From IcedID to Dagon Locker Ransomware in 29 Days

ID: 29cd3782-7a78-55b1-b461-b67d08d5d8f6

STIX ID: report--29cd3782-7a78-55b1-b461-b67d08d5d8f6

Feed Name: The DFIR Report

Threat Score
80/100

Date Published: 2024-04-29

Date Updated: 2026-04-19

Author: editor

...
...

In August 2023 an intrusion began via a PrometheusTDS phishing campaign delivering IcedID. IcedID established persistence, then downloaded and executed Cobalt Strike beacons, which were used for extensive discovery and lateral movement (SMB, WMIC, AdFind, Sharefinder) and for data exfiltration (Rclone and a custom AWSCollector uploading to S3). After roughly 29 days the actors deployed Dagon Locker ransomware across the domain. The report includes detailed IoCs, memory and file artifacts, YARA and Sigma detection rules, and analysis of the attacker tooling and procedures.