IconDown (Malware)
⚠️ Overview
IconDown is a downloader trojan first identified by Volexity in October 2020 and attributed to the North Korean state-sponsored threat group TEMP.Hermit. TEMP.Hermit is Mandiant's name for a Lazarus-linked cluster; it is distinct from APT37 (Reaper), a separate North Korean group, and the two names should not be treated as aliases. IconDown is initial-access malware whose job is to fetch and run second-stage remote access tools for espionage and data exfiltration.
🔧 Technical Capabilities
IconDown is primarily delivered through spear-phishing emails carrying malicious HWP (Hangul Word Processor) documents or .LNK shortcut files, and through exploitation of CVE-2020-0674 and CVE-2020-1380, both Internet Explorer scripting-engine memory-corruption bugs that give remote code execution. Once running, it downloads additional payloads from its command-and-control (C2) servers and decrypts them with AES-256; C2 infrastructure is often hosted on compromised WordPress sites or cloud services. Persistence is achieved via a registry Run key (e.g. a value named IconDown under HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or a scheduled task. Evasion techniques include DLL side-loading through legitimate signed Microsoft binaries, embedding payloads in icon (.ICO) files so that signature-based scanners see only an image, and signing with valid code-signing certificates stolen from South Korean software vendors. The malware also performs anti-debugging checks and deletes itself after execution if analysis tools are detected.
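The icon trick above works because an .ICO file is a small container whose structure is fully public, so any bytes the structure does not account for can be carved and decrypted by a loader. The scanner below is an added example, not code from the page or from the malware: it walks the ICONDIR header and ICONDIRENTRY records, reports every byte range that no header, directory entry or referenced image claims, and scores each range's entropy so an analyst can tell encrypted payload from harmless padding. The page does not say where inside the icon IconDown keeps its payload, so the only assumption here is that the payload is not part of a referenced image; the `build_sample_ico` helper and the appended bytes are constructed test data.

```python
"""Locate bytes in a Windows .ICO file that the icon structure does not account for.

Added example, not code from the page or from the malware. The ICO format is
public: a 6-byte ICONDIR header, `count` 16-byte ICONDIRENTRY records, and
then the image blobs each record points at. Anything outside those ranges
(appended after the last image, or a gap between them) is slack that a loader
can read back and decrypt. Where IconDown stores its payload inside the icon
is not stated on the page; this scanner assumes only that the payload is not
part of a referenced image. `build_sample_ico` constructs a test icon.
"""
import math
import struct
import sys
from typing import List, Tuple

ICONDIR = struct.Struct("<HHH")             # reserved (0), type (1 = icon), count
ICONDIRENTRY = struct.Struct("<BBBBHHII")   # w, h, colours, reserved, planes, bpp, bytes, offset


def ico_slack_regions(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) pairs for byte ranges no header, directory entry or image claims."""
    if len(data) < ICONDIR.size:
        raise ValueError("too short to be an ICO")
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO header")
    dir_end = ICONDIR.size + count * ICONDIRENTRY.size
    if dir_end > len(data):
        raise ValueError("directory runs past end of file")
    claimed = [(0, dir_end)]
    for i in range(count):
        *_, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        claimed.append((offset, offset + size))
    claimed.sort()
    slack, cursor = [], 0
    for start, end in claimed:
        if start > cursor:
            slack.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if cursor < len(data):
        slack.append((cursor, len(data) - cursor))
    return slack


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: encrypted or compressed payloads sit near 8.0, zero padding near 0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)


def scan_ico(data: bytes) -> List[dict]:
    """Describe each slack region with its entropy so an analyst can decide what to carve."""
    return [
        {"offset": off, "length": ln, "entropy": round(shannon_entropy(data[off:off + ln]), 3)}
        for off, ln in ico_slack_regions(data)
    ]


def build_sample_ico(extra: bytes = b"") -> bytes:
    """Constructed 1x1 32-bpp icon (BITMAPINFOHEADER + 1 pixel + AND mask); `extra` is appended."""
    bih = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0)  # height doubled: XOR + AND
    image = bih + b"\x00\x00\xff\xff" + b"\x00\x00\x00\x00"
    entry = ICONDIRENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICONDIR.size + ICONDIRENTRY.size)
    return ICONDIR.pack(0, 1, 1) + entry + image + extra


if __name__ == "__main__":
    # With a path argument scan that file; otherwise scan the constructed icon with 256 bytes appended.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ico(bytes(range(256)))
    for region in scan_ico(blob):
        print(region)
```

A clean icon yields no regions; the constructed sample with 256 appended bytes yields one region at offset 70 with entropy 8.0. In triage, a high-entropy trailing region in an icon that a signed binary loads at runtime is the thing to carve and hand to a decryptor, and a region with near-zero entropy is usually just padding.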
📜 History & Notable Incidents
IconDown was first documented in Volexity's October 2020 report on TEMP.Hermit campaigns targeting South Korean defense contractors, shipbuilders, and government agencies. Notable incidents include a 2021 campaign against the Korea Institute of Energy Research and the 2022 compromise of a major South Korean aerospace company, which led to the theft of blueprints and intellectual property. No law enforcement action has been publicly attributed to IconDown specifically.
🔍 Detection Indicators
Known file hashes for IconDown variants are the SHA-256 values listed in Volexity's 2021 advisory (e.g., 2a3b4c5d…). Host-based indicators include creation of a mutex named "IconDownMutex" and files dropped with .ico, .tmp, or .dat extensions in %TEMP%. Network indicators are outbound HTTPS requests to C2 domains whose URLs carry Base64-encoded data in query parameters, sent with the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36". That string is a genuine Chrome 64 User-Agent and is widely spoofed, so on its own it is a weak indicator; it should be combined with the query-parameter pattern. Registry modifications under HKCU\Software\Microsoft\Windows\CurrentVersion\Run are also common.
☠️ Risk & Impact
IconDown itself only downloads; the second-stage tools it installs give attackers full remote access, allowing them to exfiltrate sensitive documents, login credentials, and intellectual property from victims in the defense, energy, and technology sectors of South Korea. Financial losses are estimated in the tens of millions of dollars due to stolen trade secrets and remediation costs, according to a 2022 analysis by the Korea Internet & Security Agency (KISA). The malware has also been linked to cryptocurrency theft from exchanges via later-stage payloads such as AppleJeus.
🛡️ Mitigation
Defenders should filter HWP and .LNK attachments at the mail gateway, apply the Microsoft patches for CVE-2020-0674 and CVE-2020-1380, and enable PowerShell script block logging and AMSI. Endpoint rules for the mutex "IconDownMutex" and for the Run-key persistence entry, plus network rules for outbound HTTPS requests that combine the User-Agent above with Base64-encoded query parameters, aid identification. The relevant MITRE ATT&CK techniques are T1189 (Drive-by Compromise), T1204.002 (User Execution: Malicious File), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1574.002 (Hijack Execution Flow: DLL Side-Loading).
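The network rule called for in the Detection Indicators and Mitigation sections is easy to get wrong in one direction: alerting on the User-Agent alone floods the queue with real old browsers and other malware that borrows the same string. The hunt script below is an added example, not vendor detection content or code from the page: it applies both traits the page lists (the exact User-Agent and Base64-encoded query values) to proxy-log lines and reports a request only when both are present. The one-request-per-line log layout (`timestamp client method url "user-agent"`), the sample lines and the beacon value are all constructed for this example and are not IconDown traffic.

```python
"""Hunt for the IconDown network indicators in a proxy log.

Added example, not vendor detection content or code from the page. It applies
the two network traits the page lists, the exact User-Agent string and
Base64-encoded data in URL query parameters, to one-request-per-line records.
The log layout (`timestamp client method url "user-agent"`) and the sample
lines are constructed for this example. A Chrome 64 User-Agent on its own is
a common spoofed value, so a line is reported only when both traits match.
"""
import base64
import binascii
import re
import shlex
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit

IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36")
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def looks_base64(value: str) -> bool:
    """True for 16+ chars of standard or URL-safe Base64 that decode without error."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value.translate(str.maketrans("-_", "+/")), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def base64_query_params(url: str) -> List[str]:
    """Names of query parameters whose values look Base64-encoded.

    The query is split by hand rather than with parse_qsl, which would turn '+'
    into a space and corrupt standard-alphabet Base64 before it is checked.
    """
    names = []
    for part in urlsplit(url).query.split("&"):
        name, _, raw = part.partition("=")
        if raw and looks_base64(unquote(raw)):
            names.append(name)
    return names


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log record; shlex keeps the quoted User-Agent together."""
    ts, client, method, url, ua = shlex.split(line)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def hunt(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, url, base64 param names) for requests matching both indicators."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        params = base64_query_params(rec["url"])
        if rec["ua"] == IOC_USER_AGENT and params:
            hits.append((rec["client"], rec["url"], params))
    return hits


# Constructed sample log. The beacon value encodes a made-up host/user string.
SAMPLE_BEACON = base64.b64encode(b"host=WS01;user=jdoe").decode()
SAMPLE_LINES = [
    '2020-10-14T08:12:31Z 10.0.0.21 GET https://www.example.com/ '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0.0.0 Safari/537.36"',
    # IOC User-Agent plus a Base64 query value: the pattern the page describes.
    f'2020-10-14T08:12:40Z 10.0.0.15 GET https://blog.example.invalid/wp-content/uploads/index.php?id={SAMPLE_BEACON} '
    f'"{IOC_USER_AGENT}"',
    # IOC User-Agent alone: an old browser fetching a favicon, not enough to alert on.
    f'2020-10-14T08:12:45Z 10.0.0.30 GET https://www.example.com/favicon.ico "{IOC_USER_AGENT}"',
    # Base64 alone: a JWT header in a legitimate app URL, also not enough.
    '2020-10-14T08:13:02Z 10.0.0.21 GET https://app.example.com/api?token=eyJhbGciOiJIUzI1NiJ9 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0.0.0 Safari/537.36"',
]

if __name__ == "__main__":
    for client, url, params in hunt(SAMPLE_LINES):
        print(f"{client} -> {url}  base64 params: {', '.join(params)}")
```

Only the second sample line is reported: the favicon fetch shares the User-Agent and the API call carries a Base64 token, but neither has both traits. For a real deployment, feed the hunt from the proxy's own export format and add the C2 domains from the advisory as a third, higher-confidence condition.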