{
	"id": "84315dd3-3d1b-42bc-9d34-e4010c247ed2",
	"created_at": "2026-04-06T01:30:47.882781Z",
	"updated_at": "2026-04-10T03:21:34.912243Z",
	"deleted_at": null,
	"sha1_hash": "654fb9cbb5d31259e2c55a00e260fcdb8121a9b2",
	"title": "New IceXLoader 3.0 – Developers Warm Up to Nim | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1196118,
	"plain_text": "New IceXLoader 3.0 – Developers Warm Up to Nim | FortiGuard Labs\r\nBy Joie Salvio and Roy Tay\r\nPublished: 2022-06-15 · Archived: 2026-04-06 01:24:20 UTC\r\nFortiGuard Labs has encountered version 3.0 of what is now dubbed IceXLoader, a new malware loader being advertised in malware hacking forums.\r\nIceXLoader is a commercial malware used to download and deploy additional malware on infected machines. The latest version is written in Nim, a relatively new language utilized by threat actors over the past two years, most notably by the NimzaLoader variant of BazarLoader used by the TrickBot group.\r\nThis article discusses the technical details of how IceXLoader behaves and the potential malware that it can deliver to an infected system.\r\nAffected Platforms: Windows\r\nImpacted Parties: Windows users\r\nImpact: Potential to deploy additional malware for malicious purposes\r\nSeverity Level: Medium\r\nThe ICE X Project\r\nWhile hunting for new malware families written in the Nim programming language, FortiGuard Labs discovered a loader malware with the strings “ICE_X” and “v3.0”.\r\nA loader is a type of malware that is intended for downloading and executing additional payloads provided by a threat actor to further their malicious objectives.\r\nCollected samples had some incomplete features; for example, the code for using a mutex to ensure that only a single instance of the malware runs consists only of dummy code. When coupled with the “v3.0” string (implying the presence of earlier versions of a similar malware), we suspected that this was a work-in-progress port of an existing malware to Nim.\r\nTo validate our hypothesis, we dug deeper and found links to underground forums where the developers sell the loader as ICE X at $118 for a lifetime license (Figure 1).\r\nhttps://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim\r\nPage 1 of 10\r\nFigure 1: ICE X advertisement in a forum website\r\nThe malware developers’ website (Figure 2) sells several commodity malware and provides related services including hacking, crypting, and malware development. The team of four claims 14 years of experience in the business with more than 200 clients.\r\nFigure 2. IceXLoader malware developer website\r\nFortiGuard Labs researchers chose to name this malware family IceXLoader based on the “ICE_X” strings found in both version 1 and version 3 samples. As there are similarly named Ice IX / IceX variants of the Zeus banking trojan, we appended Loader to the name to avoid confusion with these older banking trojans.\r\nNew Version, New Language\r\nThe developers provided a video to demonstrate configuring the IceXLoader builder with a Server URL containing the familiar Command \u0026 Control (C2) URL pattern “icex/Script.php” seen in our samples (Figure 3).\r\nFigure 3. IceXLoader builder configuration\r\nIn the same video, the developers showed an IceXLoader version 1 client connected to the C2 server panel (Figure 4), which was likely the production version at that time.\r\nFigure 4. C2 server panel showing the IceXLoader version 1 client\r\nPivoting around the known C2 URLs for IceXLoader allowed us to collect version 1 samples written in the AutoIt scripting language.\r\nThe almost identical implementation of the functions in the two versions confirmed our suspicion that the Nim-based loader is a newer version of the more feature-complete IceXLoader version 1 (Figure 5).\r\nFigure 5. getinfo() function comparison between IceXLoader version 1 and 3\r\nThe developers market their loader as FUD (Fully UnDetected), a common term used within malware hacking forums to denote malware that can bypass antivirus products. They also claim that they will continuously update it as security products eventually detect such malware.\r\nThis need to evade security products could be a reason the developers chose to transition from AutoIt to Nim for IceXLoader version 3. Since Nim is a relatively uncommon language for applications to be written in, threat actors take advantage of the comparatively limited analysis and detection coverage for binaries written in it.\r\nThe following technical analysis focuses primarily on IceXLoader version 3. However, comparisons to older versions are mentioned where necessary.\r\nTechnical Details\r\nThe IceXLoader builder generates a standalone executable EXE file with the chosen configuration values hardcoded into each file, which a threat actor can then distribute to potential victims.\r\nOnce this file is executed on a victim machine, it initializes itself based on the configured settings.\r\nPersistence\r\nIf configured, IceXLoader utilizes Windows startup features commonly abused by malware to survive system reboots. It copies itself to %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ with a configurable filename.\r\nAt the same time, it adds a registry entry in Software\\Microsoft\\Windows\\CurrentVersion\\Run with the value set to a second copy previously dropped in %AppData%.\r\nAs the mutex implementation is incomplete in the version 3 samples, multiple instances of IceXLoader will run when Windows restarts.\r\nEvasion\r\nIceXLoader performs a known method of in-memory patching of “AmsiScanBuffer” in AMSI.DLL. It does this to bypass the Microsoft Windows Antimalware Scan Interface used by security products to scan and detect malicious content. This reduces the chance of IceXLoader and its subsequent malware payloads being detected.\r\nIt then writes some PowerShell commands to %TEMP%\\file.bat (Figure 6) and executes them to disable Windows Defender’s real-time scan. Moreover, it adds exclusions to Windows Defender to prevent it from scanning the directory where IceXLoader is located.\r\nFigure 6. PowerShell commands used to evade detection\r\nOnce the malware has completed initialization, it proceeds to communicate with the C2 to carry out further actions on the victim system.\r\nClient-Server Communication Protocol\r\nIceXLoader communicates with a hardcoded list of C2 servers via HTTP/HTTPS POST requests. The User-Agent HTTP header is set to the Windows machine GUID, which uniquely identifies each infected machine. This could be referred to as a victim ID. Communication between the loader and C2 is in plaintext and is not encoded or encrypted.\r\nFigure 7 demonstrates the communication flow between IceXLoader and its C2 server. The “info” command is used as an example below, but other commands use a similar flow:\r\nFigure 7. IceXLoader client-server communication\r\nAn initial beaconing POST request with “SetOn=On” is sent by IceXLoader to notify the C2 that it is ready to receive commands.\r\nThe C2 server usually responds with an “info” command to register the loader as a valid client in the server panel. The client acknowledges the command by responding with “Done=\u003ccommand\u003e\u003c|\u003e”, i.e., “Done=info\u003c|\u003e”. After that, the client executes the command.\r\nFor the “info” command, IceXLoader collects the following information and sends it to the C2 server:\r\nNickname (set by the malware operator and hardcoded in the binary sample, “ICE X” by default)\r\nVictim ID\r\nUsername, machine name, and whether the user has administrative privileges\r\nWindows OS version\r\nInstalled antivirus products\r\nPresence of .NET Framework v2.0 and/or v4.0\r\nLoader version (hardcoded in the binary sample)\r\nTotal amount of installed memory\r\nProcessor name\r\nGraphics card name\r\nFigure 8 shows an HTTP POST request with all the information gathered from the victim system.\r\nFigure 8. POST request with the gathered information\r\nCommands\r\nOnce the system info is sent to the C2 server, IceXLoader regularly repeats the beaconing request to poll for additional commands.\r\nThe list of all the commands supported by IceXLoader can be found below. The pipe “|” character is used to separate options for the commands. Uppercase words (shown in italics in the original post) refer to values supplied by the threat actor.\r\nclose: Stop execution\r\ninfo: Collect system info and send it to the C2\r\nmsg|MESSAGE: Display a dialog box with the specified message\r\nrestart: Restart the loader\r\nrunFile|URL|TEMP_FILE_NAME: Send a GET request to download a file from URL to %TEMP% as TEMP_FILE_NAME and then open it with “cmd /c”. The advantage of using “cmd /c” is the ability to open any file type registered on the system, e.g., .txt files or Office documents; it is not limited to executable files.\r\nrunFile|URL|mem|True: Send a GET request to download an executable file from URL and run it from memory\r\nrunFile|URL|mem|False: Not fully implemented in version 3. In version 1, this command loads and executes a .NET assembly\r\nSleep|INTERVAL: Change the C2 server beaconing interval to the new value specified by INTERVAL (in milliseconds)\r\nUpdate: The current implementation in version 3 is identical to the “runFile” command, but the original implementation in version 1 was designed for updating IceXLoader itself\r\nuninstall: Remove all copies of itself from disk and stop running\r\nAs the main function of IceXLoader, the malware operator can interactively send “runFile” commands to the loader to download and execute additional malware on disk or filelessly in memory.\r\nInfection Chains\r\nPrevious campaigns spotted in the wild distributed DcRat via IceXLoader version 1 and an unknown malware with an associated Monero (XMR) miner via IceXLoader version 3.\r\nThe infection chains observed during earlier campaigns are illustrated below.\r\nMalspam-delivered IceXLoader leads to DcRat (May 2022)\r\nIceXLoader version 1 has been observed to be delivered through ZIP email attachments. The infection chain illustrated in Figure 9 is based on a submission by Andre Girondo at MalwareBazaar.\r\nFigure 9. Malspam infection chain\r\nAn email with a ZIP file attachment masquerading as an invoice is sent to unsuspecting victims. If a user unzips and executes the invoice.exe, this .NET executable drops and executes IceXLoader version 1. The attacker issues the runFile command to download and execute DcRat, a publicly available .NET-based Remote Access Tool (RAT).\r\nMulti-stage .NET loader drops IceXLoader to mine Monero (June 2022)\r\nFigure 10. Multi-stage .NET loader infection chain\r\nA simple .NET downloader malware downloads and executes a .NET dropper, which then extracts and runs an IceXLoader version 3 embedded in itself. IceXLoader then receives the command to download an unknown malware. While FortiGuard Labs researchers were unable to obtain a sample of this malware, the accompanying configuration file suggested that it was likely a RAT or infostealer that would additionally deploy a Monero (XMR) cryptocurrency miner.\r\nFortiGuard Labs is unable to confirm how the initial .NET downloader was delivered to victims. Based on the filenames of similar samples, they may have masqueraded as fake or cracked game-related installers.\r\nConclusion\r\nIn this article, we highlighted how threat actors continually evolve to evade and deter detection of their malware, to the extent of porting existing code to a different and uncommon language. While simple and limited in functionality, loaders like IceXLoader pose a threat to users due to the possibility of threat actors deploying more full-featured malware upon infection.\r\nFortiGuard Labs will continue to monitor IceXLoader and emerging trends in the loader threat landscape.\r\nProtections\r\nThe FortiGuard Antivirus service detects and blocks this threat as W32/IceXLoader.FGLT!tr.\r\nFortinet customers are protected from this malware through FortiGuard’s Web Filtering, Antivirus, and CDR (content disarm and reconstruction) services and the FortiMail, FortiClient, and FortiEDR solutions.\r\nLoaders like IceXLoader are commonly delivered via phishing. Organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.\r\nWe also suggest that organizations have their end users go through our free NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nFiles (SHA256)\r\nC2 URLs\r\nDownload URLs\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-icexloader-3-0-developers-warm-up-to-nim"
	],
	"report_names": [
		"new-icexloader-3-0-developers-warm-up-to-nim"
	],
	"threat_actors": [],
	"ts_created_at": 1775439047,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/654fb9cbb5d31259e2c55a00e260fcdb8121a9b2.pdf",
		"text": "https://archive.orkl.eu/654fb9cbb5d31259e2c55a00e260fcdb8121a9b2.txt",
		"img": "https://archive.orkl.eu/654fb9cbb5d31259e2c55a00e260fcdb8121a9b2.jpg"
	}
}