IcedID / BokBot
What is IcedID / BokBot?
A modular banking trojan and loader first seen in 2017 that became a primary precursor to ransomware deployments by groups like Conti and Quantum.
IcedID, also known as BokBot, first appeared in 2017 targeting banking and e-commerce customers in North America and Europe. Distributed mainly through malicious ISO, IMG and OneNote attachments, password-protected archives and SEO-poisoned ads, it provides backdoor access, browser web injects, and VNC and SOCKS proxy modules. Over time it shifted toward operating as a loader for hands-on-keyboard intrusions, dropping Cobalt Strike, the Atera RMM agent and ransomware such as Quantum, Conti and Dagon Locker. Microsoft and Proofpoint track it as an evolving toolkit used by multiple affiliate clusters. Defenders rely on AppLocker, Mark-of-the-Web (MOTW), restricted ISO mounting and email file-type policies to slow distribution.
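The email file-type policy mentioned above, as an added example that is not from the page or from any vendor product: a Python check that blocks the ISO, IMG and OneNote attachments named in the description, archives that advertise password protection (the ZIP encryption flag bit), and archives that wrap one of those containers. Handling only `.zip` archives, the extension list and the sample-building helper are assumptions made for the illustration.

```python
import io
import zipfile
from typing import Tuple

# Containers the description names as IcedID delivery vectors (disc images and
# OneNote notebooks); archive types we look inside are an assumption (.zip only).
BLOCKED_EXTENSIONS = {".iso", ".img", ".one"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    """Lower-cased final extension of a file name, '' when there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def zip_is_encrypted(data: bytes) -> bool:
    """True when any member sets general-purpose flag bit 0, which both
    traditional and AES ZIP encryption use to mark a password-protected entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


def evaluate_attachment(name: str, data: bytes) -> Tuple[str, str]:
    """Return ('block', reason) or ('allow', '') for one mail attachment."""
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"disc image or OneNote attachment: {name}"
    if ext in ARCHIVE_EXTENSIONS:
        if zip_is_encrypted(data):
            return "block", f"password-protected archive: {name}"
        # A ZIP wrapping an ISO/IMG/OneNote file is the same delivery chain one
        # layer deeper; member names are enough, nothing is extracted.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if _ext(member) in BLOCKED_EXTENSIONS:
                    return "block", f"archive {name} contains {member}"
    return "allow", ""


def make_zip_sample(member: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Constructed test input: a one-member STORED ZIP. With encrypted=True the
    encryption flag bit is patched into the local and central headers so the
    archive advertises password protection (the payload itself stays plain)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field offset: 6 in the local header, 8 in the central directory.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)
```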
● Examples
- 01: An IcedID infection from a fake invoice ISO escalates to a Quantum ransomware encryption event within 48 hours.
- 02: A SOC blocks ISO and IMG attachments in mail, sharply reducing IcedID hands-on intrusions in 2023.
● Frequently asked questions
What is IcedID / BokBot?
A modular banking trojan and loader first seen in 2017 that became a primary precursor to ransomware deployments by groups like Conti and Quantum. It belongs to the Malware category of cybersecurity.
What does IcedID / BokBot mean?
A modular banking trojan and loader first seen in 2017 that became a primary precursor to ransomware deployments by groups like Conti and Quantum.
How does IcedID / BokBot work?
IcedID, also known as BokBot, first appeared in 2017 targeting banking and e-commerce customers in North America and Europe. Distributed mainly through malicious ISO, IMG and OneNote attachments, password-protected archives and SEO-poisoned ads, it provides backdoor access, browser web injects, and VNC and SOCKS proxy modules. Over time it shifted toward operating as a loader for hands-on-keyboard intrusions, dropping Cobalt Strike, the Atera RMM agent and ransomware such as Quantum, Conti and Dagon Locker. Microsoft and Proofpoint track it as an evolving toolkit used by multiple affiliate clusters. Defenders rely on AppLocker, Mark-of-the-Web (MOTW), restricted ISO mounting and email file-type policies to slow distribution.
How do you defend against IcedID / BokBot?
Defences for IcedID / BokBot typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for IcedID / BokBot?
Common alternative names include: BokBot.
● Related terms
- Banking Trojan (malware № 084): Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- Loader (malware № 621): Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack.
- Ransomware (malware № 900): Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- Cobalt Strike (defense-ops № 193): A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
- Phishing (attacks № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.