{
	"id": "92e0f57c-71a7-4682-8773-f30163656711",
	"created_at": "2026-04-06T00:18:42.521372Z",
	"updated_at": "2026-04-10T03:36:11.198225Z",
	"deleted_at": null,
	"sha1_hash": "d7cd0450f7a98fc6d79b3eb8adeec29e746a6bf2",
	"title": "UnpacMe Weekly: New Version of IcedId Loader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 340102,
	"plain_text": "UnpacMe Weekly: New Version of IcedId Loader\r\nBy Sean Wilson\r\nPublished: 2023-05-03 · Archived: 2026-04-02 11:40:33 UTC\r\nBy Sean Wilson — May 3, 2023\r\nThis week we've updated coverage for IcedId and an IcedId fork based on a newly observed version.\r\nHighlights\r\nAdded support for newly observed version of IcedId Core Loader Fork and IcedId Loader Fork\r\nNullmixer SEO search result poisoning delivering LegionLoader\r\nString search: Performance improvements and bug fixes\r\nNew Features\r\nThis week we continued work on improving our new string search feature. Based on your feedback and bug\r\nreports, we've made several improvements to the overall speed and stability of search. In addition to search we\r\nalso pushed some changes to Yara Hunt to improve the overall scan performance of Yara scans.\r\nThreat Spotlight: New IcedID Loader Fork\r\nOn April 30, 2023 we observed a new version of the previously forked IcedID loader and core loader. The initial\r\nfork of these components was detailed by Proofpoint in March 2023. 
This new fork contains some significant updates to both components.\r\nForked Loader Updates\r\nb40076de066f06cfd29f43ae69d1e8c1627021a06bf2edff654626671acfb752\r\nThe loader configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key.\r\nThe new loader configuration file encryption algorithm is the same custom algorithm previously used by the core loader, as detailed in the mwcfg module icedid_peloader.py\r\nForked Core Loader Updates\r\nhttps://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader\r\nPage 1 of 4\n\n27483870f4df637c7532e41c61e2ee1b6734b28bf511855b68c61abad031c8c8\r\nThe IcedID bot is now embedded directly in the core loader instead of being delivered in a separate .dat file.\r\nWith the bot embedded in the core loader, the command line parameter --tidu=\"license.dat\" is no longer required when launching the loader.\r\nThe embedded bot continues to use the same custom headerless “pe” format detailed by Malwarebytes in 2019.\r\nThe bot \"pe\" sections are split between the .text, .rdata and .data sections in the core loader (one section in each).\r\nThe core loader combines these disparate sections into a single blob of data, which is then decrypted using XOR with a hard-coded 32-byte ASCII key zzfersksximkogxswguwqvngtjkvvzjy.\r\nThe decrypted blob is then passed through the same custom decryption routine used by previous versions of the core loader, as detailed in the mwcfg module icedid_peloader.py\r\nOnce decrypted, the plaintext blob is loaded into memory using the custom IcedId “pe” loader.\r\nThe PDB path in the new core loader fork, E:\\source\\anubis\\int-bot\\x64\\Release\\int-bot.pdb, indicates that this new version is internally referred to as `int-bot`.\r\nWeekly Threat Hunting\r\nAs in recent weeks, we continue to see an almost even distribution between Downloaders, InfoStealers, and Remote Access Trojans (RATs).
Analysis of the top user submitted files shows a near identical trend to last week, with the top threats being AgentTesla, Amadey, SmokeLoader, and SnakeKeylogger. One notable change was an overall drop in submitted FormBook samples.\r\nContinued analysis of .NET based malware families confirmed some of our suspicions from last week regarding the use of XorStringsNET. We have been tracking samples from additional .NET malware families such as RedLine Stealer and XWorm leveraging the tool for an additional layer of obfuscation.\r\nOver the past week, monitoring of the UnpacMe Threat Feed has corroborated our suspicions regarding the increase in AgentTesla samples. We are seeing that over 80% of submitted AgentTesla samples are using the XORStringsNET string encryption. We expect that over the next couple of weeks we will likely see an increase in several .NET malware families that leverage the tool, as it gains popularity among less-skilled threat actors.\r\nLast Week's Top Submitted Threats\r\nThreat Coverage\r\nWe've added and improved coverage for the following malware families.\r\nIcedId Fork(s) - A new fork of the previously forked IcedId first observed by ProofPoint in 2023. New versions of the forked loader and forked core loader were first observed by UnpacMe on April 30, 2023. This new fork contains significant changes from the previous version, including a new custom decryption algorithm used by the core loader, and the inclusion of the bot in the core loader rather than deployment via separate .dat files. We have added configuration extractors for both the forked loader and forked core loader.\r\nLegionLoader - LegionLoader (aka Satacom) is a downloader and cryptocurrency stealer primarily distributed via the Nullmixer pay-per-install service.
Nullmixer uses SEO to poison search results with high ranked links to their malware for common search terms such as \"free pdfs\" and \"cracked software\". We've added a new configuration extractor for LegionLoader to extract the command-and-control (C2) and encrypted strings.\r\nMinodoBackdoor - Previously referred to as DominoBackdoor, a downloader possibly linked to WIZARD SPIDER or a subset of Conti affiliates.\r\nAs always, if you have any feedback or issues please let us know.\r\nHappy Unpacking!\r\nSource: https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.unpac.me/2023/05/03/unpacme-weekly-new-version-of-icedid-loader"
	],
	"report_names": [
		"unpacme-weekly-new-version-of-icedid-loader"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434722,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7cd0450f7a98fc6d79b3eb8adeec29e746a6bf2.pdf",
		"text": "https://archive.orkl.eu/d7cd0450f7a98fc6d79b3eb8adeec29e746a6bf2.txt",
		"img": "https://archive.orkl.eu/d7cd0450f7a98fc6d79b3eb8adeec29e746a6bf2.jpg"
	}
}