CrowdStrike has detailed a new post-exploitation framework that could be the work of a state-sponsored threat actor, one likely linked to China.
Dubbed IceApple and targeting Microsoft Exchange servers, the framework is an in-memory-only tool designed to evade detection and provide long-time access to the compromised environments. The framework can also run on Internet Information Services (IIS) web server software.
CrowdStrike’s researchers have been tracking IceApple since late 2021, with the observed attacks spanning across the technology, academic and government sectors in multiple geographies. The observed activity, they say, aligns with China’s information gathering interests.
IceApple, the researchers note, is a highly sophisticated IIS post-exploitation framework focused on increasing an adversary’s visibility of the target environment, without offering exploitation or lateral movement capabilities.
[ READ: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor ]
To date, the researchers have identified 18 different IceApple modules that offer various types of functionality, and also observed that the framework is under active development and that the modules are constantly updated.
The modules support directory listing, writing to files, file and directory deletion, retrieval of network adapter configuration details, making HTTP requests, retrieving IIS server variables, credential dumping, Active Directory query execution, file exfiltration, and OWA credential capturing.
“Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software. One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers,” the researchers note.
CrowdStrike observed that in some cases, shortly after initial environment compromise, IceApple was deployed on multiple hosts for reconnaissance, credential harvesting, and data exfiltration purposes.
The researchers also observed the attackers returning daily to the compromised environments to continue their activities. As part of the identified long-running operations, the adversary would return every 10 to 14 days, using IceApple for credential harvesting and reconnaissance.
Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report
Related: Sophisticated Threat Actor Targets Governments, Defense Industry in Western Asia
Related: 17 Malware Frameworks Target Air-Gapped Systems for Espionage

More from Ionut Arghire
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- 820k Impacted by Data Breach at Zacks Investment Research
- US Government Agencies Warn of Malicious Use of Remote Management Software
- Chinese Hackers Adopting Open Source ‘SparkRAT’ Tool
- CISA Provides Resources for Securing K-12 Education System
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
