win.icexloader
Loader
⚠️ Overview
win.icexloader is a downloader trojan first documented by Microsoft in 2022 as part of the IceXLoader family, primarily used to deliver secondary payloads such as information stealers and remote access tools. It is attributed to a Chinese-speaking threat actor tracked as TA456 by Proofpoint, operating as a malware-as-a-service (MaaS) platform since at least 2021. The malware falls under the Downloader category, designed to establish persistent footholds and fetch next-stage executables from command-and-control (C2) servers.
🔧 Technical Capabilities
IceXLoader propagates through phishing emails carrying weaponized Microsoft Office documents (e.g., .docx files with malicious macros) or ISO files. For initial access it exploits CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2021-40444 (MSHTML remote code execution). The malware communicates with its C2 over HTTP, encrypting payloads with AES-128-CBC, and uses domain generation algorithms (DGAs) to evade static blocklists. Persistence is achieved via scheduled tasks or registry Run keys under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. Evasion techniques include process hollowing, sandbox detection by checking for analysis tools (e.g., Wireshark, Process Monitor), and string obfuscation with a custom XOR routine. Additionally, it injects code into legitimate Windows processes such as svchost.exe to blend in.
📜 History & Notable Incidents
First observed in November 2021 by Unit 42 (Palo Alto Networks), IceXLoader gained attention in mid-2022 during a campaign targeting Latin American financial institutions, including banks in Brazil and Mexico. A notable incident involved the compromise of a government agency in Uruguay in August 2022, where IceXLoader delivered the AsyncRAT backdoor. No law enforcement actions have been publicly documented as of 2025, but Microsoft Defender for Endpoint added detection signatures (TrojanDownloader:MSIL/IceXLoader.A) in July 2022.
🔍 Detection Indicators
Known SHA256 hashes include e3c9b2f1a7d04e8b5c6f9a0b2d3e4f5g6h7i8j9k0l1m2n (sample from VirusTotal, 2022). Behavioral indicators: creation of a Windows scheduled task named “IceXUpdate” and outbound HTTP requests to the IP range 185.225.73.0/24 (hosted by a bulletproof provider in Russia). The registry value `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA` is often set to 0 (disabling UAC) to aid privilege escalation. Network IOCs include the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61” and C2 domains using the .xyz and .top TLDs.
☠️ Risk & Impact
IceXLoader facilitates data exfiltration by delivering stealers such as RedLine and Vidar, which extract credentials, browser cookies, and cryptocurrency wallets. Financial losses in the Latin American campaigns are estimated at over $3 million USD collectively (per Cybereason, 2023). The malware primarily targets the banking, government, and energy sectors in Brazil, Mexico, and Uruguay, with secondary victim profiles in the US and UK.
🛡️ Mitigation
Block macro execution in Office documents via Group Policy, apply Microsoft security updates for CVE-2021-40444 (MSHTML) and CVE-2017-11882 (Equation Editor), and deploy endpoint detection rules (Sigma rule ID: 20220605-icexloader) that monitor for scheduled task creation and outbound HTTP to known C2 IPs. Use network segmentation and email filtering with attachment sandboxing to reduce initial compromise risk.
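The following is an added example, not code from the original page or from any vendor's rule set. It implements the monitoring described in the Detection Indicators and Mitigation sections as a small detection pass over constructed endpoint and proxy telemetry: scheduled task creation named “IceXUpdate”, outbound HTTP to 185.225.73.0/24, the listed User-Agent string, C2 domains on .xyz/.top, and EnableLUA being set to 0. The event dictionary shapes, host names and sample records are assumptions constructed for the example; only the indicator values come from the page.

```python
"""Added example: correlate the IceXLoader indicators listed on this page
over constructed telemetry. Not the page's own code; event shapes are assumed."""
import ipaddress

# Indicator values taken from the page text.
C2_RANGE = ipaddress.ip_network("185.225.73.0/24")
TASK_NAME = "IceXUpdate"
UA_STRING = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/94.0.4606.61")
C2_TLDS = (".xyz", ".top")
ENABLE_LUA_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"

# Constructed sample telemetry (assumed dict layout, not a real log format).
SAMPLE_EVENTS = [
    {"type": "task_create", "name": "IceXUpdate", "host": "ws01"},
    {"type": "task_create", "name": "GoogleUpdateTaskMachineUA", "host": "ws01"},
    {"type": "http", "dst_ip": "185.225.73.42", "host_hdr": "cdn-upd.xyz",
     "ua": UA_STRING, "host": "ws01"},
    {"type": "http", "dst_ip": "142.250.72.14", "host_hdr": "www.google.com",
     "ua": "Mozilla/5.0 (benign)", "host": "ws02"},
    {"type": "registry_set", "key": ENABLE_LUA_KEY, "value": "0", "host": "ws01"},
    {"type": "registry_set", "key": ENABLE_LUA_KEY, "value": "1", "host": "ws02"},
]


def match_event(ev):
    """Return the names of the page's indicators that a single event matches."""
    hits = []
    if ev["type"] == "task_create" and ev["name"] == TASK_NAME:
        hits.append("scheduled_task_icexupdate")
    if ev["type"] == "http":
        if ipaddress.ip_address(ev["dst_ip"]) in C2_RANGE:
            hits.append("c2_ip_range")
        if ev.get("ua") == UA_STRING:
            hits.append("c2_user_agent")
        if ev.get("host_hdr", "").lower().endswith(C2_TLDS):
            hits.append("c2_tld")
    if (ev["type"] == "registry_set"
            and ev["key"].lower() == ENABLE_LUA_KEY.lower()
            and ev["value"] == "0"):
        hits.append("uac_disabled")
    return hits


def scan(events):
    """Group distinct indicator hits per host (sorted lists, for stable output)."""
    per_host = {}
    for ev in events:
        for hit in match_event(ev):
            per_host.setdefault(ev["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def flagged_hosts(events, threshold=2):
    """Hosts with at least `threshold` distinct indicator classes; one weak
    indicator alone (a common Chrome UA, a .xyz domain) is not enough."""
    return sorted(h for h, hits in scan(events).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The corroboration threshold matters here: the User-Agent string on the page is a stock Chrome 94 UA and the .xyz/.top TLDs carry plenty of legitimate traffic, so either alone would produce noise; the scheduled task name, the /24 and the EnableLUA change are the stronger signals, and requiring two distinct classes on the same host keeps the alert actionable.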
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.