Banking trojan / Loader
IcedID
aka BokBot
A banking trojan turned modular loader that became a major initial-access vector for ransomware after Emotet and TrickBot were disrupted.
IcedID (BokBot) launched in 2017 as a banking trojan and matured into a flexible loader. As Emotet and TrickBot faced disruption, IcedID stepped in as a leading initial-access vector, delivering reconnaissance tools and ultimately ransomware.
Delivery
IcedID campaigns leaned on malspam with ISO/LNK attachments and thread-hijacked emails to bypass macro defenses. Once resident, it profiled the host and pulled additional modules.
Role in intrusions
IcedID frequently preceded Cobalt Strike and hands-on-keyboard ransomware operations, so any detection should be treated as a serious warning. Campaigns are tracked on Cyber Breaches; a loader analysis lives on the Reverse Engineering Hub.
Defense
Block ISO/LNK delivery, monitor for post-exploitation frameworks, and respond to IcedID as pre-ransomware activity.
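The first of these measures, as an added example that is not tooling from the profile: a mail-gateway policy check in Python that parses a message and reports ISO/LNK attachments, including one nested inside a ZIP archive (the ZIP wrapper is an assumption; the profile only names ISO/LNK attachments). The sample message is constructed inline.

```python
"""Attachment policy check for the ISO/LNK delivery chain described above."""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Container and shortcut types the profile names as IcedID delivery vehicles.
BLOCKED_EXTENSIONS = {".iso", ".lnk"}
# Archives are opened one level deep so a blocked type inside them is still
# caught (assumed wrapper; not something the profile states).
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _names_in_zip(data: bytes) -> list[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []  # corrupt or not really a ZIP: nothing to inspect


def blocked_attachments(raw: bytes) -> list[str]:
    """Return attachment names violating the policy; nested ones as 'outer.zip/inner.iso'."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body text or multipart container, not an attachment
        if _ext(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
        elif _ext(name) in ARCHIVE_EXTENSIONS:
            for inner in _names_in_zip(part.get_payload(decode=True) or b""):
                if _ext(inner) in BLOCKED_EXTENSIONS:
                    hits.append(f"{name}/{inner}")
    return hits


def build_sample() -> bytes:
    """Constructed reply-style lure: invoice.zip wrapping invoice.iso, plus a bare .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.iso", b"placeholder bytes, not a real image")
    msg = EmailMessage()
    msg["Subject"] = "Re: invoice"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="report.pdf.lnk")
    return msg.as_bytes()
```

Running `blocked_attachments(build_sample())` reports both the nested ISO and the double-extension LNK; a message with no attachments yields an empty list.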