win.photofork


PHOTOFORK is a downloader and a modified version of GZIPLOADER. It was first detected in February 2023 and was distributed by TA581 along with an unattributed threat activity cluster that facilitated initial access. In this version, the configuration file is no longer encrypted using a simple XOR algorithm with a 64-byte key. Instead, it uses a custom algorithm previously used by the Standard core loader. This algorithm decrypts the DLL strings that are needed later to resolve handles to the necessary DLLs. The strings are decrypted by splitting the data into DWORDs and XORing them against a random key. The main objective of PHOTOFORK remains the same as that of GZIPLOADER: to deliver an encrypted bot and a (forked) core DLL loader that loads the Forked ICEDID bot into memory using a custom PE format.

2023-03-27 ⋅ Proofpoint ⋅ Pim Trouerbach, Kelsey Merriman, Joe Wise
Fork in the Ice: The New Era of IcedID (retrieved 2023-08-11)

There is no YARA signature yet.