Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 15:58:54 UTC
Home > List all groups > List all tools > List all groups using tool IcedCoffee
 Tool: IcedCoffee
Names IcedCoffee
Category Malware
Type Reconnaissance, Backdoor
Description
(Kaspersky) IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of
system and user information from the system, which is then encoded with base64,
encrypted with RC4 and submitted via HTTP POST to the C2 server. IcedCoffee has no
built-in command capability, instead it may receive javascript files from the C2 server,
which are deobfuscated and executed in memory, leaving nothing behind on disk for
forensic analysis. IcedCoffee was not widely deployed, rather it was targeted at diplomats,
including Ambassadors, of European governments.
Information AlienVault OTX Last change to this tool card: 20 April 2020
Download this tool card in JSON format
All groups using tool IcedCoffee
Changed Name Country Observed
APT groups
 Turla, Waterbug, Venomous Bear 1996-2024
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7576109c-8a9f-49eb-9f4f-bb382535bcf5
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=7576109c-8a9f-49eb-9f4f-bb382535bcf5
Page 1 of 1