{
	"id": "8a75f03f-b3c8-4f4a-a216-1dcc65bc16fa",
	"created_at": "2026-04-06T00:14:55.305267Z",
	"updated_at": "2026-04-10T13:12:31.107697Z",
	"deleted_at": null,
	"sha1_hash": "0ce2c3e8153e314b1f45dd1b52132f7c53ed148b",
	"title": "IcedID Command and Control Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53289,
	"plain_text": "IcedID Command and Control Infrastructure\r\nBy Silent Push Threat Team\r\nPublished: 2021-04-25 · Archived: 2026-04-05 17:24:26 UTC\r\nEarlier this week, the DFIR Report published an interesting analysis of an intrusion with the notorious Sodinokibi/REvil ransomware. The intrusion used IcedID as the initial access broker: many ransomware actors use another malware campaign to gain access to an internal network, and IcedID has become a very popular choice for that.\r\nThis blog post demonstrates how the IOCs shared by the DFIR Report can uncover more command and control infrastructure linked to IcedID, some of which has not been published before.\r\nIcedID, also known as Bokbot, was discovered by IBM X-Force in November 2017. Initially operating as a banking trojan, it has since made the same move that Emotet had made previously and is now used to serve as a foothold within a network. This foothold is then later used by a ransomware operation.\r\nThe DFIR Report’s analysis lists cikawemoret34[.]space and nomovee[.]website as IcedID command and control servers used during the intrusion. These domains were hosted on the IP addresses 206.189.10[.]247 and 161.35.109[.]168 respectively.\r\nIt is always a good idea to see what other domains were hosted on these IP addresses. Using Silent Push passive DNS data, on 206.189.10[.]247, Martijn also found the following domains:\r\n33nachoscocso[.]website\r\nberxion9[.]online\r\nchinavillage[.]uno\r\nemanielepolikutuo1[.]website\r\ngommadrilla[.]space\r\noskolko[.]uno\r\nprolomstenn[.]fun\r\nWhile on 161.35.109[.]168, Martijn found:\r\naspergerr[.]top\r\nkneelklil[.]uno\r\nnewstationcosmo8[.]space\r\nUnsurprisingly, most of these domains have been publicly linked to IcedID.\r\nAll the domains were registered through Porkbun in February or March and parked there initially before switching to Cloudflare’s name servers and pointing to the aforementioned IP addresses. This switching happened at different times for different domains, suggesting that the switch was made just before a domain was used in a campaign.\r\nOne domain stands out:\r\nemanielepolikutuo1[.]\r\nThis website first switched to using name servers belonging to Russia’s Server Space and pointing to the IP address 143.198.25[.]214, before switching to Cloudflare and 206.189.10[.]247 a little over a week later.\r\nSo, looking at 143.198.25[.]214, the following domains hosted there can be found:\r\napouvtios2[.]uno\r\nawefoplou5[.]site\r\nchajkovsky[.]space\r\ndaserwewlollipop[.]club\r\ndastemodaste[.]fun\r\nemanielepolikutuo1[.]website\r\nohbluebennihill[.]website\r\nseconwowa[.]cyou\r\nviolonchelistto[.]space\r\nzomonedu3[.]website\r\nAll but one of these domains were registered at Porkbun; the exception is the slightly older seconwowa[.]cyou, which was registered through NameSilo.\r\nJust like the previous set of domains, all these domains switched to using Cloudflare’s name servers at some point and switched IP addresses at the same time. However, some first pointed to 83.97.20[.]176 before pointing to 143.198.25[.]214. On the former IP address, four more domains were found:\r\nameripermanentno[.]website\r\nmazzappa[.]fun\r\nodichaly[.]space\r\nvaccnavalcod[.]website\r\nAgain, these used the same pattern of registering at Porkbun before switching to Cloudflare’s name servers and the above IP address.\r\nOf the latter two lists of domains, only some have been publicly linked to IcedID activity. However, the similarities noted above, as well as the choice of TLDs, suggest these domains belong to the same infrastructure and either have been or will be used in IcedID campaigns.\r\nThere is a pattern here: a domain gets registered, usually at Porkbun, and parked there for a while before its name servers switch to those of Cloudflare, at which point the domain points to a new IP address. This IP address hosts multiple of these domains. There is also a preference for slightly unusual top-level domains.\r\nUsing this pattern, one can dig into the Silent Push data trove to look for other domains that satisfy it. After sifting through the results to filter out false positives, the analyst ends up with a list of domain names and corresponding IP addresses which he considered very likely to belong to IcedID’s infrastructure.\r\nMany of these indicators have been published previously, for example on Maltrail’s GitHub, but many others have not been publicly linked to IcedID before.\r\nYou can find the full list of 58 IP addresses and 323 domain names (and 402 combinations: some domain names have pointed to multiple IP addresses) on our GitHub page.\r\nConclusion\r\nMalware like IcedID plays a crucial role in many large cybercrime campaigns, including ransomware, which can be very costly for the victim organization. Early knowledge of indicators is thus important, even if these indicators haven’t all been publicly linked to the malware. This blog post demonstrated how to find hundreds of such indicators by spotting some patterns in the domain behaviour.\r\nThank you to John Jensen and Ken Bagnall for their contributions.\r\nSource: https://www.silentpush.com/blog/icedid-command-and-control-infrastructure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.silentpush.com/blog/icedid-command-and-control-infrastructure"
	],
	"report_names": [
		"icedid-command-and-control-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ce2c3e8153e314b1f45dd1b52132f7c53ed148b.pdf",
		"text": "https://archive.orkl.eu/0ce2c3e8153e314b1f45dd1b52132f7c53ed148b.txt",
		"img": "https://archive.orkl.eu/0ce2c3e8153e314b1f45dd1b52132f7c53ed148b.jpg"
	}
}