article featured image


A new phishing campaign responsible for dropping a new version of the IceXLoader malware has been found. The ongoing campaign is affecting thousands of home and corporate users.

Version 3.3.3 of IceXLoader, a malware loader that was first discovered in the open last summer, has been released by the tool’s creators, who have also added a multi-stage delivery chain and improved functionality.

When first discovered in June 2022 by Fortinet, the malware was in version 3.0 and was missing key features. The current version seems to be a departure from the project’s beta development stage. Any breakthrough of this kind is noteworthy and can cause a dramatic increase in the deployment of the malware loader, which has been vigorously marketed in the cybercrime underground.

How the Malware Spreads

The infection with the IceXLoader begins with the arrival of a ZIP file through phishing emails, containing the first-stage extractor.

The extractor dumps the next-stage executable, “STOREM~2.exe,” into a new hidden folder (.tmp) under “C:\Users\<username>AppData\Local\Temp.”

After the executable stage has been completed, depending on the settings selected by the malware’s operator, the infected system may be rebooted, and a new registry key will be added to delete the temp folder when the computer restarts.

The downloaded file is converted into an obfuscated DLL file, which is the IceXLoader payload, by the dropped executable downloader, which also fetches a PNG file from a hardcoded URL.

After it decrypts the payload, the dropper performs a check to ensure that it’s not running inside an emulator and waits a few seconds before executing the malware loader.

After all the steps have been completed, IceXLoader is injected into the STOREM~2.exe process using process hollowing.

New and Improved Malware

According to BleepingComputer, upon initial launch, IceXLoader 3.3.3 copies itself into two directories with the operator’s nicknames and then gathers and exfiltrates the following host data to the C2:

  • IP address
  • UUID
  • Username and machine name
  • Windows OS version
  • Installed security products
  • Presence of .NET Framework v2.0 and/or v4.0
  • Hardware information
  • Timestamp

The malware uses a method of in-memory patching in AMSI.DLL to bypass Microsoft Defender and other security products.

In comparison to the previous version discovered this summer, the IceXLoader malware supports new features including:

  • Execution Stoppage
  • System info collection and exfiltration to C2
  • Dialog box displaying a specified message
  • It can restart
  • Sending GET request to download a file and open it with “cmd/ C”
  • Sending GET request to download an executable to run it from memory
  • Loading and executing a .NET assembly
  • It can change the C2 server beaconing interval
  • It can update itself
  • Has the ability to remove all copies from the disk and stop running

As hinted by BleepingComputer, the threat actors behind the malware don’t have an interest in securing the stolen data. The SQLite database that holds the stolen information is accessible in the C2 address and it contains records corresponding to thousands of victims.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.