{
	"id": "29abf395-289f-4df8-bbcb-ec9d0577f467",
	"created_at": "2026-04-06T00:13:43.393878Z",
	"updated_at": "2026-04-10T03:24:24.52342Z",
	"deleted_at": null,
	"sha1_hash": "c60a748e57368ea3485503b8f6101244b4654728",
	"title": "IcedID to Cobalt Strike In Under 20 Minutes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1403715,
	"plain_text": "IcedID to Cobalt Strike In Under 20 Minutes\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 23:04:10 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nWe identified IcedID malware attempting to load Cobalt Strike within 20 minutes of initial infection.\r\nAs noted in the June 2021 TRU Positive, IcedID is a modular banking trojan and a precursor to hands-on intrusions and ransomware attacks.\r\nThe incident started with the victim unwittingly mounting and executing the contents of an ISO file delivered through email.\r\nThis technique uses a disk image (.iso) containing a shortcut and hidden files. When clicked, the shortcut command uses the regsvr32 lolbin to execute the IcedID payload hidden within the mounted image container.\r\nOnce executed, IcedID immediately performs discovery commands to capture the system, domain, and networking information. These are common commands executed by precursor malware and are likely used to prioritize footholds for further intrusion actions.\r\nLess than 20 minutes from initial infection, the host executed remote PowerShell commands to deploy a Cobalt Strike stager.\r\nhttps://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes\r\nPage 1 of 8\n\nFigure 1 Endpoint View Showing IcedID Execution, Discovery Commands and Cobalt Strike Execution via PowerShell\r\nFigure 2 Timeline of Events from IcedID Infection to Cobalt Strike\r\nFigure 3 Cobalt Strike PowerShell Stager\r\nHow did we find it?\r\nOur Machine Learning PowerShell classifier identified the malicious Cobalt Strike PowerShell command.\r\nMDR for Network disrupted and alerted on the IcedID C2 traffic.\r\nWhat did we do?\r\nOur 24/7 SOC alerted the customer, and the host was contained.\r\nWhat can you learn from this TRU positive?\r\nRansomware precursor threats such as IcedID, Emotet and Qakbot must be identified and contained before the host is used as a foothold for further attacks.\r\nAdversaries are streamlining attacks to account for defender reaction times.\r\nIn December 2021, Emotet was observed directly deploying Cobalt Strike beacons to expedite intrusion actions. This was a departure from historical observations where malware such as Trickbot was deployed prior to Cobalt Strike.\r\nIcedID has been documented loading Cobalt Strike as recently as January 2022.\r\nIn this case, the rapid deployment of a Cobalt Strike stager suggests that an interactive intrusion was imminent.\r\nAdversaries are using alternative techniques (e.g., .iso containers) in place of macro-based execution in malicious documents.\r\nThis is likely in response to Microsoft’s recent announcement of blocking macros by default in internet-sourced files starting in 2022.\r\nRecommendations from our Threat Response Unit (TRU) Team:\r\nLoader malware attempts to install other malware, so the priority should be to identify and investigate the presence of follow-on malware on systems. In addition, we recommend:\r\nDisplay file extensions for known file types and consider showing hidden files to users by default.\r\nConduct Managed Phishing and Security Awareness Training on a regular basis. Warn users about the threat posed by scripts (e.g. JavaScript or VBScript) and image files (.iso) attached or linked in emails.\r\nEmploy email filtering and protection measures.\r\nBlock or quarantine email attachments such as EXEs, Password Protected ZIPs, JavaScript, Visual Basic scripts.\r\nImplement anti-spoofing measures such as DMARC and SPF.\r\nEmploy an MFA solution to reduce the impact of compromised credentials.\r\nTrain users to identify and report suspicious emails.\r\nProtect endpoints against malware.\r\nEnsure antivirus signatures are up-to-date.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.\r\nLimit or disable macros across the organization. See the UK's National Cyber Centre guidance on Macro Security.\r\nAsk Yourself…\r\n1. Is your malware identification and remediation process agile enough to disrupt follow-on attacks stemming from loader malware?\r\n2. What level of visibility do you have across your network, endpoint and overall environment to detect malicious behavior at scale?\r\n3. What tools are you employing for email filtering and how is that activity monitored?\r\n4. What level of managed endpoint support do you have in place?\r\n5. Are you monitoring your endpoints 24/7 and what degree of control do you have to initiate a kill switch when required?\r\nIndicators of Compromise\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/icedid-to-cobalt-strike-in-under-20-minutes"
	],
	"report_names": [
		"icedid-to-cobalt-strike-in-under-20-minutes"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c60a748e57368ea3485503b8f6101244b4654728.pdf",
		"text": "https://archive.orkl.eu/c60a748e57368ea3485503b8f6101244b4654728.txt",
		"img": "https://archive.orkl.eu/c60a748e57368ea3485503b8f6101244b4654728.jpg"
	}
}