Threat Intelligence Tarot
pentacles · 12
Criminal (Eastern European)
G0099
risk 4/5
The Frozen Account
IcedID / Bokbot
Bokbot · Gold Swathmore
BanksUS financial sectorHealthcareGlobal enterprise
Active since ~2017 · Banking credential theft, Loader-as-a-service for ransomware, Financial fraud
IcedID began as a banking trojan and became something more valuable: a loader. It gets in, establishes persistence, and rents the access to ransomware operators. The Frozen Account does not care what gets delivered - it cares about the delivery. Access-as-a-service at enterprise scale.
Tactics & Techniques
RCN
RDV
INI
EXC
PRS
PRV
EVA
CRD
DSC
LAT
COL
C2
EXF
IMP
T1566.001
Spearphishing Attachment
Initial Access
T1204.002
Malicious File
Execution
T1071.001
Web Protocols
Command and Control
T1105
Ingress Tool Transfer
Command and Control
T1486
Data Encrypted for Impact
Impact
T1068
Exploitation for Privilege Escalation
Privilege Escalation
Notable Operations
  • Banking trojan affecting 100+ financial institutions globally
  • Loader for Quantum, BlackCat, and Conti ransomware
  • US DoJ charges against IcedID operators (2023)
  • Evolved from banking trojan to ransomware delivery platform
Defenses
Reversed: Their Weakness
IcedID's evolution from banking trojan to ransomware loader reflects the maturing criminal ecosystem - operators who built a reliable infection mechanism found more value in the delivery business than the theft business, allowing law enforcement to target them through their ransomware affiliates.

Share this adversary profile

Compare →

swipe to browse

← PreviousThe Invisible SkimmerNext →The Side Door
Related Adversaries
The Specter
Lazarus Group
5 shared TTPs
The Broker
TA505
4 shared TTPs
The Merchant
FIN7
4 shared TTPs
Data sourced from MITRE ATT&CK. For educational purposes.