{
	"id": "b845bca0-62ab-4540-b86a-bc2d1a1304f6",
	"created_at": "2026-04-06T00:22:16.784353Z",
	"updated_at": "2026-04-10T03:21:15.212166Z",
	"deleted_at": null,
	"sha1_hash": "6fa57c6ae06da208ca65b985848285478200b646",
	"title": "IcedID leverages PrivateLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 799548,
	"plain_text": "IcedID leverages PrivateLoader\r\nBy Jason Reaves\r\nPublished: 2022-08-04 · Archived: 2026-04-05 22:26:43 UTC\r\n4 min read\r\nAug 4, 2022\r\nBy: Joshua Platt and Jason Reaves\r\nPrivateLoader[1,2,3,4] continues to function as an effective loading service, recently leveraging SmokeLoader for their loads.\r\nA recent sample of their SmokeLoader can be seen here (b01195c3e828d9a79c958e4c810a363d804d51996337db89a5d248096846b27a); the C2 domains for the sample are a hallmark of PrivateLoader:\r\nhost-file-host6.com\r\nhost-host-file8.com\r\nThese domains are simply proxies, but behind them sits a massive operation performing millions of loads for various customers. Recently a new customer started leveraging this service, which caught our attention; in the aforementioned SmokeLoader sample you can see all the tasks being run:\r\nhttps://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f\r\nPage 1 of 5\r\nRef: Virustotal.com\r\nFrom the DNS resolutions we can see SmokeLoader checking in along with quite a lot of other activity. Some of it is related to tasks for the bot to load, but the domain ‘deficulintersun[.]com’ is the C2 for an IcedID loader. Luckily Zenbox on VirusTotal left us with a PCAP, so we can decrypt the SmokeLoader traffic and hopefully recover the tasks.\r\nSmokeLoader C2 Traffic\r\n\\xe4\\x078F1CEBFF99E357584119ACFBC1B392A2383170A8\\x00DESKTOP-B0T93D6\\x00pub3\\x00\r\nSo the group is pub3 and the version of the bot is 0x7e4, or 2020. The recovered tasks are as follows:\r\nLocation: http://rgyui.top/dl/buildz.exe\r\nLocation: https://dl.uploadgram.me/62e817d1aff5ah?dl\r\nLocation: https://allejee.com/bulking.exe\r\nLocation: http://194.87.31.137/7loader_exe_64.exe\r\nLocation: http://2.58.28.60/csflow.exe\r\nSmokeLoader Tasks\r\nThe file I got from buildz.exe turns out to be Djvu ransomware; the more interesting part here is that the ransomware sample was crypted with the same crypter used for the SmokeLoader sample. Coupled with the fact that IcedID has itself been seen leading to ransomware, is there potentially a conflict of interest between the service provider and their customers, or between competing customers?\r\nDecoded Djvu strings:\r\nhttp://acacaca.org/test1/get.php 2http://rgyui.top/dl/build2.exe$run http://acacaca.org/files/1/build3.exe$run\r\nThe file from uploadgram, 62e817d1aff5ah, turns out to be RedLine stealer:\r\n{'C2': '193.233.193.14:8163', 'BOTNET': 'LogsDiller Cloud (Sup: @mr_golds)'}\r\nThe file from allejee was down at the time we found it, but we did find files with the same name from that server in VirusTotal:\r\n03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0\r\nwhich has ITW URLs from the same server in July:\r\nRef:\r\nhttps://www.virustotal.com/gui/file/03626471a65baf211f2110cd91e52b9e44524780e042a473cd09d864d9af20a0/relations\r\nThis file is a self-extracting EXE signed by ‘Nir Sofer’; the extracted EXE inside it ends up being a simple .NET based loader which downloads and executes more .NET code, eventually leading to Raccoon Stealer V2[5].\r\n.NET based loader\r\nThe csflow.exe executable is an installer for CoinSurf, which allows people to monetize their traffic usage.\r\nFinally, the 7loader_exe_64.exe file is an IcedID loader:\r\n{'C2': 'deficulintersun.com', 'Campaign': 1514253643}\r\nPrivateLoader is not new to having some bigger names leveraging it, as previous research indicates it has been leveraged by TrickBot, Qakbot, DanaBot and Dridex. The more pressing question is why these groups would leverage a system that is actively stealing data and dropping ransomware on top of their bots.\r\nIOCs\r\nSmokeBot tasks:\r\nNetwork indicators:\r\nrgyui.top\r\nallejee.com\r\n194.87.31.137\r\n2.58.28.60\r\nhost-file-host6.com\r\nhost-host-file8.com\r\n64.52.80.224 - Raccoon Stealer\r\ndeficulintersun.com - IcedID\r\nacacaca.org - Djvu Ransomware\r\n193.233.193.14:8163 - RedLine Stealer\r\n2.58.28.60/install.txt\r\n2.58.28.60/startup.txt\r\nReferences\r\n1: https://intel471.com/blog/privateloader-malware\r\n2: https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e\r\n3: https://www.zscaler.com/blogs/security-research/peeking-privateloader\r\n4: https://tavares.re/blog/2022/06/06/hunting-privateloader-pay-per-install-service/\r\n5: https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with-a-new-version-to-steal-your-passwords/\r\nSource: https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/icedid-leverages-privateloader-7744771bf87f"
	],
	"report_names": [
		"icedid-leverages-privateloader-7744771bf87f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434936,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fa57c6ae06da208ca65b985848285478200b646.pdf",
		"text": "https://archive.orkl.eu/6fa57c6ae06da208ca65b985848285478200b646.txt",
		"img": "https://archive.orkl.eu/6fa57c6ae06da208ca65b985848285478200b646.jpg"
	}
}