IcedID Macro Ends in Nokoyawa Ransomware
ID: 09b4e25e-b456-544d-93ad-7a1fd6f73908
STIX ID: report--09b4e25e-b456-544d-93ad-7a1fd6f73908
Feed Name: The DFIR Report
This report documents an October 2022 intrusion targeting Italian organizations that began with an Excel maldoc containing VBA macros which dropped an IcedID DLL; the actor used renamed system utilities, scheduled tasks for persistence, and IcedID’s VNC module to enable interactive access. Within hours they deployed Cobalt Strike beacons (PowerShell and DLLs), performed privilege escalation and LSASS credential dumping, conducted broad Active Directory discovery with AdFind/AdGet, and laterally moved via WMI, WinRM, SMB/ADMIN$, PsExec and RDP. After ~148 hours the actors staged and executed a Nokoyawa ransomware strain via PsExec/WMI across domain hosts (ransom quoted ~$200k, not paid); the report provides extensive IoCs (domains, IPs, filenames, hashes), Cobalt Strike configurations, and recommended detection artefacts.
