{
	"id": "eac9dff3-e521-41da-b738-ccbb154ffee4",
	"created_at": "2026-04-06T00:16:01.915462Z",
	"updated_at": "2026-04-10T13:12:15.200127Z",
	"deleted_at": null,
	"sha1_hash": "93795dd69ad29dfcc05f728bf5068e92aa224d26",
	"title": "IcedID Campaign Strikes Back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 959358,
	"plain_text": "IcedID Campaign Strikes Back\r\nBy Paul Kimayong\r\nPublished: 2020-08-12 · Archived: 2026-04-05 14:39:08 UTC\r\nIn our previous blog about IcedID, we explored some of the changes in the malware and how it tries to evade detection. We also detailed how threat actors took advantage of the COVID-19 pandemic to phish their target victims. Recently, we discovered an evolution in their phishing methods, particularly how they attempt to evade detection by implementing a password protected attachment, keyword obfuscation and minimalist macro code in their trojanized documents. This time, they also use a DLL for the second stage downloader, which shows a new maturity level of this threat actor.\r\nPhishing Victims\r\nIn the current campaign, discovered in July 2020, phishing emails are sent from compromised business accounts to recipients who are customers of the same businesses. This makes the phish that much more likely to succeed, given that the sender and the recipient have an established business relationship. One example we are going to highlight is from a compromise of PrepNow.com, a private, nationwide student tutoring company with a business presence in many states.\r\nThe phishing emails are sent to potential victims from the accounting department and purport to include an invoice. The attachment is a password protected zip file named request.zip. The password protection is meant to prevent anti-malware analysis solutions from decrypting and inspecting the attachment. The password is included in the email message body, in the hope that the victim will read the email, locate the password and use it to open the attached file.\r\nhttps://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back\r\nPage 1 of 9\r\nAn interesting characteristic of these messages is that the word “attached” is obfuscated in multiple ways. This may be an attempt for this phish to bypass spam filters or phishing detection systems that could be looking for such keywords. However, this is useless, because no security solution needs to rely on the word “attached” to figure out there is an attachment. If anything, we expected the obfuscation to target the word “password”, because that is a tell-tale sign of something phishy going on. Then again, modifying the body of the email ever so slightly may change some of the fuzzy hashes that email security solutions calculate to identify bulk email campaigns.\r\nAdditionally, the campaign has rotated the file name used for the attachment inside the zip file. Again, this seems futile, since the password protection should already prevent most security solutions from opening and inspecting the content.\r\nNonetheless, this technique proved successful against Google’s Gmail security, which did not block this email.\r\nSample email containing the password protected request.zip (sha256): 2beadfb91e794860aad159dcca1c94855a99b9bc908d03d10cea005dad652422\r\nMS Word document inside the zip file, legal paper_07.23.2020.doc (sha256): 9b0ff58ddedd7a78e3b8f28c9c5a4934ea9f4dc530d57cc7715bdca6687590fc\r\nAnother example showing a slightly different obfuscation of the word “attached”. request.zip (sha256): d80dc6c07eedf0cbccedf9427accef8bcb067b9dc1eaf4f81b9ee968854eb176\r\nlegal agreement.07.20.doc (inside request.zip, sha256): dc6452b6b0683223c0d87970c600ebbda3ed6c4dab14649beff12be59842f59c\r\nYet another sample email with a third way of obfuscating the word “attached”. request.zip (sha256): 78fd08878d1f5025ecf7dcf1f0460a4d00f7c50ea281b35c190cd3f8aecf61af\r\nQuestion_07.20.doc (inside request.zip, sha256): 469fc41ba6d15f2af6bcf369e39c5c06b8bb5d991c008efadbfd409d096e911b\r\nLet’s take a look at the malicious documents in the attachments.\r\nFirst Stage: MS Office Documents Macro Downloader\r\nIn short, once the zip file is expanded, the user finds a Microsoft Word document that contains a macro that executes upon opening the document. There is the usual social engineering attempt to get victims to enable macros, which in this case claims the document was created with a previous version of MS Word. Once macros are enabled, the VB script will download a DLL, save it as a PDF and install it as a service using regsvr32 to guarantee persistence.\r\nThe authors have resorted to being “minimalist” in this recent campaign. The macro code is very simple and straightforward, but they managed to add a few tricks to evade detection. For instance, all strings and function calls in the macro are obfuscated. There are also instances where the URL is saved as an XML file inside the document.\r\nTo some extent, these few tricks worked. VirusTotal hits were low at first submission on the samples from July 20.\r\nVirusTotal results for sha256 469fc41ba6d15f2af6bcf369e39c5c06b8bb5d991c008efadbfd409d096e911b and sha256 dc6452b6b0683223c0d87970c600ebbda3ed6c4dab14649beff12be59842f59c (source: virustotal.com)\r\nSecond Stage: DLL Trojan\r\nIn our observation, the second stage payload consists of a DLL that is downloaded from 3wuk8wv[.]com or 185.43.4[.]241, which is hosted at a hosting provider in Russian Siberia (https://ispserver.com/).\r\nOnce downloaded, the malicious DLL is saved as a PDF file, then the macro executes it via a call to regsvr32.exe.\r\nPcap capture of the DLL download\r\nOur sample had very few detections on VirusTotal upon initial submission.\r\nThird Stage: Malicious Payload Downloader\r\nOnce launched, the DLL will download the next stage from the domain loadhnichar[.]co as a PNG file and decrypt it. Similar to the second stage loader we analyzed in our previous blog, this loader blends its traffic with requests to benign domains, such as apple.com, twitter.com, microsoft.com, etc., to look more benign to sandboxes trying to analyze it.\r\nUnfortunately, at the time of our testing, the download domain for the next stage, loadhnichar[.]co, was already down.\r\nUsing a similar sample from Malware-Traffic-Analysis.net, https://malware-traffic-analysis.net/2020/07/20/index.html, we analyzed the next stages.\r\nWe have not found any changes from this stage on, compared to our previous analysis. The second stage will download the third stage as a PNG file, decrypt it and run it. It will be saved as {random}.exe and will create a scheduled task for persistence. The third stage will download the IcedID main module as a PNG file, spawn an msiexec.exe process and inject the IcedID main module into it.\r\nJuniper Advanced Threat Prevention (ATP) detects this file as malware.\r\nIndicators of Compromise\r\nIndicator | Notes\r\n2beadfb91e794860aad159dcca1c94855a99b9bc908d03d10cea005dad652422 | request.zip (sha256)\r\nd80dc6c07eedf0cbccedf9427accef8bcb067b9dc1eaf4f81b9ee968854eb176 | request.zip (sha256)\r\n78fd08878d1f5025ecf7dcf1f0460a4d00f7c50ea281b35c190cd3f8aecf61af | request.zip (sha256)\r\n9b0ff58ddedd7a78e3b8f28c9c5a4934ea9f4dc530d57cc7715bdca6687590fc | doc (sha256)\r\ndc6452b6b0683223c0d87970c600ebbda3ed6c4dab14649beff12be59842f59c | doc (sha256)\r\n469fc41ba6d15f2af6bcf369e39c5c06b8bb5d991c008efadbfd409d096e911b | doc (sha256)\r\n3wuk8wv[.]com | 2nd stage (domain)\r\n185.43.4[.]241 | 2nd stage (IP)\r\nSpecial thanks to Alexander Burt and Mounir Hahad from Juniper Threat Labs for participating in the analysis and writing of this blog.\r\nSource: https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back"
	],
	"report_names": [
		"iceid-campaign-strikes-back"
	],
	"threat_actors": [],
	"ts_created_at": 1775434561,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93795dd69ad29dfcc05f728bf5068e92aa224d26.pdf",
		"text": "https://archive.orkl.eu/93795dd69ad29dfcc05f728bf5068e92aa224d26.txt",
		"img": "https://archive.orkl.eu/93795dd69ad29dfcc05f728bf5068e92aa224d26.jpg"
	}
}