{
	"id": "90a30c1e-bb80-4254-af1d-af5095723361",
	"created_at": "2026-04-06T00:11:39.948592Z",
	"updated_at": "2026-04-10T03:37:26.659273Z",
	"deleted_at": null,
	"sha1_hash": "20417ecfe0c96170589066030c4d95a5d820380c",
	"title": "Fork in the Ice: IcedID Malware Analysis | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4718555,
	"plain_text": "Fork in the Ice: IcedID Malware Analysis | Proofpoint US\r\nBy Pim Trouerbach, Kelsey Merriman and Joe Wise, March 27, 2023\r\nPublished: 2023-03-24 · Archived: 2026-04-05 17:32:52 UTC\r\nKey Findings\r\nProofpoint is tracking new variants of IcedID used by at least three threat actors.\r\nInitial analysis suggests this is a forked version with potentially a separate panel for managing the malware.\r\nWhile much of the code base is the same, there are several key differences.\r\nOne key difference is the removal of banking functionality such as web injects and backconnect.\r\nProofpoint researchers hypothesize the original operators behind Emotet are using an IcedID variant with different functionality.\r\nOverview\r\nProofpoint researchers have observed and documented, for the first time, three distinct variants of the malware known as IcedID. Proofpoint calls the two new variants recently identified “Forked” and “Lite” IcedID. This report details the following variants of IcedID:\r\nStandard IcedID Variant – The variant most commonly observed in the threat landscape and used by a variety of threat actors.\r\nLite IcedID Variant – New variant observed as a follow-on payload in November Emotet infections that does not exfiltrate host data in the loader checkin and delivers a bot with minimal functionality.\r\nForked IcedID Variant – New variant observed by Proofpoint researchers in February 2023 used by a small number of threat actors which also delivers the bot with minimal functionality.\r\nIcedID is a malware originally classified as a banking malware and was first observed in 2017. It also acts as a loader for other malware, including ransomware. As previously published, historically there has been just one version of IcedID that has remained constant since 2017. 
The well-known IcedID version consists of an initial loader which contacts a Loader C2 server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot.\r\nIn November 2022, Proofpoint researchers observed the first new variant of IcedID, which Proofpoint dubbed “IcedID Lite”, distributed as a follow-on payload in a TA542 Emotet campaign. It was dropped by the Emotet malware soon after the actor returned to the e-crime landscape after a nearly four-month break.\r\nThe IcedID Lite Loader observed in November 2022 contains a static URL to download a “Bot Pack” file with a static name (botpack.dat) which results in the IcedID Lite DLL Loader, and then delivers the Forked version of IcedID Bot, leaving out the webinjects and backconnect functionality that would typically be used for banking fraud.\r\nStarting in February 2023, Proofpoint observed the new Forked variant of IcedID. To date, Proofpoint has uncovered seven campaigns using the Forked IcedID variant. This variant was distributed by TA581 and one unattributed threat activity cluster which acted as initial access facilitators. The campaigns used a variety of email attachments such as Microsoft OneNote attachments and, somewhat rare to see, .URL attachments, which led to the Forked variant of IcedID.\r\nThe IcedID Forked Loader, first observed in February 2023, is more similar to the Standard IcedID Loader in that it contacts a Loader C2 server to retrieve the DLL loader and bot. 
That DLL loader has similar artifacts to the Lite Loader, and also loads the Forked IcedID Bot.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid\r\nPage 1 of 32\r\nThe following picture shows the high-level overview of the various IcedID variants Proofpoint researchers have identified.\r\nFigure 1: Overview of the three IcedID variants.\r\nThreat Actor Details\r\nProofpoint has identified hundreds of IcedID campaigns from 2022 through 2023, and at least five threat actors were observed directly distributing this malware in campaigns since 2022. Nearly all threat actors and unattributed threat activity clusters use the Standard IcedID variant. Proofpoint considers most of these threat actors to be initial access brokers that facilitate infections leading to ransomware.\r\nProofpoint continues to see all variants of the IcedID malware in campaign data, so researchers assess with high confidence that the changes detailed below are not direct upgrades to the Standard IcedID codebase. It is likely a cluster of threat actors is using modified variants to pivot the malware away from typical banking trojan and banking fraud activity to focus on payload delivery, which likely includes prioritizing ransomware delivery. Additionally, based on artifacts observed in the codebase, timing and association with Emotet infections, Proofpoint researchers suspect the initial developers of Emotet have partnered with IcedID operators to expand their activities, including using the new Lite variant of IcedID that has different, unique functionality and likely testing it via existing Emotet infections.\r\nThe Lite IcedID variant has only been observed following TA542 Emotet infections, but Proofpoint cannot definitively attribute the Lite variant to TA542 as follow-on infections are typically outside of researchers’ visibility. 
The following are threat actors frequently associated with IcedID.\r\nTA578 – Proofpoint has observed TA578 deliver IcedID in campaigns since June 2020. Typically, this actor uses email themes such as “stolen images” or “copyright violation” to deliver malware. In addition to IcedID, TA578 also frequently conducts campaigns delivering Bumblebee malware. TA578 uses the Standard IcedID variant.\r\nTA551 – Proofpoint has observed TA551 deliver IcedID in campaigns since November 2018. This actor usually uses thread hijacking to deliver attached files including Word documents, PDFs, and recently, OneNote documents. TA551 has used multiple malware types, with recent payloads including IcedID, SVCReady, and Ursnif. TA551 uses the Standard IcedID variant.\r\nTA577 – Proofpoint has observed TA577 use IcedID in limited campaigns since February 2021. This actor typically uses thread hijacking to deliver malware, with Qbot being TA577’s preferred payload. However, Proofpoint has observed IcedID delivered by TA577 in six campaigns since 2022. TA577 uses the Standard IcedID variant.\r\nTA544 – Proofpoint observed TA544 use IcedID in limited campaigns throughout 2022. This actor typically targets organizations in Italy and Japan, and typically delivers Ursnif malware. TA544 uses the Standard IcedID variant.\r\nTA581 – TA581 is a newly classified threat actor Proofpoint has tracked as an unattributed activity cluster since mid-2022. This actor typically uses business-relevant themes such as payroll, customer information, invoice, and order receipts to deliver a variety of filetypes or URLs. TA581 typically delivers IcedID, but has been observed using Bumblebee malware and telephone-oriented attack delivery (TOAD) payloads. 
TA581 uses the Forked IcedID variant.\r\nCampaign Details\r\nProofpoint has only observed the IcedID Lite Loader variant delivered as a second-stage payload following Emotet infections associated with November 2022 campaigns. Below are examples of the Standard and Forked IcedID variants observed as first-stage payloads.\r\nExample 1: IcedID Standard Campaign\r\nProofpoint observed a campaign with over 2,800 messages on 10 March 2023. This campaign began with thread-hijacked emails which contained HTML attachments. The HTML attachments used HTML Smuggling to drop a password-protected, zipped Windows Script File (WSF). The password “747” was displayed in the HTML file. The WSF ran a VBScript which initiated a PowerShell command to download and execute an intermediate script, which then downloaded and executed the Standard IcedID Loader using a non-standard export “init”.\r\nFigure 2: Sample email using thread hijacking to deliver an HTML attachment.\r\nFigure 3: HTML Attachment spoofing Office 365.\r\nFigure 4: Contents of smuggled ZIP file.\r\nFigure 5: WSF file contents.\r\nFigure 6: Intermediate PowerShell downloader. 
This pulled the next stage – the Standard IcedID Loader.\r\nThe IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.\r\nStandard IcedID Loader Configuration:\r\n     C2: ariopolanetyoa[.]com\r\n     ProjectID: 3278418257\r\nStandard IcedID Bot Configuration:\r\n     C2: alishaskainz[.]com\r\n     C2: akermonixalif[.]com\r\n     CommsCookie: 998075300\r\n     ProjectID: 35\r\n     URI: /news/\r\n     Update URLs: [\r\n          hxxps://yelsopotre[.]com/news/,\r\n          hxxps://qoipaboni[.]com/news/,\r\n          hxxps://halicopnow[.]com/news/,\r\n          hxxps://oilbookongestate[.]com/news/\r\n     ]\r\nExample 2: IcedID Forked Campaign\r\nProofpoint observed a campaign with over 13,000 messages on 3 February 2023. This campaign began with invoice-themed email lures requesting confirmation from the recipient to manage a contract. The emails were personalized to the recipient by using the recipient’s name in the greeting of the email. The observed emails contained the subject \"How can i contact you?\" with an attachment name (regex): \"unpaid_[0-9]{4}-February-03\\.one\".\r\nThese messages contained Microsoft OneNote attachments (.one). When opened, the OneNote document instructed the recipient to \"open\" the document by double-clicking the button displayed in the OneNote document. An HTML Application (HTA) file was concealed beneath the \"open\" text which, if clicked, executed the HTA file. The HTA file initiated a PowerShell command used to download and execute an IcedID loader. The IcedID loader was executed with rundll32 using a non-standard export: \"PluginInit\". 
The PowerShell command also downloaded and opened a decoy PDF.\r\nFigure 7: Screenshot of email sample from the 3 February IcedID campaign.\r\nFigure 8: OneNote attachment containing the “open” button that hides the HTA file.\r\nFigure 9: Screenshot of HTA displayed in a text editor.\r\nFigure 10: Benign PDF that appears while malicious activity is running in the background.\r\nThe IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.\r\nIcedID Loader Configuration:\r\n     C2: ehonlionetodo[.]com\r\n     ProjectID: 3954321778\r\nIcedID Bot configuration:\r\n     {\r\n         \"date\": \"03-06-2023\",\r\n         \"family\": \"IcedID Core\",\r\n         \"comms_cookie\": \"01\",\r\n         \"project_id\": 3954321778,\r\n         \"uri\": \"/news/\",\r\n         \"c2s\": [\r\n             \"renomesolar[.]com\",\r\n             \"palasedelareforma[.]com\",\r\n             \"noosaerty[.]com\"\r\n         ]\r\n     }\r\nThis campaign is attributed to TA581, a threat actor that Proofpoint has been tracking since 2022, and officially designated a TA number in March 2023.\r\nExample 3: IcedID Forked Campaign\r\nProofpoint observed a campaign with over 200 messages conducted from 20 February to 23 February 2023. This campaign included two different email lures: 1) a recall notice purporting to be from the National Traffic and Motor Vehicle Safety Act; and 2) a violation purporting to be from the U.S. Food and Drug Administration (FDA). The emails contained .URL attachments. 
A URL file is a shortcut that points to a specific Uniform Resource Locator. If the recipient clicked to open the .URL file, the recipient's default web browser would access the URL contained in the file. If the .URL file was opened, it would initiate the download of a batch (.bat) file. The batch file would download and execute an IcedID loader with rundll32 using a non-standard export: \"PluginInit\".\r\nFigure 11: Sample email using the motor vehicle safety lure.\r\nFigure 12: Sample email using motor vehicle/seatbelt safety lure.\r\nFigure 13: URL (.url) attachment displayed in a text editor.\r\nFigure 14: BAT (.bat) file displayed in a text editor.\r\nThe IcedID loader connected to the C2 server and delivered and executed the IcedID core bot if specific conditions were met.\r\nIcedID Loader Configuration:\r\n     C2: samoloangu[.]com\r\n     ProjectID: 3971099397\r\nIcedID Bot Configuration:\r\n     C2: sanoradesert[.]com\r\n     C2: steepenmount[.]com\r\n     C2: guidassembler[.]com\r\n     CommsCookie: 1\r\n     ProjectID: 3971099397\r\n     URI: /news/\r\nMalware analysis\r\nBefore comparing the Standard Loader to the Forked Loader, it is worth covering the highlights of the IcedID Lite Loader as there is code overlap and clear similarities when compared with the Forked Loader. For an in-depth analysis of the Lite Loader, check out Proofpoint’s previous report here. The Lite Loader’s purpose is to download the next stage of the malware from a hardcoded domain and URI path. The domain is decrypted from the configuration and the URI path is decrypted within the function that makes the HTTP request. 
Unlike the Standard IcedID Loader, there is no host information being exfiltrated within the request. When the Lite Loader was dropped on Emotet infections, that fact made sense, since this version of IcedID was specifically being deployed on already infected machines, and there was no need to check the host information.\r\nFigure 15: Config decryption within IcedID Lite Loader.\r\nFigure 16: Decryption of the URI within the IcedID Lite Loader.\r\nConsidering that Proofpoint has not observed a standalone campaign of the Lite Loader in the wild, the remainder of the analysis section will compare the Standard variant to the Forked variant as well as similarities to the Lite Loader.\r\nLoader Analysis\r\nField | Standard Loader | Forked Loader\r\nInternal name | loader_dll_64.dll | Loader.dll\r\nFile type | Standard DLL | COM Server\r\nExtraneous string | none | Contains “1.bin”\r\nProject ID | Project ID differs from loader to bot | Project ID is the same across loader and bot\r\nRough size | ~36KB | ~48KB\r\nBotpack decryption | Decryption is the same across both variants\r\nAs far as behavior is concerned, the Forked Loader functions the same as the Standard Loader. The goal is to send host info to the loader C2, then to gate the bot download. This gating mechanism is to ensure that only truly infected machines get the bot binary rather than researchers or malware sandboxes. If the checks are passed, the C2 will return the encrypted bot and DLL loader, which is where the real capabilities of the botnet emerge. The differences lie within the binary itself, in how the code is structured and how the sample is obfuscated. 
Both variants of the loader initiate their malicious code by creating a thread for the malware main. Before this happens though, the Forked Loader decrypts and copies strings into global variables where they will be later used to resolve required functions. This pattern of decrypting strings for future use will come up later in the analysis of the DLL loader.\r\nFigure 17: String decryption of the DLL names used within the Forked Loader.\r\nWith the DLL strings decrypted, the malware then decrypts the loader configuration by taking the first 64 bytes and XORing it against the next 64 bytes. The first four bytes of the decrypted buffer will contain the project identifier (ID) (a campaign identifier of sorts), followed by a single domain which is used to gate the download of the bot.\r\nFigure 18: Decryption of the config buffer in the Forked Loader.\r\nFor whatever reason, there is an extraneous “1.bin” that is appended to a string which isn’t used. As far as Proofpoint researchers can tell, this string is not used and serves no purpose. 
With the config decrypted, the malware creates the cookies that contain the host information and sends an HTTP request whose response will contain the encrypted bot.\r\nFigure 19: Raw response from the loader C2 containing the encrypted bot and DLL loader.\r\nThe response gets decrypted with the IcedID decryption routine, then split into the encrypted bot (“license.dat”) and the custom DLL loader, which is generally given a randomly generated filename ending in .tmp.\r\nDLL Loader Analysis\r\nField | Standard DLL Loader | Forked DLL Loader\r\nExtraneous code | none | Contains code to decrypt strings and domains related to the “lite loader”\r\nFile type | Standard DLL | COM Server\r\nInternal name | init_dll_64.dll | Init.dll\r\nRough size | 20KB | 36KB\r\nThe start of the DLL loader is the same across both versions of the DLL loader: a thread is created that contains the malicious code for custom loading license.dat.\r\nFigure 20: Start of the Standard DLL Loader.\r\nWhen comparing the StartAddress function, we see the biggest difference across these two samples:\r\nFigure 21: Standard DLL Loader thread function.\r\nThe following shows the thread function for the Forked DLL Loader. This function decrypts strings that originally just existed in the Lite Loader.\r\nFigure 22: Forked DLL Loader thread function.\r\nThe rest of this report section focuses on the Forked DLL Loader, as that is where these differences exist. 
Just like the Forked Loader, the Forked DLL Loader decrypts the DLL strings to be used later to resolve handles to the DLLs needed. The strings are decrypted with the same algorithm, where the data is split into DWORDs and XOR’d against a random key.\r\nFigure 23: String decryption for the DLL names needed for execution.\r\nNext, a function is called that decrypts strings that are not used at any point within the binary itself. The function starts by creating a structure that is going to be returned at the end of the function. This structure contains two domains and various URIs that could potentially be used to get a separate version of the bot.\r\nFigure 24: Decryption of “Lite Loader” domains.\r\nFor all the Forked DLL Loader variants we have seen, there are two domains that are decrypted: “tourdeworldsport[.]com” and “handsinworld[.]com”. Neither of these domains is used within the file, and at the time of this report they have no relations on VirusTotal. Looking into the “handsinworld” domain, passive DNS shows that the domain started resolving to its current IP of “193[.]37[.]69[.]107” on 12 Nov 2022. This is also around the time that Emotet dropped the IcedID Lite Loader onto the Epoch 4 and Epoch 5 botnets. More information on the Lite Loader and Emotet can be found in our previous report here. The other domain, “tourdeworldsport”, started resolving to the IP “5[.]61[.]34[.]46” on 18 Nov 2022.\r\nWith the domain names decrypted, the DLL Loader decrypts 10 strings that should be URIs to be appended to the domains.\r\nFigure 25: Decryption of “Lite Loader” filenames.\r\nWithin this list, however, there is a typo: “botpackn3dat”. 
Most likely a period is missing before “dat”. This is the same URI structure (/botpack.dat) that the Lite Loader used to download the bot and DLL loader from the C2 in November 2022 when it was dropped via Emotet infections.\r\nAfter the strings are decrypted, the structure referencing them is never used again. This is most likely code that has been copy/pasted from the Lite Loader. If implemented correctly, these strings should appear in the actual loader of IcedID and not within the DLL Loader where they currently reside. These commonalities between the Lite Loader and this DLL Loader make it seem as if the same group that dropped IcedID via Emotet is behind these campaigns as well.\r\nBot Analysis\r\nField | Standard Bot | Forked Bot\r\nFile format | Custom PE Format | Custom PE Format\r\nRough size | 368 KB | 304 KB\r\nRemoved code | none | Removed web injects capability\r\nVersioning | Currently at version 119 | Currently at version 111\r\nLooking at the Forked IcedID Bot variant and the Standard Bot variant in BinDiff, researchers observed that the Standard IcedID bot contains more functionality than the Forked variant.\r\nFigure 26: Output of BinDiff showing the Standard Bot vs the Forked Bot.\r\nCombining Hex-Rays’ Lumina and BinDiff shows that the Standard Bot contains functionality relating to web injects, adversary in the middle (AiTM) and backconnect capabilities that do not exist within the Forked variant. 
This could be because banking fraud has become increasingly difficult over the last couple of years.\r\nFigure 27: Functions that have been removed within the Forked Bot.\r\nWithin the communications of the bot, there is an authentication header which contains the bot’s project ID, some other details and the version of the bot.\r\n     Authorization: Basic OTk4MDc1MzAwOjA6MTE5OjY1OjM1\r\n     Decoded: 998075300:0:119:65:35\r\nBase64 decoding this value gives the version as the third component of the list. For the Standard IcedID Bot, this value is set to 119 as seen above, but for the Forked variant, the base64-decoded header is:\r\n     998075300:0:111:67:1\r\nThis value contains version 111, which could indicate the fork happened when the Standard Bot was using that version.\r\nFinally, there seems to be a bug within the Forked variant of the bot where the URIs of specific requests are not constructed properly, which causes 404s to occur.\r\nFigure 28: Network requests made by the Forked Bot.\r\nIn the example above, the request should be “/news/4/2/1” but for whatever reason the bot does not append the initial / for specific commands.\r\nLite Loader Anomaly\r\nAfter analysis of the separate variants was finished, Proofpoint identified a file called “botpackn1.dat” on VirusTotal that seemed related to our Lite Loader.\r\nFigure 29: VirusTotal page showing the botpack used in the Lite Loader.\r\nThat filename is embedded within the custom Forked DLL Loader mentioned previously. This relationship was enough to prompt further analysis. 
In the article where Proofpoint described the IcedID Lite Loader being dropped via Emotet infections, researchers documented the structure of the botpack format and how to decrypt it as well. Taking that same script and applying it to this file leads to a valid configuration that researchers can analyze.\r\nFigure 30: Commandline output showing the decrypted botpack structure.\r\nThis botpackn1.dat contains the later stages of the infection chain, so with some pivoting on the VirusTotal relationships, researchers land on the distribution URL (VT Link) “http[:]//lepriconloots[.]com/botpackn1.dat”. Pivoting again to find files that reach out to the URL, we come across the Lite Loader sample itself. Looking at the build artifacts of this sample, it seems like the threat actors have removed the PDB path, but the Lite Loader still contains the build name “Loader.dll”. Loader.dll was initially used within IcedID to refer to the Lite Loader back when it was dropped via Emotet infections in November, but that same build name is now being used within the Forked DLL Loader. This could mean the codebase is similar enough that the threat actors can interchange the loader and the DLL Loader, or that these actors are copy/pasting extraneous code.\r\nFigure 31: Embedded build name of the DLL Loader.\r\nFinally, pivoting on where this “c2.dll” (IcedID Lite loader) came from, the distribution URL “http[:]//104[.]156[.]149[.]6/webdav/c2.dll” is observed. Similarly, this IP address hosted an IcedID campaign from TA581 that occurred on 21 February 2023. The TA581 campaign ended up loading the DLL “host.dll” from that same directory and led to one of the first campaigns in which Proofpoint observed the Forked variant. 
At the time when this distribution URL was live, the IP was hosting an open directory on /webdav/ that contained various bat files, a forked IcedID loader as well as this lite loader.\r\nConclusion\r\nIcedID is a popular malware typically used by more advanced cyber criminal threat actors, and its use across the threat landscape has remained relatively consistent until recently. Ultimately, there seems to be considerable effort going into the future of IcedID and the malware’s codebase, including the addition of two new variants described in this report. While historically IcedID’s main function was a banking trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware.\r\nProofpoint anticipates that while many threat actors will continue to use the Standard variant, it is likely the new variants will continue to be used to facilitate additional malware attacks.\r\nET Rules\r\nET MALWARE Win32/IcedID Request Cookie\r\nETPRO MALWARE Win32/IcedID Stage2 Checkin\r\nETPRO MALWARE Win32/IcedID Stage2 CnC Activity\r\nETPRO MALWARE Win32/IcedID Stage2 CnC Activity M2 (GET)\r\nIndicators of Compromise\r\nIndicator | Type | Description | Date Observed\r\nehonlionetodo[.]com | C2 | IcedID Loader | February 2023\r\nsamoloangu[.]com | C2 | IcedID Loader | February 20-23, 2023\r\nsanoradesert[.]com | C2 | IcedID Bot | February 20-23, 2023\r\nsteepenmount[.]com | C2 | IcedID Bot | February 20-23, 2023\r\nguidassembler[.]com | C2 | IcedID Bot | February 20-23, 2023\r\nrenomesolar[.]com | C2 | IcedID Bot | February 3, 2023\r\npalasedelareforma[.]com | C2 | IcedID Bot | February 3, 2023\r\nnoosaerty[.]com | C2 | IcedID Bot | February 3, 
2023\r\nhxxp[://]helthbrotthersg[.]com/view[.]png | URL | HTA Payload URL | February 3, 2023\r\nhxxp[://]104[.]156[.]149[.]6/webdav/c2[.]dll | URL | Staging URL for Lite Loader | February 22, 2023\r\nhxxp[://]lepriconloots[.]com/botpackn1[.]dat | URL | Staging URL for the IcedID bot | February 22, 2023\r\nhxxp[://]94[.]131[.]11[.]141/webdav/Labels_FDA_toCheck[.]bat | URL | .URL File Payload URL | February 20-23, 2023\r\nhxxp[://]94[.]131[.]11[.]141/webdav/fda[.]dll | URL | BAT Payload URL | February 20-23, 2023\r\nRecall_2.22.url | Filename | .URL Attachment | February 20-23, 2023\r\nfeb20_fda_labels-violation.url | Filename | .URL Attachment | February 20-23, 2023\r\ndc51b5dff617f4da2457303140ff1225afc096e128e7d89454c3fa9a6883585c | SHA256 | .URL Attachment | February 20-23, 2023\r\n7c8b3b8cf2b721568b96f58e5994b8ddb8990cd05001be08631ade7902ae6262 | SHA256 | Botpackn1.dat | February 22, 2023\r\nfbad60002286599ca06d0ecb3624740efbf13ee5fda545341b3e0bf4d5348cfe | SHA256 | IcedID Standard Loader | February 3, 2023\r\n03fdf03c8f0a0768940c793496346253b7ccfb7f92028d3281b6fc75c4f1558e | SHA256 | HTA | February 3, 2023\r\n9bf40256fb7f0acac020995a3e9a231d54a6b14bb421736734b5815de0d3ba53 | SHA256 | WSF | March 10, 2023\r\nbefeb1ab986fae9a54d4761d072bf50fdbff5c6b1b89b66a6790a3f0bfc4243f | SHA256 | DLL | March 10, 2023\r\nhxxp[://]segurda[.]top/dll/loader_p1_dll_64_n1_x64_inf[.]dll53[.]dll | URL | Staging URL for Standard Loader | March 10, 2023\r\nhxxp[://]segurda[.]top/gatef[.]php | URL | PowerShell Payload URL | March 10, 2023\r\nconsumption_8581_march-10.html | Filename | HTML Attachment | March 10, 2023\r\nSource: 
https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/fork-ice-new-era-icedid"
	],
	"report_names": [
		"fork-ice-new-era-icedid"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434299,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20417ecfe0c96170589066030c4d95a5d820380c.pdf",
		"text": "https://archive.orkl.eu/20417ecfe0c96170589066030c4d95a5d820380c.txt",
		"img": "https://archive.orkl.eu/20417ecfe0c96170589066030c4d95a5d820380c.jpg"
	}
}