The IceXLoader malware has evolved and is striking via a phishing email, dropping the malware payload capable of advanced, evasive, and persistent system presence to exfiltrate data. This text shares IceXLoader’s history, how IceXLoader works, new features, IceXLoader attack pattern, how the IceXLoader malware can harm organizations, and what organizations need to do to stay protected.

The IceXLoader malware is back with new capabilities and a multi-chained approach and infects home and corporate systems worldwide. The latest version, 3.3.3, is an advanced malware with unique features and attracts many threat actors. With the phishing campaign for the deployment of the IceXLoader malware spreading like fire and underground cybercriminal forums applauding the malware, here is everything you need to know about the IceXLoader malware.


IceXLoader Discovery in June

Security researchers at FortiGuard Labs of Fortinet encountered the malware in June 2022, which was then dubbed as IceXLoader and was significantly promoted in cybercriminal forums. The latest version of the malware was written in Nim and was a part of the ICE_X project, known as its v3.0. The malware loader downloaded and executed payloads on victim machines and was a part of a wide variety of malware and malicious service available on the threat actor’s website.

The threat actor behind the IceXLoader malware boasted 14 years of experience and was a team of 4 members with 200 clients at the time and provided services for hacking, crypting, and development of malware. IceXLoader generated standalone executables that were hard-coded into files that were distributed to victims worldwide. With persistence, advanced evasive maneuvers, and a C2 (Command and Control) server, the threat actors could exfiltrate information and cause all kinds of harm with IceXLoader.


How Does IceXLoader work?

The latest version of the IceXLoader was analyzed at Minerva labs, and it was identified that it follows a multi-chained approach to attack the victim systems.

  1. Phishing: The initial delivery of the malicious file utilized phishing emails. The emails could be targeted or not, but they contain ZIP files holding the initial extractor that begins the malware campaign.
  2. First Stage Dropper: The victim receives the ZIP file containing the first-stage extractor, which contains all the executables for the following stages and settings for the resources. The extractor creates a temporary folder under the user’s directory, drops stage II files, and creates a new registry key. The  registry key is set to “rundll32.exe C:\Windows\system32\advpack.dll, DelNodeRunDLL32 “C:\Users\username\AppData\Local\Temp\IXP000.TMP\” so it deletes the temporary folder at the restart.
  3. Malware Downloader: The extractor drops the stage II file, i.e., the “STOREM~2.EXE” file, which is a .NET download that utilizes a hardcoded URL (Uniform Resource Locator) to download a PNG file. The download stream is a byte array loaded into a new threat which invokes another method hardcoded by the threat actors.
  4. IceXLoader Dropper: The malicious download is converted into an obfuscated DLL (Dynamic Link Library) file, which is the payload in disguise. The file decrypts the IceXLoader and ensures that it is not executed in Microsoft Defender’s emulator. The file delays execution for 35 seconds using encrypted commands to check if the file is being run in a sandbox and then injects the IceXLoader malware into a new process utilizing process hollowing.



IceXLoader v3.3.3 Features

The latest version of the IceXLoader malware is also written in Nim. The malware is adept at collecting various information from the victim’s system and sending it to the threat actor’s C2 server. The information exfiltrated includes:

  • Nickname
  • IP (Internet Protocol) Address
  • UUID (Universally Unique Identifier)
  • Username and Machine Name
  • Windows OS version
  • Security Products Installed
  • Presence of .NET Framework
  • IceXLoader Version
  • RAM, CPU, and GPU information
  • Timestamp


Attack Pattern of the IceXLoader Malware

The malware creates copies into two directories when executed for the first time. The malware also creates a registry key under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named “Opus” and sets it to “C:\Users\<username>\AppData\Roaming\Opus.exe”, with both these efforts made for persistence in the system. The directories are:

  • C:\Users\username\AppData\Roaming\Opus.exe
  • C:\Users\ username \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Opus.exe

The malware loader executes commands with delayed executions, so the current files are deleted and bypass AMSI (Antimalware Scan Interface) by patching the memory’s AmsiScanBuffer API (Application Programming Interface). IceXLoader also bypasses Windows Defender’s real-time scanning by executing a .bat file and prevents further scanning of the malware’s source directory by adding exclusions to Windows Defender.

The malware patches the AMSI as a tactic since the AMSI API is the application that allows programs and applications to patch with an antivirus product. Following these, the malware downloads executables from the C2 server that are saved in the temp folder.

The threat actors can execute various commands on the victim’s machine using the IceXLoader for

  • Execution Halts
  • Collecting and Exfiltrating System Information
  • Displaying Dialogs with Messages
  • Restarting the Malware Loader
  • Sending GET requests to download, open, and run files
  • Load and Execute .NET assemblies
  • Modify the C2 Server’s Interval
  • Update the IceXLoader
  • Clearing all malware copies and halting processes


How can Organizations Protect against IceXLoader?

IceXLoader is an advanced malware with a chained approach, capable of taking over the victim’s system to steal information. If any employee or individual associated with the organization gains entry into a system, the effect would be cascaded, wreaking havoc for the entire organization with threat actors taking over multiple organizational systems to exfiltrate database records and confidential customer and workforce data.



Since the initial delivery of the ZIP file is made via phishing emails, organizations must adopt anti-phishing measures and protect against phishing attacks.


How to Protect Against Phishing?

Phishing tactics keep evolving, but the threat actors cannot forcibly open a malicious link; that choice remains with the individual. As such, it would be best for organizations to focus on the following:

  1.     Workforce Education: The employees, executives, and the C-Suite need to be aware of the phishing threat to identify phishing emails and stop malicious actors in their tracks. Regular phishing exercises and knowledge about the latest phishing campaigns can keep the workforce privy to changing tactics for phishing resilience. The workforce should also be taught basic giveaways for phishing emails, such as impersonation, grammatical errors, unsolicited emails, urgency in approach, and weird-looking links.
  1.     Intelligent Tools: With AI (Artificial Intelligence) and ML (Machine Learning) tools and technologies, recognizing threats and phishing emails have become easier. Intelligent tools can look for anomalies and warning signals in emails by analyzing historical data for phishing protection. Furthermore, these tools keep evolving to keep up with the latest cybercriminal tactics and analyze message content to flag phishing and malicious emails.


Final Words

IceXLoader’s features and its wide suite of exfiltration methods perfectly showcase how threat actors continually develop and improve malicious tools to strike organizations worldwide. With exfiltration, persistence, evasion, and executing procedures, IceXLoader poses a significant threat to the security of systems and organizations.



However, following strict cybersecurity procedures, protecting against phishing emails, and investing in cyber insurance are steps that organizations need to take to protect against this malware threat and the ones coming.