Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

‘IceApple’ Post-Exploitation Framework Created for Long-Running Operations

CrowdStrike has detailed a new post-exploitation framework that could be the work of a state-sponsored threat actor, one likely linked to China.

CrowdStrike has detailed a new post-exploitation framework that could be the work of a state-sponsored threat actor, one likely linked to China.

Dubbed IceApple and targeting Microsoft Exchange servers, the framework is an in-memory-only tool designed to evade detection and provide long-time access to the compromised environments. The framework can also run on Internet Information Services (IIS) web server software.

CrowdStrike’s researchers have been tracking IceApple since late 2021, with the observed attacks spanning across the technology, academic and government sectors in multiple geographies. The observed activity, they say, aligns with China’s information gathering interests.

IceApple, the researchers note, is a highly sophisticated IIS post-exploitation framework focused on increasing an adversary’s visibility of the target environment, without offering exploitation or lateral movement capabilities.

[ READ: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor ]

To date, the researchers have identified 18 different IceApple modules that offer various types of functionality, and also observed that the framework is under active development and that the modules are constantly updated.

The modules support directory listing, writing to files, file and directory deletion, retrieval of network adapter configuration details, making HTTP requests, retrieving IIS server variables, credential dumping, Active Directory query execution, file exfiltration, and OWA credential capturing.

“Detailed analysis of the modules suggests that IceApple has been developed by an adversary with deep knowledge of the inner workings of IIS software. One of the modules was even found to be leveraging undocumented fields that are not intended to be used by third-party developers,” the researchers note.

CrowdStrike observed that in some cases, shortly after initial environment compromise, IceApple was deployed on multiple hosts for reconnaissance, credential harvesting, and data exfiltration purposes.

The researchers also observed the attackers returning daily to the compromised environments to continue their activities. As part of the identified long-running operations, the adversary would return every 10 to 14 days, using IceApple for credential harvesting and reconnaissance.

Related: China-Linked Winnti APT Group Silently Stole Trade Secrets for Years: Report

Related: Sophisticated Threat Actor Targets Governments, Defense Industry in Western Asia

Related: 17 Malware Frameworks Target Air-Gapped Systems for Espionage

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.