S0483: IcedID
Analyst context for executives and security teams
IcedID matters because ATT&CK describes it as modular Windows banking malware built to steal financial information and associated with follow-on malware distribution relationships. For leaders, the practical issue is not just “banking malware”; it is whether the organization can detect a Windows endpoint compromise that blends web traffic, discovery, persistence, obfuscation, browser session abuse, and data exfiltration behaviors before it becomes a broader incident.
Executive priority
Prioritize IcedID-relevant readiness where Windows endpoints handle financial workflows, privileged access, or sensitive browser-based sessions. Ask whether SOC, IR, and audit teams can prove visibility into endpoint execution, scheduled tasks, WMI activity, process injection indicators, account and network discovery, web-based command-and-control, and encrypted exfiltration patterns. Because ATT&CK provides no official detection text for this malware, coverage should be validated through the related techniques rather than assumed from malware naming alone.
Technical view
ATT&CK lists IcedID on Windows and relates it to techniques spanning initial access, execution, persistence, privilege escalation, defense evasion, discovery, collection, command-and-control, ingress tool transfer, and exfiltration. Detection engineering should map coverage to the specific relationships: drive-by compromise, Visual Basic execution, WMI, Native API use, scheduled tasks, process hollowing/APC injection, packed or encoded payloads, legitimate-looking resource names or locations, domain/account/share/system/network discovery, browser session hijacking, web protocols, tool transfer, and asymmetric encrypted non-C2 exfiltration. Treat IcedID as a behavior cluster: endpoint, identity, browser, and network telemetry must be correlated rather than relying on static signatures alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Scheduled task creation, modification, and execution logs
- WMI activity and remote/local management events
- Endpoint detection telemetry for process injection, process hollowing, APC-style injection, and unusual Native API behavior
- File creation and execution telemetry for packed, encoded, embedded, or misleadingly named payloads
Detection direction
- Validate ATT&CK technique coverage rather than depending on an IcedID signature, since official detection guidance is not provided.
- Tune detections for suspicious chains: script or Visual Basic execution leading to WMI, scheduled task creation, discovery commands, browser interaction, network callbacks, or tool transfer.
- Correlate endpoint and network signals; web protocols can blend with normal traffic, and encrypted exfiltration may not expose content inspection opportunities.
- Review false positives around legitimate administration: WMI, scheduled tasks, Native API-heavy software, and domain/share discovery can be normal in managed Windows environments.
- Look for defense-evasion context such as software packing, encoded files, embedded payloads, process injection, and legitimate-looking names or locations.
Mitigation priorities
- Ensure Windows endpoint protection and logging are configured to retain process, file, scheduled task, WMI, and injection-relevant telemetry.
- Harden browser and endpoint controls around financial and privileged workflows, including restrictions on unauthorized script execution and suspicious downloaded content.
- Limit unnecessary local administrative capability and monitor identity discovery against domain accounts and permission groups.
- Control and monitor outbound web traffic and encrypted egress, with attention to unusual destinations, tool downloads, and data movement patterns.
- Prepare IR playbooks for modular malware incidents: isolate affected Windows hosts, preserve volatile and endpoint evidence, review account/session exposure, and inspect for follow-on tools or persistence.
Analyst notes and limits
The supplied ATT&CK object identifies IcedID as modular banking malware observed since at least 2017 and notes that Emotet downloaded it in multiple campaigns. Relationships also connect it to TA551, TA578, Water Curupira Pikabot Distribution, and multiple ATT&CK techniques. The most defensible operational use is to validate coverage against those related behaviors on Windows rather than infer a single detection strategy.
Official ATT&CK detection text is not provided, tactics are not specified directly on the malware object, aliases are not supplied, and relationship descriptions are partly sparse or truncated. This take does not assert current activity, attribution beyond supplied relationships, guaranteed detection, or exposure in any specific environment. Local telemetry, asset criticality, and incident evidence are required to determine risk and response priority.
IcedID
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497 | Virtualization/Sandbox Evasion | IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic. (Citation: Trendmicro_IcedID) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | IcedID can inject a Cobalt Strike beacon into cmd.exe via process hollowing. (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | IcedID used the following command to check the country/language of the active console: `cmd.exe /c chcp >&2`. (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1218.007 | Msiexec Sub-technique | |
| Enterprise | T1189 | Drive-by Compromise | IcedID has cloned legitimate websites/applications to distribute the malware. (Citation: Trendmicro_IcedID) |
| Enterprise | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Sub-technique | IcedID has exfiltrated collected data via HTTPS. (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1069 | Permission Groups Discovery | IcedID has the ability to identify Workgroup membership. (Citation: IBM IcedID November 2017) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | IcedID has created a scheduled task to establish persistence. (Citation: Juniper IcedID June 2020) (Citation: DFIR_Quantum_Ransomware) (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | IcedID has modified legitimate .dll files to include malicious code. (Citation: Trendmicro_IcedID) |
| Enterprise | T1204.002 | Malicious File Sub-technique | IcedID has been executed through Word and Excel files with malicious embedded macros and through ISO and LNK files that execute the malicious DLL. (Citation: Juniper IcedID June 2020) (Citation: DFIR_Quantum_Ransomware) (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | IcedID can identify AV products on an infected host using the following command: `WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List`. (Citation: DFIR_Sodinokibi_Ransomware) (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | IcedID has embedded malicious functionality in a legitimate DLL file. (Citation: Trendmicro_IcedID) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | IcedID has utilized encrypted binaries and base64 encoded strings. (Citation: Juniper IcedID June 2020) |
| Enterprise | T1106 | Native API | IcedID has called |
| Enterprise | T1027.003 | Steganography Sub-technique | IcedID has embedded binaries within RC4 encrypted .png files. (Citation: Juniper IcedID June 2020) |
| Enterprise | T1087.002 | Domain Account Sub-technique | IcedID can query LDAP and can use built-in `net` commands to identify additional users on the network to infect. (Citation: IBM IcedID November 2017) (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1047 | Windows Management Instrumentation | IcedID has used WMI to execute binaries. (Citation: Juniper IcedID June 2020) (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | IcedID has used obfuscated VBA string expressions. (Citation: Juniper IcedID June 2020) |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | IcedID has used |
| Enterprise | T1105 | Ingress Tool Transfer | IcedID has the ability to download additional modules and a configuration file from C2. (Citation: IBM IcedID November 2017) (Citation: Juniper IcedID June 2020) (Citation: DFIR_Quantum_Ransomware) (Citation: Latrodectus APR 2024) |
| Enterprise | T1016 | System Network Configuration Discovery | IcedID used the `ipconfig /all` command and a batch script to gather network information. (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | IcedID has been delivered via phishing e-mails with malicious attachments. (Citation: Juniper IcedID June 2020) (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | IcedID has used HTTPS in communications with C2. (Citation: Juniper IcedID June 2020) (Citation: DFIR_Quantum_Ransomware) (Citation: DFIR_Sodinokibi_Ransomware) |
| Enterprise | T1135 | Network Share Discovery | IcedID has used the `net view /all` command to show available shares. (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1185 | Browser Session Hijacking | IcedID has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. IcedID can use a self-signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser. (Citation: IBM IcedID November 2017) (Citation: Juniper IcedID June 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | IcedID has established persistence by creating a Registry run key. (Citation: IBM IcedID November 2017) |
| Enterprise | T1027.002 | Software Packing Sub-technique | IcedID has packed and encrypted its loader module. (Citation: Juniper IcedID June 2020) |
| Enterprise | T1082 | System Information Discovery | IcedID has the ability to identify the computer name and OS version on a compromised host. (Citation: IBM IcedID November 2017) (Citation: DFIR_Quantum_Ransomware) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | IcedID has used SSL and TLS in communications with C2. (Citation: IBM IcedID November 2017) (Citation: Juniper IcedID June 2020) |
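The suspicious-chain correlation called for under Detection direction, applied to the discovery and persistence commands the table above attributes to IcedID. This is an added example, not Glexia or MITRE code; the pipe-delimited event format, the ten-minute window, the three-technique threshold and the parent-image list are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command patterns taken from the IcedID procedures on this page, tagged by ATT&CK id.
PATTERNS = [
    ("T1614.001", re.compile(r"\bchcp\b", re.I)),                           # cmd.exe /c chcp
    ("T1518.001", re.compile(r"securitycenter2.*antivirusproduct", re.I)),  # WMIC AV query
    ("T1135", re.compile(r"\bnet1?\s+view\s+/all", re.I)),                  # net view /all
    ("T1016", re.compile(r"\bipconfig\s+/all", re.I)),                      # ipconfig /all
    ("T1053.005", re.compile(r"\bschtasks(\.exe)?\s+/create", re.I)),       # scheduled task
]
# Assumed parent images the page links to IcedID execution: Office macros, WMI, DLL loading.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "wmiprvse.exe", "rundll32.exe"}
WINDOW = timedelta(minutes=10)  # assumed per-host correlation window
MIN_DISTINCT = 3                # assumed number of distinct techniques that makes a chain
def parse(line):
    # Constructed event format: ISO timestamp|host|parent image|command line
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent.lower(), cmd
def classify(cmd):
    return {tid for tid, rx in PATTERNS if rx.search(cmd)}
def detect(lines):
    # {host: sorted technique ids} when MIN_DISTINCT techniques occur inside WINDOW or a tagged command runs under a suspicious parent
    by_host = defaultdict(list)
    for ts, host, parent, cmd in map(parse, lines):
        tids = classify(cmd)
        if tids:
            by_host[host].append((ts, parent, tids))
    alerts = defaultdict(set)
    for host, evts in by_host.items():
        evts.sort(key=lambda e: e[0])
        for i, (t0, parent, tids) in enumerate(evts):
            seen = set(tids)
            for t1, _, later in evts[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                seen |= later
            if len(seen) >= MIN_DISTINCT or parent in SUSPICIOUS_PARENTS:
                alerts[host] |= seen
    return {h: sorted(s) for h, s in alerts.items()}
# Constructed sample: WS01 runs this page's discovery chain under Word; WS02 runs isolated admin commands.
SAMPLE_LOG = [
    "2024-05-01T09:00:05|WS01|winword.exe|cmd.exe /c chcp >&2",
    r"2024-05-01T09:00:40|WS01|cmd.exe|WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List",
    "2024-05-01T09:02:10|WS01|cmd.exe|net view /all",
    "2024-05-01T09:03:30|WS01|cmd.exe|ipconfig /all",
    "2024-05-01T14:10:00|WS02|explorer.exe|ipconfig /all",
    r"2024-05-02T08:00:00|WS02|svchost.exe|schtasks /create /tn Backup /tr C:\backup.exe /sc daily",
]
```

`detect(SAMPLE_LOG)` flags only WS01; the lone `ipconfig /all` and the scheduled-task creation on WS02 stay below the threshold, which is the false-positive behaviour the Detection direction bullets ask for around legitimate administration.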
Groups, software, and campaigns
G0127: TA551
G1038: TA578
C0037: Water Curupira Pikabot Distribution
Pikabot was distributed in Water Curupira Pikabot Distribution throughout 2023 by an entity linked to BlackBasta ransomware deployment via email attachments. This activity followed the take-down of QakBot, with several technical overlaps and similarities with QakBot, indicating a possible connection. The identified activity led to the deployment of tools such as Cobalt Strike, while coinciding with campaigns delivering DarkGate and IcedID en route to ransomware deployment.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 362532594b1e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] IBM IcedID November 2017: Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
[2] Juniper IcedID June 2020: Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
[3] mitre-attack S0483
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.