IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment
ID: 8262eba4-c46a-5753-acfe-bd857edbbaf4
STIX ID: report--8262eba4-c46a-5753-acfe-bd857edbbaf4
Feed Name: The DFIR Report
In October 2023 a spam campaign delivered a forked IcedID loader via a malicious ZIP/VBS, which established persistence and downloaded additional IcedID stages. The intruder then installed ScreenConnect (renamed) and used Impacket/wmiexec and RDP to move laterally, deployed Cobalt Strike beacons and the CSharp Streamer RAT to harvest credentials (LSASS access and DCSync), staged and exfiltrated sensitive data using a custom tool and Rclone, and after approximately eight days executed ALPHV ransomware across domain-joined Windows hosts. The report accompanies this timeline with detailed IOCs, malware hashes, network addresses, and detection guidance.
