Icedid

Category: banking_trojan · Aliases: Trojan.IcedID, Banking.BokBot, Win32/IcedID · Sample count (EMBER 2018): 118 · Enrichment: curated_sourced · Updated: 2026-07-02T07:47:42Z

Overview

Executive Summary

IcedID (also known as BokBot) is a highly sophisticated, modular Banking Trojan and Initial Access Broker (IAB) malware. Initially discovered in 2017 targeting financial information via web injection, it has evolved into a formidable initial access vector for ransomware syndicates. Its primary function today is to establish a stealthy foothold within a corporate network, steal domain credentials, and facilitate the deployment of catastrophic secondary payloads like Egregor or REvil ransomware.

Infection Vector and Technical Capabilities

IcedID is typically distributed via high-volume malspam campaigns utilizing malicious Office documents (macros) or heavily obfuscated JavaScript files. It is also frequently dropped as a secondary payload by other prevalent loaders like Emotet or TrickBot. Its technical sophistication rivals state-sponsored tools:

Threat Assessment

An IcedID detection is an enterprise crisis. It is a Tier-1 threat indicating that the organization has been breached by highly capable cybercriminals. If not contained immediately, a full-scale, network-wide ransomware deployment is highly probable within days or hours.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1185 T1055 T1027.003 T1078

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_ICEDID {
    meta:
        description = "Detects Icedid (banking_trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "icedid" ascii wide nocase
        $s2 = "trojan.icedid" ascii wide nocase
        $s3 = "banking.bokbot" ascii wide nocase
        $s4 = "win32/icedid" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Icedid Activity
id: 024ed2a92920088ceff69104f680c98f
status: experimental
description: Detects generic indicators of the icedid malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*icedid*"
            - "*trojan.icedid*"
            - "*banking.bokbot*"
            - "*win32/icedid*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is IcedID?

A modular banking trojan, observed since at least 2017, designed to steal financial information; it can also load further malware.

How does IcedID relate to Emotet?

MITRE documents that IcedID has been downloaded by Emotet in multiple campaigns, so the two were often seen together.

Is IcedID associated with ransomware?

Yes; as a banking trojan and loader it has been used as an initial-access stage that can precede ransomware deployment.

What is another name for IcedID?

It is also tracked as BokBot.

How does IcedID spread?

Mainly through phishing emails and as a payload dropped by other malware such as Emotet.

How can organizations defend against IcedID?

Block phishing, restrict macros, monitor for credential theft and lateral movement, and keep tested offline backups in case it leads to ransomware.

Where is the authoritative reference?

MITRE ATT&CK's IcedID entry (S0483), linked on this page.

Related Families (Category: banking_trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/icedid.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.