The PolySwarm Blog


IcedID and Zimbra Exploits Target Ukrainian Government Entities

Apr 22, 2022 1:38:37 PM / by PolySwarm Tech Team

CERT-UA recently released an advisory on IcedID, a modular banking trojan being dropped via a social engineering campaign targeting Ukrainian government entities, and on related Zimbra exploits.

What is IcedID?

IcedID, also known as BokBot, is a modular banking trojan supporting a full-fledged stealer and next stage implants, such as ransomware and Cobalt Strike beacons. According to CERT-UA, a threat actor group dubbed UAC-0098 is engaging in social engineering campaigns delivering IcedID and leveraging Zimbra exploits. The threat actors are sending phishing emails containing a malicious Microsoft Excel document that uses macros to deploy IcedID. The file used in the phishing email is named Мобілізаційний реєстр.xls or Mobilization Register.xls.

Figure 1 A screenshot showing elements of the malicious Microsoft Excel file. Credit CERT-UA

CERT-UA also reported a second set of intrusions perpetrated by another threat actor group, UAC-0097. In this campaign, the phishing emails included a number of image attachments with a Content-Location header pointing to a remote server. The server hosted a piece of JavaScript code that activated an exploit leveraging CVE-2018-6882, a Zimbra cross-site scripting vulnerability. In the final stage of the attack, the JavaScript is used to forward the victim's emails to a threat-actor-controlled email address for espionage purposes.
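A defender-side check for the delivery pattern described above, as an added example that is not part of the CERT-UA advisory or PolySwarm's tooling: it walks the MIME parts of a message and flags any part whose Content-Location header points at an outside host (absolute or protocol-relative), which is what makes a mail client fetch content from the threat actor's server. The sample message is constructed for the example and uses reserved `.invalid` hostnames.

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real campaign artifact). The first image
# part carries a remote Content-Location, the second a harmless relative one.
SAMPLE_EML = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: image/png; name="logo.png"
Content-Location: http://remote.example.invalid/logo.png
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1
Content-Type: image/gif; name="pixel.gif"
Content-Location: pixel.gif
Content-Transfer-Encoding: base64

R0lGODlh
--b1--
"""


def remote_content_locations(raw):
    """Return (content-type, Content-Location, host) for every MIME part whose
    Content-Location names a remote host. A relative value such as a bare
    filename resolves within the message itself and is not reported."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        loc = part.get("Content-Location")
        if not loc:
            continue
        loc = str(loc).strip()
        parsed = urlparse(loc)
        # Any netloc means the reference leaves the message: http://, https://
        # or a protocol-relative //host/path all trigger an outbound fetch.
        if parsed.netloc:
            hits.append((part.get_content_type(), loc, parsed.netloc))
    return hits


if __name__ == "__main__":
    for ctype, loc, host in remote_content_locations(SAMPLE_EML):
        print(f"remote Content-Location in {ctype} part -> {host}: {loc}")
```

Run against a mailbox export, the same function gives a quick triage list of messages whose attachments reach out to external hosts, which is worth correlating with proxy or DNS logs.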


PolySwarm has multiple samples associated with IcedID.

You can use the following CLI command to search for all IcedID samples in our portal:

$ polyswarm link list -f IcedID


Topics: Ukraine, Threat Bulletin, Infostealer, IcedID, BokBot, UAC-0098, UAC-0097, Zimbra
