{
	"id": "efd7c495-9065-4fdf-b6fa-7ca68c4929fb",
	"created_at": "2026-04-06T02:11:55.752509Z",
	"updated_at": "2026-04-10T03:21:44.210522Z",
	"deleted_at": null,
	"sha1_hash": "adee0864d77e43b9c30e28a1121c57b70ee7fd65",
	"title": "IcedID Botnet Distributors Abuse Google PPC to Distribute Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1963060,
	"plain_text": "IcedID Botnet Distributors Abuse Google PPC to Distribute\r\nMalware\r\nBy Ian Kenefick\r\nPublished: 2022-12-23 · Archived: 2026-04-06 01:33:19 UTC\r\nMalware\r\nWe analyse the latest changes in the IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to\r\ndistribute IcedID via malvertising attacks.\r\nBy: Ian Kenefick Dec 23, 2022 Read time: 4 min (1167 words)\r\nAfter closely tracking the activities of the IcedID botnet, we have discovered\r\nsome significant changes in its distribution methods. Since December 2022, we have observed the abuse of Google pay\r\nper click (PPC) ads to distribute IcedID via malvertising attacks. This IcedID\r\nvariant is detected by Trend Micro as TrojanSpy.Win64.ICEDID.SMYXCLGZ.\r\nAdvertising platforms like Google Ads enable businesses to display advertisements to target audiences for the\r\npurpose of boosting traffic and increasing sales. Malware distributors abuse the same functionality in a technique\r\nknown as malvertising, wherein chosen keywords are hijacked to display malicious ads that lure unsuspecting\r\nsearch engine users into downloading malware.\r\nIn our investigation, malicious actors used malvertising to distribute the IcedID malware via cloned webpages of\r\nlegitimate organisations and well-known applications. Recently, the Federal Bureau of Investigation (FBI)\r\npublished a warning pertaining to how cybercriminals abuse search engine advertisement services to imitate\r\nlegitimate brands and direct users to malicious sites for financial gain.\r\nOur blog entry provides the technical details of the IcedID botnet’s new distribution method and the new loader it\r\nuses.\r\nTechnical analysis\r\nOrganic search results are those generated by the Google PageRank algorithm, whereas Google Ads appear in\r\nmore prominent locations above, beside, below, or with the organic search results. 
When these adverts are\r\nhijacked by malicious actors via malvertising, they can lead users to malicious websites.\r\nTargeted brands and applications\r\nIn our investigation, we discovered that IcedID distributors hijacked the keywords used by these brands and\r\napplications to display malicious adverts:\r\nhttps://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html\r\nPage 1 of 8\n\n1. Adobe – A computer software company\r\n2. AnyDesk - A remote control application\r\n3. Brave Browser - A web browser\r\n4. Chase Bank - A banking application\r\n5. Discord - An instant messenger service\r\n6. Fortinet - A security company\r\n7. GoTo - A remote control application\r\n8. Libre Office - An open-source alternative to Microsoft Office\r\n9. OBS Project - A streaming application\r\n10. Ring - A home CCTV (closed-circuit television) manufacturer\r\n11. Sandboxie - A virtualisation/sandbox application\r\n12. Slack - An instant messaging application\r\n13. Teamviewer - A remote control application\r\n14. Thunderbird - An email client\r\n15. US Internal Revenue Service (IRS) – A US federal government body\r\nThe malicious websites to which victims are directed are made to look like their legitimate counterparts. Figure 1\r\nshows a legitimate-looking malicious Slack webpage used by IcedID distributors to lure victims into downloading\r\nmalware.\r\nFigure 1. A legitimate-looking malicious Slack webpage used by IcedID distributors\r\nInfection chain\r\nThe overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the\r\npayload. The payload is typically a backdoor.\r\nFigure 2. IcedID botnet malware infection chain\r\nInfection via malvertising\r\n1. A user searches for an application by entering a search term on Google. 
In this particular example, the user\r\nwants to download the AnyDesk application and enters the search term “AnyDesk” in the Google search\r\nbar.\r\n2. A malicious advert for the AnyDesk application that leads to a malicious website is displayed above the\r\norganic search results.\r\n3. IcedID actors abuse the legitimate Keitaro Traffic Direction System (TDS) to filter out researcher and sandbox\r\ntraffic. The victim is then redirected to a malicious website.\r\n4. Once the user selects the “Download” button, a malicious Microsoft Software Installer (MSI)\r\nor Windows Installer file inside a ZIP file is downloaded to the user’s system.\r\nFigure 3. IcedID botnet malvertising infection chain\r\nThe new IcedID botnet loader\r\nIn this campaign, the loader is dropped via an MSI file, which is atypical for IcedID.\r\nThe installer drops several files and invokes the “init” export function via rundll32.exe, which then executes the\r\nmalicious loader routine.\r\nThis “loader” DLL has the following characteristics:\r\nThe authors have taken a legitimate DLL and replaced a single legitimate function with the malicious\r\nloader function, using the “init” export function name at the last ordinal.\r\nThe first character of each legitimate export function name in the IcedID loader is replaced with the letter “h.”\r\nThe reference to the malicious function is a patched legitimate function.\r\nThe resulting malicious file is almost identical to the legitimate version. This can prove to be challenging for\r\nmachine learning (ML) detection solutions.\r\nOn the surface, the malicious IcedID and legitimate sqlite3.dll files look almost identical. 
Figure 4 shows a side-by-side comparison of these files using the PortEx Analyzer tool, which was developed by security researcher\r\nKarsten Hahn. The tool allows us to quickly visualise the structure of portable executable (PE) files and, in\r\nthis case, assess the similarity of the files.\r\nFigure 4. A visual representation of the malicious IcedID (left) and legitimate PE (right) files (using\r\nKarsten Hahn’s PortEx Analyzer tool)\r\nFor this reason, we hypothesise that this is an attack on two types of malware detection technologies:\r\nMachine learning detection engines\r\nWhitelisting systems\r\nTampered DLL files functioning as IcedID loaders\r\nWe have observed that some of the files that have been modified to act as IcedID loaders are well-known and\r\nwidely used libraries.\r\nTable 1. Files that have been modified to act as IcedID loaders\r\nDLL name | Description\r\ntcl86.dll | A library component of ActiveState’s TCL (Tool Command Language) programming language interpreter\r\nsqlite3.dll | A library component of the SQLite database\r\nConEmuTh.x64.dll | A plugin for Far Manager\r\nlibcurl.dll | A cURL library\r\nIn sqlite3.dll, we observed that the function at ordinal 270, “sqlite3_win32_write_debug”, has been replaced with\r\nthe malicious “init” function in the IcedID loader.\r\nThis is the case across the modified DLL files listed above: the export function at the last ordinal is replaced with\r\nthe malicious “init” function.\r\nFigure 5. 
A comparison of IcedID-modified (left) and normal (right) files, wherein the former’s\r\nexport function at the last ordinal is replaced with the malicious “init” function\r\nFurther investigation shows that the structure of the file is identical.\r\nFigure 6. A comparison of IcedID-modified and normal files wherein both files show an identical\r\nstructure\r\nExecution\r\n1. “MsiExec.exe” executes (parent process) (MITRE ID T1218.007 - System Binary Proxy Execution:\r\nmsiexec)\r\n2. “rundll32.exe” is spawned (MITRE ID T1218.011 - System Binary Proxy Execution: rundll32.exe)\r\n3. “rundll32.exe” runs the custom action “Z3z1Z” via\r\n“zzzzInvokeManagedCustomActionOutOfProc” (MITRE ID T1218.011 - System Binary Proxy Execution:\r\nrundll32.exe)\r\n4. The custom action spawns a second “rundll32.exe” to run the IcedID loader “MSI3480c3c1.msi” with the\r\n“init” export function (MITRE IDs T1027.009 - Embedded Payloads and T1218.011 - System Binary\r\nProxy Execution: rundll32.exe)\r\nFigure 7. IcedID loader execution chain\r\nFigure 8. MSI custom action\r\nFigure 9. MSI structure that contains the custom action\r\nConclusion\r\nIcedID is a noteworthy malware family that is capable of delivering other payloads, including Cobalt Strike and\r\nother malware. IcedID enables attackers to perform highly impactful follow-through attacks that lead to total\r\nsystem compromise, such as data theft and crippling ransomware. 
The use of malvertising and an evasive loader is\r\na reminder of why it’s important for businesses to deploy layered security solutions that include custom\r\nsandboxing, predictive machine learning, behaviour monitoring, and file and web reputation detection capabilities.\r\nUsers can also consider the use of ad blockers to help thwart malvertising attacks.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise can be accessed via this text file.\r\nSource: https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_ie/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html"
	],
	"report_names": [
		"icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441515,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adee0864d77e43b9c30e28a1121c57b70ee7fd65.pdf",
		"text": "https://archive.orkl.eu/adee0864d77e43b9c30e28a1121c57b70ee7fd65.txt",
		"img": "https://archive.orkl.eu/adee0864d77e43b9c30e28a1121c57b70ee7fd65.jpg"
	}
}