{ "id": "efba9be1-ebff-4861-a571-570ce48c2b6b", "created_at": "2026-04-06T02:12:59.081513Z", "updated_at": "2026-04-10T03:37:23.842633Z", "deleted_at": null, "sha1_hash": "796900344c1b9f54cb7d3e2dd38919332d8934e2", "title": "Microsoft Exchange targeted for IcedID reply-chain hijacking attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1809706, "plain_text": "Microsoft Exchange targeted for IcedID reply-chain hijacking attacks\r\nBy Bill Toulas\r\nPublished: 2022-03-28 · Archived: 2026-04-06 01:35:01 UTC\r\nThe distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email\r\nconversation threads and injects malicious payloads that are hard to spot.\r\nIcedID is a modular banking trojan first spotted back in 2017, used mainly to deploy second-stage malware such as other\r\nloaders or ransomware.\r\nIts operators are believed to be initial access brokers who compromise networks and then sell the access to other\r\ncybercriminals.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThe ongoing IcedID campaign was discovered this month by researchers at Intezer, who have shared their findings with\r\nBleeping Computer prior to publication.\r\nHow the attack works\r\nThe primary method of the conversation hijacking attack is to assume control of a key email account participating in a\r\ndiscussion with the target, and then send a phishing message crafted to appear as a continuation of the thread.\r\nAs such, when the target receives a reply message with an attachment named and presented as something relevant to the\r\nprevious discussion, the chances of suspecting fraud are reduced to a minimum.\r\nIntezer explains that there are clues pointing to threat actors targeting vulnerable Microsoft Exchange servers to steal the\r\ncredentials, as many of the compromised endpoints they found are public-facing and unpatched.\r\nAdditionally in this campaign, the analysts have seen malicious emails sent from internal Exchange servers, using local IP\r\naddresses within a more trustworthy domain, and hence unlikely to be marked as suspicious.\r\nIcedID latest infection chain (Interzer)\r\nThe email attachment sent to targets is a ZIP archive containing an ISO file, which, in turn, encloses an LNK and a DLL file.\r\nIf the victim double clicks the \"document.lnk\", the DLL launches to set up the IcedID loader.\r\nThe IcedID GZiploader is stored in an encrypted form in the resource section of the binary, and after decoding, it's placed in\r\nmemory and executed.\r\nThe host is then fingerprinted and the basic system information is sent to the C2 (yourgroceries[.]top) via an HTTP GET\r\nrequest.\r\nFinally, the C2 responds by sending a payload to the infected machine, although that step was not performed during Intezer's\r\nanalysis.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nPage 3 of 5\n\nDynamically called function that fetches the payload (Interzer)\r\nTies to November 2021 campaign\r\nWhile Intezer's report focuses on current and ongoing activity, it is unclear when this campaign started. It is possible that it\r\nstarted five months ago.\r\nIn November 2021, a Trend Micro report described a wave of attacks using ProxyShell and ProxyLogon vulnerabilities in\r\nexposed Microsoft Exchange servers to hijack internal email reply-chains and spread malware-laced documents.\r\nThe actors behind that campaign were believed to be 'TR', known to work with a plethora of malware, including Qbot,\r\nIcedID, and SquirrelWaffle.\r\nAll three malware pieces have been previously involved in email thread hijacking to deliver malicious payloads [1, 2, 3, 4].\r\nIntezer puts threat group TA551 in the spotlight this time due to the use of regsvr32.exe for the DDL's binary proxy\r\nexecution and password-protected ZIP files.\r\nThe link between those two threat groups is unclear, though, but it's not improbable that there's some overlap or even\r\nunderlying connection there.\r\nUpdate your Exchange servers\r\nWe're approaching the one-year mark since Microsoft published fixes for the ProxyLogon and ProxyShell vulnerabilities, so\r\napplying the latest security updates is well overdue.\r\nNot doing so leaves your Exchange servers, company, and employees prey to phishing actors, cyber-espionage, and\r\nransomware infections.\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nhttps://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks/" ], "report_names": [ "microsoft-exchange-targeted-for-icedid-reply-chain-hijacking-attacks" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441579, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/796900344c1b9f54cb7d3e2dd38919332d8934e2.pdf", "text": "https://archive.orkl.eu/796900344c1b9f54cb7d3e2dd38919332d8934e2.txt", "img": "https://archive.orkl.eu/796900344c1b9f54cb7d3e2dd38919332d8934e2.jpg" } }