{
	"id": "ad00f9a5-832a-4e73-b672-a1d4ffd8274a",
	"created_at": "2026-04-06T00:19:11.448812Z",
	"updated_at": "2026-04-10T03:21:07.126346Z",
	"deleted_at": null,
	"sha1_hash": "dec79d46da11703febf83f3e6c1d302cafb5f84f",
	"title": "IcedID PhotoLoader evolution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317453,
	"plain_text": "IcedID PhotoLoader evolution\r\nPublished: 2020-04-28 · Archived: 2026-04-05 22:41:29 UTC\r\nIcedID continues to evolve but yet not a lot of attention is given it, Joshua Platt, Vitali Kremez and myself recently\r\nreleased a report[1] detailing how they have been targeting and continue to target tax season in the midst of the\r\nCovid-19 pandemic which has extended tax season in the US to July.\r\nIn light of this they are also continuing to innovate on their malware tools including their PhotoLoader which was\r\ndetailed by MalwareBytes previously[2]. The loader has recently had a number of additions added to it which\r\nappear to be designed towards protecting the payloads and also evading network detection.\r\nConfig\r\nThe loader comes with an onboard configuration which will be decoded:\r\nDecoding this config shows some hex data and a number of domains:\r\nSome of these domains are legit and one of them stands out as suspect, the loader enumerates these domains and\r\nmakes requests to them in a loop.\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 1 of 8\n\nAfter retrieving the content it will look for the first occurrence of ‘url(“‘ or ‘src=”’.\r\nIt will then build another request for this resource from the same domain but depending on the flag value before\r\nthe domain will determine whether or not the second request will have a callback function set on the request for\r\nthe retrieved resource.\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 2 of 8\n\nThe callback will add cookie values to the request headers.\r\nThe cookie values built are based on various information from the infected system.\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 3 of 8\n\nAn example of the request can be seen from this sandbox detonation[3]:\r\nThe _u cookie value holds the username and computername hexlified.\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 4 of 8\n\nInspecting the data from the sandbox detonation:\r\n\u003e\u003e\u003e binascii.unhexlify('4445534B544F502D4A474C4C4A4C44')\r\n'DESKTOP-JGLLJLD'\r\n\u003e\u003e\u003e binascii.unhexlify('61646D696E')\r\n'admin'\r\nA breakdown of what the cookie values are:\r\nCookie Value\r\n_gid Based on physical address of NIC\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 5 of 8\n\nCookie Value\r\n_io Domain identifier from SID\r\n_u Username and Computername\r\n_gat Windows version info\r\n_ga Processor info via CPUID including hypervisor brand if available\r\n_gads\r\nFirst DWORD from decoded config data, flag from inspecting server certificate, a random\r\nDWORD or number passed as parameter with -id=, number of processes\r\nAfter pulling down the fake image file it will look for ‘IDAT’.\r\nUses a byte value to determine the size of the RC4 key before RC4 decrypting the data:\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 6 of 8\n\nThen will perform a hash check on the decoded data to determine if it was correct.\r\nIf the hash check fails it will just continue performing this enumeration through the domain list, effectively turning\r\nthis process into a checkin loop with fake traffic mixed in.\r\nMany of these added features to their photo loader appear to be designed for evading researchers and detections,\r\nthis gives us insights into their operations as what their customers are asking for dictates what their development\r\nteam will prioritize. With the previous photo loader being blogged about and signatures being released, it was only\r\na few months before a new updated system was created to replace it.\r\nIOCs\r\n1a4408ff606936ba91fa759414f1c6dd8b27e825\r\nca792a5d30d3ca751c4486e2d26c828a542a001a\r\nzajjizev[.]club\r\nhxxp://45.147.231[.]107/ldr.exe\r\nhxxps://customscripts[.]us/ldr_2817175199.exe\r\nkarantino[.]xyz\r\nhinkaly[.]club\r\nSignatures\r\nalert http $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"IcedID PhotoLoader Ver2\"; flow:established,to_server; conte\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 7 of 8\n\nReferences:\r\n1. https://labs.sentinelone.com/icedid-botnet-the-iceman-goes-phishing-for-us-tax-returns/\r\n2. https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/\r\n3. https://app.any.run/tasks/d092cd7a-3e1c-479f-93e0-6494e464f44e/\r\nSource: https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nhttps://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html\r\nPage 8 of 8\n\n  https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html  \nAn example of the request can be seen from this sandbox detonation[3]:\nThe _u cookie value holds the username and computername hexlified.\n    Page 4 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sysopfb.github.io/malware,/icedid/2020/04/28/IcedIDs-updated-photoloader.html"
	],
	"report_names": [
		"IcedIDs-updated-photoloader.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dec79d46da11703febf83f3e6c1d302cafb5f84f.pdf",
		"text": "https://archive.orkl.eu/dec79d46da11703febf83f3e6c1d302cafb5f84f.txt",
		"img": "https://archive.orkl.eu/dec79d46da11703febf83f3e6c1d302cafb5f84f.jpg"
	}
}