New IcedID variants shift from bank fraud to malware delivery


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
New IcedID variants have been found without the usual online banking fraud functionality and instead focus on installing further malware on compromised systems.

According to Proofpoint, these new variants have been seen used by three distinct threat actors in seven campaigns since late last year, focusing on further payload delivery, most notably ransomware.

Proofpoint has identified two new variants of the IcedID loader, namely “Lite” (first seen in November 2022) and “Forked” (first observed in February 2023), both delivering the same IcedID bot with a more narrow-focused feature set.

Starting in November 2022, the “Lite” variant of the IcedID loader was delivered as a second-stage payload on systems infected by the newly-returned Emotet malware.

The “Forked” version of the malware loader first appeared in February 2023, distributed directly through thousands of personalized invoice-themed phishing emails.

These messages used Microsoft OneNote attachments (.one) to execute a malicious HTA file that, in turn, runs a PowerShell command which fetches IcedID from a remote resource. At the same time, the victim is served a decoy PDF.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.