IcedID Malware Evolves into Ransomware Facilitator, Expanding Threat with Updated BackConnect Module

The IcedID malware [1] [2] [3] [4] [5], also known as BokBot [1] [2] [5], has undergone significant changes, transitioning from a banking trojan to a facilitator for other malicious payloads. This evolution has resulted in a shift towards prioritizing ransomware delivery over online banking fraud.


Recent versions of IcedID have seen updates to its BackConnect module, which handles post-compromise activity on infected systems [1] [2] [3] [4] [5]. Notably, the threat actors behind IcedID have moved BackConnect traffic from TCP port 8080 to TCP port 443, the standard HTTPS port, where it is harder to distinguish from legitimate traffic and therefore more challenging to detect.

Team Cymru’s findings indicate a rise in the number of BackConnect command-and-control servers [1] [2] [5], increasing from 11 to 34 since January 23, 2023 [4]. At the same time, average server uptime has dropped sharply, from 28 days to just eight days. This suggests that the same IcedID operator or affiliate may be targeting multiple victims simultaneously [2] [3] [4].

Furthermore, certain IcedID victims are being used as proxies in spamming operations [1] [3] [4] [5], abusing the SOCKS capabilities of the BackConnect module. This not only exposes the victims to data compromise and financial loss but also helps spread further IcedID campaigns [3].

It is worth noting that the IcedID forks that emerged in February 2023, which lacked the banking fraud and BackConnect modules [1] [2] [4], have not been observed recently. This suggests that these forks may have been short-lived experiments.


The evolution of IcedID into a ransomware facilitator highlights the increasing sophistication of malware threats. The shift to TCP port 443 for BackConnect traffic poses challenges for detection and mitigation efforts. The rise in command-and-control servers, coupled with reduced server uptime, indicates a more aggressive and widespread targeting of victims.

The utilization of IcedID victims as proxies in spamming operations further exacerbates the impact, leading to compromised data and financial losses [3]. It is crucial for organizations to remain vigilant and implement robust security measures to protect against IcedID and similar malware campaigns.

The disappearance of the IcedID forks without the banking fraud and BackConnect modules underscores the need for continuous monitoring and analysis of emerging malware variants. This aids in understanding their capabilities and the threats they pose, and in developing effective countermeasures to mitigate their impact.