payload Example OFFER[2023.10.11_08-07].vbs | 11 October 2023\r\n57897b750473215a2ea6a15070ad5334465019ea4847a2c3c92dae8e5845b2c4 | SHA256 Payload Example ReadMe[2023.10.11_08-07].txt | 11 October 2023\r\na12045a6177dd32af8b39dea93fa92962ff1716381d0d137dede1fc75ecd2c0c | SHA256 IcedID Forked Loader 0050-1.dll | 11 October 2023\r\n5d5bc4f497406b59369901b9a79e1e9d1e0a690c0b2e803f4fbfcb391bcfeef1 | SHA256 IcedID Useqacaw.dll | 11 October 2023\r\nhxxps://gestionhqse[.]com/qd | 404 TDS Redirected to Gate #1 | 11 October 2023\r\nhxxps://gilaniultrasound[.]com/wfhfxtktx | Gate #1 redirected to Gate #2 (which then leads to download of a Zip) | 11 October 2023\r\nmodalefastnow[.]com | IcedID Forked Loader C2 | 11 October 2023\r\nhxxps://jerryposter[.]com/news/1/255/0 | IcedID Bot C2 Communication Observed (Example) | 11 October 2023\r\nopuscards[.]ca | 404 TDS URL Domain | 11 October 2023\r\ncornerbakeryrestaurant[.]net | 404 TDS URL Domain | 11 October 2023\r\nkaro[.]ca | 404 TDS URL Domain | 11 October 2023\r\nekaraj[.]ir | 404 TDS URL Domain | 11 October 2023\r\nroatancruiseship[.]com | 404 TDS URL Domain | 11 October 2023\r\njonanna[.]com | 404 TDS URL Domain | 11 October 2023\r\nliguys[.]com | 404 TDS URL Domain | 11 October 2023\r\nnaughtycharlotte[.]com | 404 TDS URL Domain | 11 October 2023\r\ncompacta[.]com | 404 TDS URL Domain | 11 October 2023\r\nbrandworks[.]com[.]au | 404 TDS URL Domain | 11 October 2023\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader"
	],
	"report_names": [
		"security-brief-ta571-delivers-icedid-forked-loader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03ed183c6b3e0e8a97f074a81fa237ab6e1723f3.pdf",
		"text": "https://archive.orkl.eu/03ed183c6b3e0e8a97f074a81fa237ab6e1723f3.txt",
		"img": "https://archive.orkl.eu/03ed183c6b3e0e8a97f074a81fa237ab6e1723f3.jpg"
	}
}