Tag: icedid

11 Attack Reports | 0 Vulnerabilities

Attack reports

Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload

A security incident involving malicious sponsored ads distributing backdoored administrative tools was detected. Users searching for RVTools were served a tampered version containing ThunderShell, a PowerShell-based remote access tool. The malicious ads, appearing in Google search results, led to a…
malvertising
powershell
icedid
google ads
c2
remote access tool
2025-04-03
thundershell
rvtools
trojanized software
Published: April 3, 2025
Downloadable IOCs: 0

LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER, a Russian-speaking financially motivated threat group, has resumed operations following law enforcement disruptions. They've shifted from using IcedID to leveraging Latrodectus and Brute Ratel C4 malware, targeting financial services through SEO poisoning malvertising campaigns. The g…
ransomware
malvertising
seo poisoning
icedid
latrodectus
2024-10-31
brute ratel c4
financial sector
infrastructure sharing
Published: October 31, 2024
Downloadable IOCs: 0

New Bumblebee Loader Infection Chain Signals Possible Resurgence

A new infection chain for the Bumblebee loader malware has been discovered, potentially indicating its resurgence after Operation Endgame. The sophisticated downloader, first identified in March 2022, is used by cybercriminals to access corporate networks and deliver payloads like Cobalt Strike bea…
loader
pikabot
phishing
cobalt strike
icedid
lnk
darkgate
latrodectus
stealth
2024-10-21
msi
bumblebee
infection-chain
in-memory-execution
Published: October 21, 2024
Downloadable IOCs: 11

Inside the Latrodectus Malware Campaign

The Latrodectus malware campaign employs a combination of traditional phishing techniques and innovative payload delivery methods to target financial, automotive, and healthcare sectors. The attack chain begins with compromised emails containing malicious PDF or HTML attachments, which redirect use…
obfuscation
phishing
icedid
javascript
healthcare
latrodectus
financial
2024-10-21
msi
dll
automotive
activex
rundll32
Published: October 21, 2024
Downloadable IOCs: 20

No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection

This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on common techniques and attributes used in malicious campaigns. Four new campaigns were uncovered: FinHealthXDS (targeting finan…
cobalt strike
icedid
dns tunneling
data exfiltration
redline stealer
2024-10-05
russiansite
nsfinder
8ns
covert communications
hiloti
finhealthxds
Published: October 5, 2024
Downloadable IOCs: 0

Latrodectus Rapid Evolution Continues With Latest New Payload Features

This report discusses the latest updates to the Latrodectus malware, including a different string deobfuscation approach, a new C2 endpoint, and two new backdoor commands. It provides an in-depth analysis of the new version 1.4, focusing on the new features added or updated in this variant. The rep…
malware
icedid
analysis
payload
latrodectus
2024-08-30
evolution
Published: August 30, 2024
Downloadable IOCs: 10

Chamelgang & Friends | Cyberespionage Groups Attacking Critical Infrastructure with Ransomware

In collaboration with Recorded Future, SentinelLabs has been tracking two distinct activity clusters targeting government and critical infrastructure sectors globally between 2021 and 2023.
ransomware
cobalt strike
icedid
bitlocker
2024-06-26
china chopper
wiper
conti
chamelgang
bestcrypt
beaconloader
silver sparrow
Published: June 26, 2024
Downloadable IOCs: 8

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

This report details an intrusion that commenced with a spam campaign distributing a forked IcedID loader. After gaining initial access, the threat actor deployed ScreenConnect and established Cobalt Strike beacons, enabling remote command execution. They also utilized CSharp Streamer, a capable RAT…
backdoor
rat
ransomware
blackcat
alphv
cobalt strike
icedid
exfiltration
2024-06-10
noberus
csharp streamer
Published: June 10, 2024
Downloadable IOCs: 33

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

LATRODECTUS is a malware loader gaining popularity among cybercriminals, with strong connections to the ICEDID malware family. It offers standard capabilities for deploying payloads and conducting post-exploitation activities. Initially discovered by Walmart researchers in 2023, it continues evolvi…
malware
loader
icedid
cybercrime
2024-05-17
latrodectus
financially-motivated
Published: May 17, 2024
Downloadable IOCs: 7

Phishing Campaigns Targeting USPS See as Much Web Traffic as the USPS Itself

Following the 2023 holiday season, Akamai researchers uncovered a significant amount of highly likely malicious activity and domains purporting to be associated with the United States Postal Service (USPS). Akamai researchers compared five months of DNS traffic to the legitimate domain, usps.com, w…
powershell
cobalt strike
icedid
sharefinder
lsass
javascript file
amazon
usps
dns query
dll file
Published: April 29, 2024
Downloadable IOCs: 34

From IcedID to Dagon Locker Ransomware in 29 Days

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. The phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware and victims were directed to a fraudulent website, mimicking an Azure download portal.
powershell
cobalt strike
anydesk
icedid
adfind
rclone
shell
encrypted
discovery
domain account
access token
manipulation
utility
modify system
aws collector
prometheustds
seatbelt
sharefinder
Published: April 29, 2024
Downloadable IOCs: 33
Click here to see more Attack Reports