{
	"id": "7817f92b-24bf-4cd3-b721-87e0f43fe79e",
	"created_at": "2026-04-06T00:06:08.274953Z",
	"updated_at": "2026-04-10T03:37:23.900863Z",
	"deleted_at": null,
	"sha1_hash": "1c36f53dd7a0d7e6e21e621721df8437b403ec37",
	"title": "THREAT ANALYSIS: From IcedID to Domain Compromise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1956354,
	"plain_text": "THREAT ANALYSIS: From IcedID to Domain Compromise\r\nBy Cybereason Global SOC and Incident Response Team\r\nArchived: 2026-04-02 11:11:31 UTC\r\nBACKGROUND\r\nIn this Threat Analysis report, the Cybereason team investigates a recent IcedID infection that illustrates the\r\ntactics, techniques, and procedures (TTPs) used in a recent campaign. IcedID, also known as BokBot, is\r\ntraditionally known as a banking trojan used to steal financial information from its victims. It has been around\r\nsince at least 2017 and has been tied to the threat group TA551.\r\nRecently, IcedID has been used more as a dropper for other malware families and as a tool for initial access\r\nbrokers.\r\nKEY OBSERVATIONS\r\nFast Moving: The attacker went from initial infection to lateral movement in less than an hour. The Active\r\nDirectory domain was compromised in less than 24 hours.\r\nStandardized Attack Flow: Throughout the attack, the attacker followed a routine of recon commands,\r\ncredential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the\r\nnewly compromised host. This activity is explained in more detail in the Lateral Movement section below.\r\nTechniques Borrowed From Other Groups: Several of the TTPs we observed have also been found in\r\nattacks attributed to Conti, Lockbit, FiveHands, and others. Not only does this show a trend towards\r\nattackers sharing ideas across groups, but it also demonstrates how the ability to detect the techniques\r\nand tactics of one group can be applied to detecting others.\r\nChange of Initial Infection Vector: In previous campaigns, attackers delivered IcedID through phishing\r\nwith malicious macros in documents. With the recent changes Microsoft has implemented, attackers are\r\nusing ISO and LNK files to replace macros. 
The behavior illustrated in this article confirms that trend.\r\nQuick to Exfiltrate: Exfiltration in the customer environment started two days after initial infection.\r\nANALYSIS\r\nTimeline\r\nDuring the case investigated by the Cybereason team, the attacker executed various actions as displayed in this\r\ntimeline:\r\nhttps://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise\r\nPage 1 of 20\n\nInitial access, execution, and initial persistence\r\nIn this section, we describe the infection methods employed on the patient-zero machine, which was used as a\r\npivot by the attacker for the rest of the compromise.\r\nIn the following diagram, we describe the deployment mechanisms observed during this case:\r\nVictim opens an archive.\r\nVictim clicks the ISO file, which creates a virtual disk.\r\nVictim navigates to the virtual disk and clicks the only file visible, which actually is an LNK file.\r\nLNK file runs a batch file which drops a DLL into a temporary folder and runs it with rundll32.exe.\r\nRundll32.exe loads the DLL, which creates network connections to IcedID-related domains, downloading\r\nthe IcedID payload.\r\nIcedID payload is loaded into the process.\r\nSimilar IcedID infections typically begin with the victim opening a password-protected zip file that contains an\r\nISO file.\r\nWhen double-clicked, ISO files automatically mount themselves as a read-only directory. This directory contains a\r\nhidden folder and an LNK (shortcut) file.
The hidden folder contains both an obfuscated batch file and a DLL payload.\r\nContent of the folder “hey” shows a DLL file\r\nWhen the shortcut file is clicked, it executes the batch file in the hidden directory through the system component\r\ncmd.exe.\r\nLNK file showing that twelfth.bat will be executed when this is clicked\r\nThe batch file calls xcopy.exe to copy and drop the DLL into the %TEMP% directory, where it gets executed with\r\nrundll32.exe and a command line argument “#1”, which indicates the function at ordinal 1 in the DLL.\r\nSnippet of the obfuscated BAT file\r\nPartially de-obfuscated BAT file, showing the copy of the DLL followed by the execution of rundll32.exe\r\nThe initial execution of the attack we’re reporting started through a batch file named “dealing.bat”, which was\r\nfound in the directory location “D:\\ten\\”, fitting with the known examples of typical IcedID infections.\r\nExecution of the BAT file “dealing.bat”\r\nThis batch file spawned the rundll32.exe process to execute the DLL homesteading.dll found in the user’s %TEMP%\r\ndirectory. We observed DNS requests and a successful HTTP connection to the address crhonofire[.]info.\r\nRundll32.exe process executing the DLL file named homesteading.dll\r\nNext, the attacker carried out host discovery with net.exe to query for information on the domain, workstation, and\r\nmembers of the Domain Admins group.\r\nCybereason process tree screenshot showing OS and Active Directory discovery activity\r\nIcedID\r\nA few minutes after the initial start of the attack, homesteading.dll downloaded a file named xaeywn1.dll.\r\nRundll32.exe then loaded this file into memory. The command line argument that references “license.dat”\r\nindicates that this is a component of IcedID malware. 
The “license.dat” file serves as a key to decrypt the IcedID\r\npayload.\r\nRundll32.exe loading xaeywn1.dll and referencing “license.dat” as an argument\r\nWe also observed that, simultaneously, there was an MSRPC request to MS-TSCH SchRpcRegisterTask,\r\nindicating that a scheduled task had been created by the rundll32.exe process, which was meant to execute\r\nxaeywn1.dll every hour and at each logon. This establishes persistence on the machine.\r\nMSRPC call indicating the creation of a\r\nscheduled task\r\nNext, we observed rundll32.exe loading the floating module “init_dll_64.dll”. This is the decrypted and\r\nunpacked IcedID main bot. HTTP/S connections were made to blackleaded[.]tattoo, curioasshop[.]pics and\r\ncerupedi[.]com, all domains associated with IcedID malware.\r\nModule init_dll_64.dll being loaded into memory\r\nAfter that, we observed the creation of a child process named dllhost.exe, with a command line that references\r\nxaeywn1.dll, the decrypted IcedID payload. Dllhost.exe made external network connections and started an\r\ninteractive session of cmd.exe.\r\nDuring this interactive session, curl.exe was used to download the files power.bat and PowerDEF.bat from a\r\nremote IP address over HTTP.\r\nThe process curl was used to download power.bat and PowerDEF.bat\r\nOnce downloaded, the attacker then executed “PowerDEF.bat”, which runs a Base64-encoded PowerShell command\r\nthat downloads additional files. This process was used to download 2.txt and 2.exe. 
Finally, tasklist.exe was used\r\nto list all of the running processes on the host.\r\nDecoded PowerShell command\r\nCybereason process tree showing the interactive CMD session\r\nCobalt Strike\r\nAfter the initial foothold was established with IcedID, regsvr32.exe loaded the file “cuaf.dll”. Through open-source intelligence (OSINT) research, we were able to determine this to be a Cobalt Strike beacon. The hash\r\nfor this file was identified on several other machines as the attacker moved laterally throughout the network.\r\nThis process also made a connection to the IP resolving from the domain dimabup[.]com, a known Cobalt Strike\r\ncommand and control server.\r\nProcess tree showing regsvr32.exe loading a Cobalt Strike module, executing discovery actions on the network\r\nand communicating with a C2 domain\r\nAs described in more detail in the Credential Theft section, the Cobalt Strike beacon loaded Rubeus, a tool written in\r\nC# for Kerberos interaction and abuse, and carried out additional reconnaissance activity with net.exe, ping.exe, and\r\nnltest.exe.\r\nAdditional information about this reconnaissance activity can be found in the Discovery section.\r\nCobalt Strike process\r\nloading Rubeus\r\nLateral Movement\r\nThe attacker followed what appeared to be a standard process when it came to lateral movement. The first pivot to\r\nanother machine the Cybereason GSOC observed was less than an hour after the initial infection. 
The\r\nattacker used ping.exe to determine if the host was online and then used wmic.exe with the “process call create”\r\narguments to execute a remote file “db.dll” on the remote workstation.\r\nWmic.exe used for lateral movement\r\nOnce established on the remote host, the attacker executed the same Cobalt Strike beacon, this time named gv.dll.\r\nThe attacker continued to follow this process throughout the network, using ping.exe to see if the host is online,\r\nmoving laterally through WMI, and executing a Cobalt Strike payload for a better foothold.\r\nCobalt Strike payload used after lateral movement\r\nHaving compromised the credentials of a service account via Kerberoasting, the attacker was able to move\r\nlaterally to an internal Windows Server. The account had Domain Admin privileges, and the attacker deployed a\r\nCobalt Strike beacon.\r\nPersistence\r\nBorrowing a technique from Conti, the attacker installed the AteraAgent RMM tool on several machines. Atera is\r\na legitimate tool that is used for remote administration. Utilizing IT tools like this allows attackers to create an\r\nadditional “backdoor” for themselves in the event their initial persistence mechanisms are discovered and\r\nremediated.\r\nThese tools are less likely to be detected by antivirus or EDR and are also more likely to be written off as false\r\npositives.\r\nInstallation of the AteraAgent\r\nThe executed command lines show that during the installation process, the attacker misspelled the outlook.it domain. 
It is a fairly common practice for attackers to use “burner” email addresses\r\nfrom both Proton and Outlook when using Atera as their backdoor agent.\r\nProcess tree showing executions of the Atera Agent\r\nCredential Theft\r\nKerberoasting\r\nThe first instance of credential theft took place just 15 minutes after the initial infection. The attacker used\r\nKerberoasting (MITRE ATT\u0026CK ID: T1558.003) to pull the hashes of service accounts on the domain. In this\r\ncase, the C# Kerberos utility and interaction tool Rubeus was used.\r\nIn this attack, the hashes can be exfiltrated from the network, and depending on the strength of the password(s) of\r\nthe service account(s), the hashes can be cracked with tools such as Hashcat or John the Ripper.\r\nThe process rundll32.exe is detected as it performed Kerberoasting attacks\r\nDCSync\r\nAfter moving laterally to a file server in the environment and elevating privileges to SYSTEM via services, the\r\nattacker successfully executed a DCSync attack, allowing the attacker to compromise the domain. DCSync attacks\r\n(MITRE ATT\u0026CK ID: T1003.006) allow an attacker to impersonate a domain controller and request password\r\nhashes from other domain controllers.\r\nThis is done by making RPC calls to a DC for AD objects, namely DRSGetNCChanges. Only accounts that have\r\ncertain replication permissions in Active Directory can be used in a DCSync, but it is an otherwise\r\ndevastating credential-stealing attack. A DCSync attack was also detected on one of the initially infected hosts. 
Detection showing Active Directory abuse, identified by the DRSGetNCChanges MSRPC call\r\nBrowser Hooking\r\nIcedID is known to attempt to hook into browsers such as Firefox or Chrome to steal credentials,\r\ncookies, and saved information. After the main bot was loaded, we observed hooking behavior in chrome.exe:\r\nProcess hooking into Chrome.exe\r\nDiscovery\r\nDiscovery Commands\r\nDuring the attack, the attacker used several discovery commands. Many of these commands are executed as part of\r\nthe “SysInfo” module in the IcedID bot.\r\nNet.exe was leveraged to discover OS and Active Directory information:\r\nnet view /all /domain\r\nnet config workstation\r\nnet group \"Domain Admins\" /domain\r\nnet group \"Domain Computers\" /domain\r\nnet view \\\\{HOST IP ADDRESS} /all\r\nAs mentioned previously, ping.exe was used to check if remote machines were online for lateral movement.\r\nThe attacker used nltest.exe to extract Active Directory information:\r\nnltest /domain_trusts\r\nUsed to find trusted domains the host could communicate with\r\nnltest /domain_trusts /all_trusts\r\nnltest /dclist\r\nReturns a list of all Domain Controllers on the network\r\nThe PowerShell command Invoke-ShareFinder was also used to find non-standard shares on the network.\r\nAdditional system commands were used to fetch more information on the host:\r\nsysteminfo\r\ntime\r\nipconfig\r\nFinally, the attacker executed the command “wuauclt.exe /detectnow” in order to check for missing updates and\r\npatches.\r\nNetwork Scanning\r\nBorrowing another technique from Conti, the attacker used netscan.exe, a legitimate IT tool created by\r\nSoftPerfect, to scan a large 
subset of the network the beachhead machine was on. The results of the scan were\r\nwritten to a local file “results.xml”.\r\nNetscan.exe used to locate additional hosts for lateral movement\r\nData Exfiltration\r\nThe attacker used renamed copies of the popular rclone file syncing software to encrypt and sync several\r\ndirectories to the Mega file sharing service.\r\nExecutions of renamed rclone.exe\r\nUsage of rclone has become the exfiltration vector of choice for many threat actors, including Lockbit.\r\nCYBEREASON RECOMMENDATIONS\r\nIf IcedID activity is observed in your environment, the following is recommended in order to help contain the\r\nattack:\r\nEnable both the Signatures and Artificial Intelligence modes on Cybereason NGAV, and enable the\r\nDetect and Prevent modes of these features.\r\nIn your sensor policy, navigate to Behavioral Execution Prevention (BEP) and set both BEP and Variant\r\nPayload Prevention to Prevent.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom\r\nhunting queries for detecting specific threats. To find out more about threat hunting and Managed\r\nDetection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.\r\nCybereason also provides recommendations that are not related to the product:\r\nPhishing email protection: If possible, block or quarantine password-protected zip files in your email\r\ngateway.\r\nWarn your users against similar threats: Use caution when handling files that are out of the ordinary\r\nand from the internet (e.g., ISO and LNK files).\r\nDisable disk image file auto-mounting: To prevent this infection technique from succeeding, consider\r\ndisabling auto-mounting of disk image files (mainly .iso, .img, .vhd, and .vhdx) globally through GPOs.\r\nThis can be achieved by modifying the Registry values related to the Windows 
Explorer file\r\nassociations in order to disable the automatic Explorer \"Mount and Burn\" dialog for these file\r\nextensions.\r\nPlease note that this will not deactivate the mount functionality itself.\r\nBlock compromised users: Block users whose machines were involved in the attack, in order to stop or at\r\nleast slow down attacker propagation over the network.\r\nIdentify and block malicious network connections: Identify network flows toward malicious IPs or\r\ndomains identified in the reports and block connections to stop the attacker from controlling the\r\ncompromised machines.\r\nReset Active Directory access: If Domain Controllers (DCs) were accessed by the attacker and potentially\r\nall accounts have been stolen, it is recommended that, when rebuilding the network, all AD accesses are\r\nreset. Important note: the krbtgt account needs to be reset twice and in a timely fashion.\r\nEngage Incident Response: It is important to investigate the actions of the attacker thoroughly to ensure\r\nyou’ve not missed any activity and you’ve patched everything that needs to be patched.\r\nCleanse compromised machines: Isolate and re-image all infected machines, to limit the risk of a second\r\ncompromise or the attacker getting subsequent access to the network.\r\nResearchers\r\nDerrick Masters, Principal Security Analyst, Cybereason Global SOC\r\nDerrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat\r\nhunting and purple teaming. 
Derrick's Global Information Assurance Certification (GIAC) professional\r\ncertifications include GIAC Certified Forensic Analyst (GCFA), GIAC Certified Detection Analyst (GCDA),\r\nGIAC Certified Penetration Tester (GPEN), GIAC Python Coder (GPYC), and GIAC Security Essentials\r\nCertification (GSEC).\r\nLoïc Castel, Incident Response Investigator, Cybereason IR team\r\nLoïc Castel is an IR Investigator with the Cybereason IR team. Loïc analyses and researches critical incidents and\r\ncybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as\r\nLead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also\r\ninterested in offensive aspects such as vulnerability research.\r\nNicholas Mangano, Security Analyst, Cybereason Global SOC\r\nNick Mangano is a SOC Analyst with the Cybereason Global SOC team. He is involved with active MalOp\r\ninvestigation and remediation. Previously, Nick worked as a Security Analyst with Seton Hall University while\r\ncompleting his undergraduate degree. Nick holds an Accounting and Information Technology Degree as well as a\r\nCybersecurity Certification from Seton Hall University. He is interested in malware analysis as well as digital\r\nforensics.\r\nBrandon Ledyard, Senior Security Analyst, Cybereason Global SOC\r\nBrandon Ledyard is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat\r\nhunting, solutions engineering, incident response, and information security automation. 
Brandon is a GIAC\r\ncertified Python Coder (GPYC) and holds a Bachelor of Science in Cybersecurity from Champlain College.\r\nBrandon previously worked at the Senator Leahy Center for Digital Investigation where he conducted research on\r\ncryptominers.\r\nChris Casey, Senior Security Analyst, Cybereason Global SOC\r\nChris Casey is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat\r\nhunting and assisting L1s with critical incident investigations. Previously, Chris worked as a Security Analyst as a\r\ncivilian employee for the Department of Defense in the US Navy. Chris holds a professional certification from\r\nGlobal Information Assurance Certification (GIAC), GIAC Certified Forensic Analyst (GCFA). Chris also holds a\r\nBachelor of Science in Computer Science from the University of Rhode Island. He is interested in digital forensics\r\nand incident response, as well as malware analysis.\r\nAbout the Author\r\nCybereason Global SOC and Incident Response Team\r\nSource: https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-from-icedid-to-domain-compromise"
	],
	"report_names": [
		"threat-analysis-from-icedid-to-domain-compromise"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c36f53dd7a0d7e6e21e621721df8437b403ec37.pdf",
		"text": "https://archive.orkl.eu/1c36f53dd7a0d7e6e21e621721df8437b403ec37.txt",
		"img": "https://archive.orkl.eu/1c36f53dd7a0d7e6e21e621721df8437b403ec37.jpg"
	}
}