{
	"id": "57acee8b-db26-4435-bec7-d338366a9f1b",
	"created_at": "2026-04-06T00:22:12.689144Z",
	"updated_at": "2026-04-10T13:12:31.545436Z",
	"deleted_at": null,
	"sha1_hash": "b725061aeda3d14c7ac380959f0155bffba2f161",
	"title": "Ancient ICEFOG APT malware spotted again in new wave of attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49091,
	"plain_text": "Ancient ICEFOG APT malware spotted again in new wave of\r\nattacks\r\nBy Catalin Cimpanu\r\nPublished: 2019-06-07 · Archived: 2026-04-05 21:13:53 UTC\r\nMalware developed by Chinese state-sponsored hackers that was once thought to have disappeared has been\r\nrecently spotted in new attacks, in an updated and more dangerous form.\r\nSpotted by FireEye senior researcher Chi-en (Ashley) Shen, the malware is named ICEFOG (also known as\r\nFucobha).\r\nIt was initially used by a Chinese APT (advanced persistent threat, an industry term for state-sponsored hacking\r\nunits), also named ICEFOG, whose operations were first detailed in a Kaspersky report in September 2013.\r\nFollowing the publication of that report, the ICEFOG group's activities stopped, and so did sightings of its\r\neponymously named malware.\r\nNew ICEFOG versions discovered\r\nBut in a presentation at a cyber-security conference in Poland this week, Shen said she discovered new and\r\nupgraded versions of the presumed-to-be-dead ICEFOG malware.\r\nThe two most important strains were ICEFOG-P and ICEFOG-M, spotted being used in attacks starting in 2014\r\nand 2018, respectively.\r\n[Figures: ICEFOG new malware variants; ICEFOG-P; ICEFOG-M; ICEFOG malware timeline. Images: Shen, FireEye]\r\nBoth ICEFOG strains were more capable than the original ICEFOG malware sighted in hacking campaigns in the\r\nearly 2010s, suggesting that additional development has been done to bolster their capabilities.\r\nFurthermore, Shen also found a Mac version of the ICEFOG malware, previously unseen.\r\n[Figure: ICEFOG for Mac. Image: Shen, FireEye]\r\nhttps://www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/\r\nPage 1 of 3\n\nICEFOG now shared by multiple Chinese APTs\r\nBut these new ICEFOG malware variants were not being used in campaigns that could be associated with the\r\noriginal ICEFOG group. 
Instead, they were spotted across a large number of hacking campaigns orchestrated by\r\ndifferent groups.\r\n\"The operations between 2011 and 2013 were pretty consistent, suggesting one group and an exclusive use of the\r\nmalware,\" Shen told ZDNet in an email this week.\r\n\"The new variant was seemingly used by multiple groups after the 2013 campaign.\r\n\"I pivoted between the infrastructure from the campaign in 2013 and the new campaigns after 2014 and can't\r\nsuggest a strong connection between them,\" she added.\r\nIt appears that ICEFOG evolved from a malware family used exclusively by one Chinese hacking\r\ngroup into a tool now shared among many different APTs, each with its own agenda -- similar to how the Winnti\r\ngroup dissolved and its Winnti malware was shared among different Chinese APTs in the past. Of course, this isn't\r\na new theory, as cyber-security experts have previously suggested that many Chinese APTs may have a shared\r\nsupply chain.\r\n\"It is unclear how the ICEFOG samples were shared, but we have seen tools shared among other China-nexus\r\nAPT groups before,\" Shen said.\r\n\"An exploit document template has also been shared between several groups,\" the researcher added. 
\"Also, other\r\nmalware like SOGU is a commonly shared tool.\"\r\nShen said she spotted variants of the ICEFOG malware in attacks targeting:\r\n- an unnamed agriculture company in Europe in 2015\r\n- government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)\r\n- the governments of multiple former Soviet states in 2015 (Roaming Tiger)\r\n- Kazakh officials in 2016 (APPER campaign)\r\n- a water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan\r\nin 2018 (WATERFIGHT campaign)\r\n- an unknown entity in the Philippines in 2018 (PHKIGHT campaign)\r\n- organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)\r\n[Figures: ICEFOG attacks; ICEFOG actors. Images: Shen, FireEye]\r\nICEFOG used for cyber-espionage predominantly\r\n\"From my observation, most samples were [used] for political espionage and intelligence gathering,\" Shen told\r\nZDNet.\r\n\"Some campaigns also targeted telecommunication, energy, media, transportation, and suspected financial sectors,\r\npresumably targeting intellectual property as well. However, we believe these are the minority of cases.\"\r\nAs to why new ICEFOG sightings haven't been reported, Shen also has a theory, suggesting that the malware\r\nwasn't detected because it was very rarely used.\r\n\"The ICEFOG-P variant used between 2014 and 2018 is not particularly advanced,\" Shen told us. \"The code is\r\nfairly simple and most samples were not even packed.\r\n\"The reason why the campaigns were not observed is probably because of the lower sample numbers between\r\n2013 Q4 and 2017, especially compared to the campaign before 2013.\r\n\"In a case we observed in 2015, the actor seemed to leverage ICEFOG as a post-exploitation tool, which was\r\ndeployed after the victim was compromised. 
As a result, a researcher would have to dig into the specific incident\r\nto find the ICEFOG connection.\r\n\"The variant ICEFOG-M, which appeared in 2019, used a file-less payload, making the campaign harder to track,\"\r\nShen said.\r\nThe conclusion here is that the ICEFOG malware is now here to stay. Having been updated repeatedly over the\r\npast few years, and having proven able to fly under the radar, it is likely to remain in use by Chinese cyber-espionage\r\ngroups for the foreseeable future.\r\nShen presented her findings at the CONFidence security conference that was held in Krakow, Poland, earlier this\r\nweek. A copy of her presentation slides is available on SpeakerDeck. Indicators of compromise (IOCs) are also\r\navailable.\r\nSource: https://www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks/"
	],
	"report_names": [
		"ancient-icefog-apt-malware-spotted-again-in-new-wave-of-attacks"
	],
	"threat_actors": [
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273",
				"Roaming Tiger",
				"Rotten Tomato"
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b725061aeda3d14c7ac380959f0155bffba2f161.pdf",
		"text": "https://archive.orkl.eu/b725061aeda3d14c7ac380959f0155bffba2f161.txt",
		"img": "https://archive.orkl.eu/b725061aeda3d14c7ac380959f0155bffba2f161.jpg"
	}
}