{
	"id": "7e9ba11d-ea39-4b9d-9a23-934d40e7331f",
	"created_at": "2026-04-06T00:14:13.19992Z",
	"updated_at": "2026-04-10T03:24:24.496904Z",
	"deleted_at": null,
	"sha1_hash": "73d8b9472caac869c775614d888c976c8719b751",
	"title": "Desde Chile con Malware (From Chile with Malware)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125004,
	"plain_text": "Desde Chile con Malware (From Chile with Malware)\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-06 00:05:10 UTC\r\nSpoiler Alert: They weren't actually from Chile.\r\nIntroduction\r\nThis blog post provides a short update on our ongoing tracking of infrastructure associated with IcedID. We have posted publicly on IcedID on several occasions over the past year, and as far back as May 2021; it remains a persistent threat.\r\nTo recap...\r\nIcedID (also known as BokBot) started life in early 2017 as a banking trojan and later evolved to include dropper capabilities. These enable IcedID to download and deploy additional malware such as Cobalt Strike, with infections sometimes leading to ransomware.\r\nLate last week we identified a ‘new’ IP address connecting to 5.196.196.252, one of the currently active IcedID BackConnect C2 servers. These connections were made to the same remote port associated with the SOCKS proxy module, which we wrote about in December 2022.\r\nKey Findings\r\nIdentification of an IP address geolocated to Chile, used to access various elements of the IcedID infrastructure.\r\nThe Chilean IP resides in a /24 netblock which is also used to host IcedID Bot C2 infrastructure (on separate IPs).\r\nThreat telemetry data shows consistent connections sourced from the Chilean IP to an IP geolocated to the Netherlands, which hosts two IcedID-connected domains.\r\nWeb browsing activity originating from the Chilean IP provides a snapshot of suspected threat actor TTPs, with an apparent interest in DNS and visits to services associated with Conti and LockBit ransomware.\r\nFrom Chile... Kind Of\r\nThe ‘new’ IP address is assigned to Zappie Host, a New Zealand-based VPS provider, although geolocation data places it in Chile. Zappie Host, and specifically the /24 netblock in which this IP resides (216.73.159.0/24), are regularly used to host IcedID Bot C2 infrastructure.\r\nIn our initial assessment of this ‘Chilean’ IP, we noted a gap in activity between 12 December 2022 and 26 January 2023; interestingly, this matched timelines we had observed in the case of IcedID Bot, Loader, and BackConnect infrastructure.\r\nWe have generally attributed these drops in activity to the festive and new year celebration period, infrastructure updates, and on occasion an indication of internal issues impacting the threat operators.\r\nFurther, we noted the use of WireGuard VPN to access the Chilean IP up to 12 December 2022. When activity returned in January 2023 this changed to OpenVPN. Both WireGuard and OpenVPN were noted in our aforementioned investigation into BackConnect, hinting at a common playbook being used across the various elements of infrastructure management associated with IcedID.\r\nFurther Ties to IcedID\r\nExamining threat telemetry data for the Chilean IP, we observed connections to the panel port of the IcedID Loader Tier 2 server. This server is used to manage the Tier 1 Loader C2s, which receive initial victim communications and deliver the IcedID DLL. We have previously blogged about these first-stage Loader C2s.\r\nFurther connections were also observed to 168.100.8.93:443 (assigned to BLNWX - BitLaunch), commencing 27 January 2023 and continuing daily until the time of writing. During this period of activity, we identified two domains resolving to 168.100.8.93, based on pDNS and certificate data:\r\nneonmilkustaers[.]com - registered 9 November 2022\r\nsvoykbragudern[.]com - registered 18 November 2022\r\nBoth domains are typical of current IcedID domain nomenclature. Looking at domain registration data for the above dates, filtered by registrant organization (Tucows) and name server usage (Njalla), we found other domains registered in close temporal proximity:\r\ntrbiriumpa[.]com - registered 9 November 2022\r\nwhothitheka[.]com - registered 9 November 2022\r\nebothlips[.]com - registered 9 November 2022\r\nolifamagaznov[.]com - registered 18 November 2022\r\nIf these domains look familiar, that’s because they are - and we applaud your attention to detail. All four domains have been utilized for IcedID Loader C2 infrastructure over the past three months, and as recently as last week.\r\nHowever, the standout observation for 168.100.8.93, and therefore for the domains hosted on it, is the difference in behavior compared to other IcedID C2 infrastructure. In our threat telemetry data we do not see the victim communications we would usually expect for C2 infrastructure, which makes us question the purpose of these domains.\r\nVictim communications with the Loader C2s tend to occur over TCP/80, so the connections from the Chilean IP (to TCP/443) appear to be related to another service. One hypothesis is that the Chilean IP, and by extension 168.100.8.93, may be used for some form of development or testing purpose.\r\nFigure 1: Summary of Chilean IP Threat Telemetry\r\nThreat Operator TTPs\r\nIn addition to the connections to IcedID-linked infrastructure, since 26 January 2023 the Chilean IP has communicated with dozens of other IP addresses over TCP/443 (HTTPS).\r\nBased on our internal pDNS data, combined with OSINT investigations, we were able to identify domains (or define the general purpose) associated with the majority of these destination IP addresses, i.e., the targets of the connections.\r\nMost were websites related to DNS, privacy, and expected threat actor activity such as Tox and Tor usage. There were also visits to Yandex IP space, the Russian search engine popular in CIS countries.\r\nBelow we have listed some of the sites visited, which by extension provides insight into the services and tools the suspected threat actor behind the Chilean IP is interested in:\r\nSape - Russian-language SEO service\r\nQaz[.]im - Disposable email / file sharing service\r\nMegaNerd encrypted DNS - Encrypted DNS server and anonymized DNS relay\r\nLibsodium - Library for encryption/decryption, signatures, password hashing\r\nNjalla - Anonymous domain name registrar, hosting and VPN provider\r\nNextDNS - DNS resolution service with a core focus on encryption and privacy\r\nIbksturm - Open-source DNS and Tor relay operators\r\nDigitalsize - Public, non-tracking, non-filtering DNS resolver\r\nLibredns[.]gr - Public encrypted DNS for maintaining secrecy of DNS traffic\r\nDoH & DNSCrypt Server by alekberg - Open-source encrypted DNS\r\nDrink - Open-source dynamic authoritative DNS server\r\nSend.vis[.]ee - Securely share files via command line\r\nWalletConnect - Open-source protocol for connecting decentralized applications to mobile wallets with QR code scanning or deep linking\r\nControl D - Customizable DNS service that can redirect traffic through a series of transparent proxies\r\nA few of these sites are particularly pertinent:\r\nLibsodium, the library which includes features such as encryption and password hashing, is also used in the LockBit ransomware.\r\nNjalla is currently IcedID’s domain registrar of choice, so it is somewhat unsurprising that it appears here.\r\nQaz.im appears in the Conti Leaks, and Conti ransomware was often dropped by IcedID. Based on our observations, this service continues to be used, likely because it is hosted in Russian IP space and is therefore deemed (rightly or wrongly) to be outside the reach of LEA action.\r\nSape, the SEO service, is notable given the recent use of malvertising campaigns as an initial delivery mechanism for IcedID.\r\nConclusion\r\nTracking the background infrastructure associated with the day-to-day operation of threats like IcedID allows us not only to identify new victim-facing C2 infrastructure, but also to illuminate other elements of interest.\r\nIn this blog we identify a Chilean IP which, based on its activities, is likely not operated by a Chilean actor, and is used for access to / management of IcedID-linked infrastructure. 
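As an added example (not Team Cymru's code and not part of the original post), the following Python turns the IOCs and recommendations from this post into a small matcher that can be run over flow and DNS logs. Exact Bot C2 and BackConnect C2 addresses are tagged for blocking; any other address in 216.73.159.0/24 is tagged only as netblock interest, since the post notes the range is not exclusive to IcedID; connections to 168.100.8.93 are flagged only on TCP/443, the port the post describes; and the defanged domains are refanged and matched including subdomains. The two log line layouts and every sample record are constructed for the example.

```python
import ipaddress

# IOCs taken from the IOC section of the post. Domains are kept defanged here
# and refanged at load time so the list can be pasted straight from a report.
C2_NETBLOCK = ipaddress.ip_network('216.73.159.0/24')
BOT_C2S = {'216.73.159.132', '216.73.159.134', '216.73.159.29',
           '216.73.159.44', '216.73.159.60', '216.73.159.80'}
BACKCONNECT_C2S = {'135.148.217.85', '5.196.196.252', '80.66.88.71'}
# Host reached from the Chilean IP; the post only ties it to TCP/443.
PIVOT_HOST = ('168.100.8.93', 443)


def refang(domain):
    # example[.]com -> example.com, trailing-dot FQDNs normalised too
    return domain.replace('[.]', '.').rstrip('.').lower()


ICEDID_DOMAINS = {refang(d) for d in [
    'neonmilkustaers[.]com', 'svoykbragudern[.]com', 'olifamagaznov[.]com',
    'trbiriumpa[.]com', 'whothitheka[.]com', 'ebothlips[.]com']}


def classify_ip(ip, dport=None):
    '''Return the IOC tags an address (plus optional destination port) hits.
    A bare netblock hit is reported separately from an exact Bot C2 hit, because
    the post says the /24 is shared with non-IcedID tenants: interest, not a block.'''
    tags = []
    addr = ipaddress.ip_address(ip)
    if ip in BOT_C2S:
        tags.append('icedid_bot_c2')
    elif addr in C2_NETBLOCK:
        tags.append('icedid_netblock')
    if ip in BACKCONNECT_C2S:
        tags.append('icedid_backconnect_c2')
    if (ip, dport) == PIVOT_HOST:
        tags.append('icedid_pivot_443')
    return tags


def scan_flows(lines):
    '''Constructed flow layout: ts src_ip dst_ip dst_port proto
    Returns (ts, dst_ip, dst_port, tags) for every record touching an IOC.
    Both directions are checked, as the post asks for inbound and outbound.'''
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash the sweep
        ts, src, dst, dport, _proto = parts
        dport = int(dport)
        tags = classify_ip(dst, dport) + ['inbound_' + t for t in classify_ip(src)]
        if tags:
            hits.append((ts, dst, dport, tags))
    return hits


def scan_dns(lines):
    '''Constructed resolver layout: ts client qname qtype
    Returns (ts, qname) for queries for the listed domains or any subdomain.'''
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, _client, qname, _qtype = parts
        name = refang(qname)
        if name in ICEDID_DOMAINS or any(name.endswith('.' + d) for d in ICEDID_DOMAINS):
            hits.append((ts, name))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_FLOWS = '''
2023-02-01T10:00:01Z 10.0.0.5 216.73.159.44 443 tcp
2023-02-01T10:00:02Z 10.0.0.5 93.184.216.34 443 tcp
2023-02-01T10:00:03Z 10.0.0.7 216.73.159.200 8443 tcp
2023-02-01T10:00:04Z 10.0.0.9 5.196.196.252 8080 tcp
2023-02-01T10:00:05Z 10.0.0.9 168.100.8.93 443 tcp
2023-02-01T10:00:06Z 10.0.0.9 168.100.8.93 80 tcp
2023-02-01T10:00:07Z 80.66.88.71 10.0.0.12 22 tcp
'''.strip().splitlines()

SAMPLE_DNS = '''
2023-02-01T10:00:01Z 10.0.0.5 cdn.neonmilkustaers.com A
2023-02-01T10:00:02Z 10.0.0.5 www.example.com A
2023-02-01T10:00:03Z 10.0.0.7 trbiriumpa.com. A
'''.strip().splitlines()

if __name__ == '__main__':
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
    for hit in scan_dns(SAMPLE_DNS):
        print(hit)
```

Run as-is it prints five flow hits and two DNS hits from the constructed sample; the 168.100.8.93 connection on TCP/80 is deliberately not flagged, because the post only associates that host with TCP/443. Adapt the two field layouts to your own flow and resolver exports before using it for real.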
The surrounding activities provide us with an insight into the motivations of this actor and highlight some of the services and tools they may be using or investigating.\r\nWe also allude to some techniques which can be used to identify or confirm IcedID domains, a topic which we plan to expand on in the future.\r\nIn the case of IcedID, whilst we find that the operators can change their spots (making all leopards jealous), this is often a gradual process which provides us with opportunities for pattern-of-life and, as a result, infrastructure identification.\r\nRecommendations\r\nAlthough not used exclusively by IcedID operators to host their C2 infrastructure, we recommend that defenders take interest in any activity within their networks inbound to / outbound from 216.73.159.0/24.\r\nBackConnect C2 infrastructure is fairly static, with a life-cycle of approximately 30 days; it is therefore viable to block connections to current C2s. We will continue to post updates on this infrastructure on our Twitter feed, @teamcymru_S2.\r\nUsers of Pure Signal Recon will be able to track this activity by querying for inbound connections to 168.100.8.93:443 and pivoting from there.\r\nIOCs\r\nIcedID Bot C2s from 216.73.159.0/24 (Nov 2022 - Feb 2023):\r\n216.73.159.132\r\n216.73.159.134\r\n216.73.159.29\r\n216.73.159.44\r\n216.73.159.60\r\n216.73.159.80\r\nRecently active BackConnect C2s:\r\n135.148.217.85\r\n5.196.196.252\r\n80.66.88.71\r\nIcedID domains (mentioned):\r\nneonmilkustaers[.]com\r\nsvoykbragudern[.]com\r\nolifamagaznov[.]com\r\ntrbiriumpa[.]com\r\nwhothitheka[.]com\r\nebothlips[.]com\r\nSource: https://www.team-cymru.com/post/from-chile-with-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.team-cymru.com/post/from-chile-with-malware"
	],
	"report_names": [
		"from-chile-with-malware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73d8b9472caac869c775614d888c976c8719b751.pdf",
		"text": "https://archive.orkl.eu/73d8b9472caac869c775614d888c976c8719b751.txt",
		"img": "https://archive.orkl.eu/73d8b9472caac869c775614d888c976c8719b751.jpg"
	}
}