{
	"id": "7b1e95be-833a-4956-b279-a13c0966c1d4",
	"created_at": "2026-04-06T00:19:19.600673Z",
	"updated_at": "2026-04-10T13:13:09.713285Z",
	"deleted_at": null,
	"sha1_hash": "c946c2bbe80c1acfca4687572db33d487e445744",
	"title": "A Visualizza into Recent IcedID Campaigns:",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416985,
	"plain_text": "A Visualizza into Recent IcedID Campaigns:\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 20:20:25 UTC\r\nReconstructing Threat Actor Metrics with Pure Signal™ Recon\r\nIntroduction\r\nIcedID (also known as BokBot) started life in early 2017 as a banking trojan that later evolved to include dropper\r\nmalware capabilities. These capabilities enable IcedID to download and deploy additional malware like Cobalt\r\nStrike, with recent infections leading to Quantum ransomware. Cybersecurity professionals should continue to pay\r\nattention to IcedID as it remains one of the top dropper malware families in the threat landscape and shows no signs of\r\nslowing down. It is typically delivered via email spamming campaigns, with new campaigns being delivered on a\r\nnear-daily basis that leverage an assortment of different lure types and execution processes.\r\nThis got us curious - how do different campaigns compare to each other? We’ve extensively tracked IcedID C2\r\ninfrastructure using our Recon and BARS (Botnet Analysis and Reporting Service) feed tooling, and using this\r\ndata we were able to peek behind the scenes at metrics that are possibly similar to what the threat actors are\r\ntracking themselves.\r\nC2 Tracking\r\nWe’ve previously written about IcedID Stage 2 Tier 1 (T1) and Tier 2 (T2) C2 infrastructure and threat telemetry,\r\nwhich pertains to bot activity that occurs after IcedID has successfully infected a machine. In this post, our focus\r\nis on the Stage 1 T1 C2s that initially load the malware onto a victim’s machine after they perform the action\r\nbeing asked of them in the lure, such as ‘enable macros’ or ‘click a disguised shortcut’.\r\nRegistration\r\nFor at least the two months leading up to 21 September 2022, domains used as Stage 1 downloader C2s were\r\nregistered with 1337 Services LLC Hosting (connected to the Njalla hosting service) and parked there for an\r\naverage of 31 days before use as a C2. 
This aging period was possibly intended to circumvent firewall\r\nblocks against newly registered domains. As of 22 September 2022, however, domains used as C2s have been\r\nregistered only a few days prior, breaking this long-term pattern.\r\nC2 Assignment\r\nEither the day before or the day of a campaign, a C2 domain is assigned to a new IP that is used for inbound\r\nvictim traffic on port 80 and for T1 -\u003e T2 communications. Communication with the T2 C2 generally begins the\r\nsame day the campaign is released.\r\nhttps://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns\r\nPage 1 of 11\n\nAccording to our C2 tracking data for the August-September 2022 timeframe, domains and IPs are typically only\r\nused for one campaign and not recycled. In mid-September there were a few instances where downloader IPs and\r\ndomains were reused, but as of the end of September, C2s have returned to being unique / single-use.\r\nC2 Lifespan\r\nC2 communication with T2 infrastructure occurs for an overall average of six days before ending, and four or five\r\nC2 IPs are normally active at a time. However, around the third week of September the number of active C2s dwindled\r\nto two, because IPs and domains were being reused between campaigns, which prevented aged-out\r\nC2s from being replaced. In most cases, no changes are made regarding the IP or domain once it’s inactive. All but\r\none of the C2 domains from the campaigns we analyzed were still assigned to the same IPs at the time of writing.\r\nCampaign Metrics\r\nUsing the C2s we’ve gathered from tracking IcedID infrastructure, we analyzed data from campaigns that were\r\nspammed during the period 13 - 21 September 2022 to see if there was a correlation between TTPs and the\r\nvolume of victim interaction.\r\nIn order to identify potential victim traffic, we had to remove general noise, as well as security research traffic, from our\r\ndata. 
This process includes enrichment with supplementary open source data such as WHOIS information. The\r\nnumbers provided throughout this blog are approximations derived from sampled threat telemetry.\r\nDelivery Methods\r\nOf the campaigns analyzed, the following methods were used for malware delivery:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e JS -\u003e [CMD or BAT] -\u003e DLL\r\nDelivery was via a password protected zip file that contained an ISO which itself contained a LNK file and an\r\narchive holding the files used for IcedID installation. When the LNK file is clicked by the user, it functions as a\r\nshortcut to run a script within the archive that ultimately installs IcedID from a DLL. It is typically launched\r\nthrough either a CMD or BAT script, depending on which was included in the archive.\r\nPassword Protected ZIP -\u003e ISO -\u003e CHM -\u003e DLL\r\nDelivery was via a password protected zip file containing an ISO that led to a CHM (Compiled HTML) file. 
The\r\nvictim must open the file to launch the DLL and complete the infection process.\r\nMaldoc\r\nUsers received either a malicious Word or Excel file that asked them to enable macros, which then allowed the\r\nembedded script to execute and install IcedID.\r\nPrivateLoader\r\nDelivery was through PrivateLoader, a pay-per-install service that distributes malware by hiding it in free software\r\ndownloaded by unsuspecting users.\r\n________________________________________\r\n13 September\r\nThere were two campaigns launched: one targeting Italian speakers (project ID 3281798692) and the other\r\ntargeting English speakers (project ID 726442267).\r\nThe Italian lure was in the form of a malicious ‘.docm’ file with kolinandod[.]com as the C2, which was set to\r\nresolve to 159.203.5[.]238 on 12 September.\r\nThere were around 18 potential victims and most of the victim communication occurred on the same day as the\r\ncampaign. The C2 stopped interacting with the T2 on 19 September.\r\nThe lure targeting English speakers arrived using the following delivery method:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e JS -\u003e BAT -\u003e DLL\r\nThe C2 was qvantumbrakesz[.]com, which resolves to 134.209.97[.]90.\r\nThere were around 115 potential victims that communicated with the C2 before it was disconnected from the T2\r\non 20 September. 
Most of this traffic occurred on the day of the campaign and tapered off until the last victim hit\r\nit on 19 September.\r\n________________________________________\r\n14 September\r\nFor the campaign on 14 September (project ID 809191839), threat actors returned to leveraging CHM files for the\r\ndelivery method:\r\nPassword Protected ZIP -\u003e ISO -\u003e CHM -\u003e DLL\r\nNote: The use of CHMs was first spotted in an IcedID campaign on 8 August 2022, but malicious use of this file type is a technique that has been around for several years.\r\nThe C2 was allozelkot[.]com and was set to resolve to 188.166.169[.]40 on the day of the campaign. There were\r\naround 18 unique victims with the last connections occurring on 19 September. The C2 stopped communicating with\r\nthe T2 on 22 September.\r\n________________________________________\r\n15-16 September\r\nBoth the 15 September and 16 September campaigns used pildofraften[.]com as their C2. This domain has resolved\r\nto the same IP address (142.93.44[.]94) since 15 September. Seeing domains and IPs reused for Stage 2 bot C2s is\r\nnot uncommon, but this is the first case of a Stage 1 downloader C2 reusing either since at least mid-August 2022.\r\nThe campaign on 15 September (project ID 612758225) used the delivery method:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e JS -\u003e BAT -\u003e DLL\r\nThe second campaign (project ID 3747825559), seen on 16 September, was delivered as an EXE dropped by\r\nPrivateLoader.\r\nThere were around 79 potential victims and most of them first communicated with the C2 on 16 September. 
The\r\nlast victim requests to the C2 occurred on 19 September and traffic with the T2 ended on 22 September.\r\n________________________________________\r\n19 September\r\nThe campaign that occurred on 19 September (project ID 775636601) was a bit of an outlier compared to the\r\nothers we’ve looked at so far. Delivery consisted of a password protected zip file containing an ISO:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e DLL\r\nThe C2 was aviadronazhed[.]com, which was updated to resolve to 67.205.169[.]96 on the day of the campaign.\r\nInbound port 80 traffic began at around 15:00 UTC and continued for about three hours for a total of five potential\r\nvictims. T2 traffic began about two and a half hours after the victim traffic (17:30 UTC) and lasted around two and a\r\nhalf hours after the last port 80 request (20:30 UTC). Oddly, the C2 was then disconnected from the T2 instead of\r\ncontinuing to communicate for the usual period of approximately six days.\r\nAnother oddity was that, unlike other C2s where domains remained on the same IPs at the conclusion of a\r\ncampaign, this domain was updated and removed from 67.205.169[.]96 on 22 September.\r\n________________________________________\r\n20-21 September\r\nThree campaigns occurred during the period 20 - 21 September and each had a unique domain that resolved to the\r\nsame IP (161.35.110[.]54). The IP was reused between domains similarly to the 15 - 16 September campaigns,\r\nexcept in this case the domains were unique.\r\nThere was one campaign seen on 20 September (project ID 512092511) with alkaliodplus[.]com as its C2. For\r\ndelivery it used a password protected zip file and ISO:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e BAT -\u003e DLL\r\nTwo campaigns were seen on 21 September, each with a unique project ID and domain: nikolandfantazy[.]com\r\n(project ID 1367965656) and zalikomanperis[.]com (project ID 2432960414). 
The delivery was via a password\r\nprotected zip containing an ISO:\r\nPassword Protected ZIP -\u003e ISO -\u003e LNK -\u003e JS -\u003e CMD -\u003e DLL\r\nThere were 29 potential victims while the C2 was active between 20 - 27 September, with the last\r\ncommunication from a unique IP on port 80 happening on 26 September. Only two victims hit the C2 on 20\r\nSeptember and most of the traffic began on 21 September before gradually tapering off.\r\n________________________________________\r\nBonus Bloopers!\r\nThese campaigns fell outside of the timeframe we were focusing on, but due to their peculiarities we thought it\r\nwould be interesting to add them for comparison.\r\n9 September\r\nThe lure for this campaign (project ID 3207262051) was meant to be an XLSM file for English speakers, but the\r\nthreat actors used the Italian word for “View” on the button they wanted to convince users to click.\r\nFigure 1 – Screenshot from Hatching Triage\r\nThe C2 for this campaign was audifastinggip[.]com and it began resolving to 143.198.178[.]0 on 9 September.\r\nUntil 13 September around 12 potential victims were curious enough to click the “Visualizza” button, and\r\ncommunication with the T2 ended on 15 September.\r\n22-23 September\r\nIt appears a key component of the process may have been skipped when setting up the C2 on 22 September\r\n(project ID 1023645195). The C2 was trallfasterinf[.]com, and it resolves to 137.184.114[.]20. Unlike the other\r\nC2s we’ve tracked, which were registered an average of 31 days prior to being used in a campaign, this domain\r\nwas the first to be registered only one day before it was used as a C2. 
It was assigned to this IP on the day of the campaign,\r\nwhich is normal, but T2 communications appear to have never been set up. Potential victim traffic is hitting the\r\nC2, but it goes nowhere.\r\nThe C2 for 23 September (project ID 2349072319) was sebdgoldingor[.]com, and it also resolves to\r\n137.184.114[.]20. Reusing IPs for these C2s is a new behavior which occurred twice in the same week. It was also\r\nregistered with Njalla on 21 September, two days prior. Interestingly, T2 communications were still not set up\r\nwhen this second campaign launched. Two campaigns seen the following Monday on 26 September contained the\r\nexpected T2 traffic, so it appears the threat actors may have had a bit of a mishap with 137.184.114[.]20.\r\nAnalysis/Key Findings\r\nGEO Targeting\r\nThe 13 September campaign targeting Italian speakers resulted in 18 potential victims. It was also the only\r\ncampaign from our timeframe using a malicious Word document as the delivery method, which makes a true\r\ncomparison difficult. The campaign that leveraged a CHM file along with an English lure also had 18 potential\r\nvictims. It’s probable that the target base for this campaign was larger than that aimed at Italian speakers (based on\r\nthe prevalence of both languages), so 18 potential Italian victims may be considered a successful number by the\r\nthreat actors.\r\nDelivery Methods\r\nThe campaign with the highest potential victim count was the campaign targeting English speakers that was\r\nreleased the same day as the Italian campaign (13 September). It was delivered via the most common method: a\r\npassword protected zip file containing an ISO, which contained a LNK file. The second most successful campaign\r\nwas that which leveraged PrivateLoader on 16 September.\r\nFrom our observations, it appears that campaigns leveraging CHM files are less successful, which could explain\r\nwhy we have only seen this technique being used twice. 
However, we do not have a complete picture - the number\r\nof victims may have been proportionately similar (or different) based on the number of users targeted. For\r\nexample, it is possible the CHM file campaigns were tests against a smaller target base, in which case one might\r\nargue that they were successful.\r\nLastly, it appears end users are far less likely to fall for a lure if there are any errors within the aesthetics, as seen\r\nwith the campaign on 9 September – security awareness training appears to pay off! Unfortunately, in the majority\r\nof cases, lures look quite realistic and don’t always contain obvious errors and misspellings.\r\nTraffic Timeline\r\nExcluding the 19 September campaign as an outlier, the majority of victim traffic hits the C2 the day after a\r\ncampaign is first reported in the wild. This could be a coincidence due to the small dataset being examined, and\r\ntherefore will be a topic we revisit after further tracking.\r\nCommunication with the T2 infrastructure ends at least one day after the last victim traffic, which lasted anywhere\r\nfrom three to seven days. Due to the small sample size, this is also something we will continue to keep an eye on\r\nfor any emerging patterns.\r\nThe timeframe we examined was coincidentally when many odd behaviors were being observed, including the\r\nchanges with C2s being reused, the time between domain registration and C2 assignment shrinking, and the\r\ncampaign on 19 September that was quickly cut short (among other observations not mentioned). 
We believe that\r\nthe threat actors behind IcedID were either making changes to various infrastructure processes behind the scenes\r\nor were having technical issues during this time.\r\nConclusion\r\nIn this post we pulled back the curtain on IcedID campaign metrics and Stage 1 C2 infrastructure, to shed light on\r\nbehaviors and details not often available. These metrics are numbers the threat actors are watching as well, and,\r\njust like in any other business, they may influence their future actions.\r\nWhen it comes to delivery methods, daily campaigns often leverage emails containing password protected zip\r\nfiles and ISOs and perform comparatively well. The relative success of the campaign leveraging PrivateLoader\r\ninfections, with the malware concealed within ‘cracked’ software downloads, makes this method something also\r\nworth watching.\r\nThe threat actors spamming IcedID are likely aware that lures with glaring mistakes and typos perform poorly\r\ncompared to those that are more realistic, as we saw with the campaign on 9 September. Targets may not be as\r\neasily tricked by phishing emails nowadays, but in response the threat actors have adapted their methods to use\r\nlures that appear legitimate and don’t typically include errors. 
Make sure your company’s security awareness\r\ntraining has adapted too!\r\nWe hope that these findings provide benefit to the reader in a number of areas:\r\nContext on the cadence, volume, and impact of IcedID campaigns.\r\nData points for the assessment of the effectiveness of IcedID delivery TTPs.\r\nContext for the aging out of IcedID C2 IP IOCs; whilst IcedID domains continue to resolve to these IPs,\r\ntheir communications with the T2 cease after approximately 6 days.\r\nTopics for security awareness training that reflect the current environment.\r\nIOCs\r\n67.205.169.96 aviadronazhed[.]com\r\n134.209.97.90 qvantumbrakesz[.]com\r\n137.184.114.20 trallfasterinf[.]com\r\n142.93.44.94 pildofraften[.]com\r\n143.198.178.0 audifastinggip[.]com\r\n159.203.5.238 kolinandod[.]com\r\n161.35.110.54 alkaliodplus[.]com, nikolandfantazy[.]com, zalikomanperis[.]com\r\n188.166.169.40 allozelkot[.]com\r\nSource: https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.team-cymru.com/post/a-visualizza-into-recent-icedid-campaigns"
	],
	"report_names": [
		"a-visualizza-into-recent-icedid-campaigns"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c946c2bbe80c1acfca4687572db33d487e445744.pdf",
		"text": "https://archive.orkl.eu/c946c2bbe80c1acfca4687572db33d487e445744.txt",
		"img": "https://archive.orkl.eu/c946c2bbe80c1acfca4687572db33d487e445744.jpg"
	}
}