IcedID GZIPLOADER Analysis
ID: 4af89350-dbe2-5153-8276-9d21ac64dd3c
STIX ID: report--4af89350-dbe2-5153-8276-9d21ac64dd3c
Feed Name: Binary Defense Blog
Binary Defense analyzes a new IcedID variant, delivered by Qakbot's TR malspam affiliate, that replaces the earlier photoloader first stage with a novel 'gziploader' and uses updated encryption to hide its configuration and embedded strings. The report reverse-engineers the loader and the main bot, documents the payload layout and in-memory loading, describes post-infection behaviors (credential and cookie theft, browser hooking, DLL injection, Exec/ExecAdmin behavior, and Cobalt Strike staging), provides detection opportunities and IOCs (files, commands, domains, IPs), and releases a decryption tool to assist defenders.
