Skip to main content
IcedID Botnet to Dagon Locker Ransomware operation cover
COMING SOONIntermediatePRO

IcedID Botnet to Dagon Locker Ransomware

A banking-trojan infection that smouldered for twenty-nine days before erupting into domain-wide Dagon Locker ransomware. A fake document portal served a JScript dropper that installed IcedID; weeks later the operator handed off to a Cobalt Strike beacon over a separate channel, pushed it across the estate through a Group Policy scheduled task, ran AdFind discovery, dumped domain credentials by replicating the directory (DCSync), moved over SMB administrative shares, exfiltrated to AWS S3 with Rclone, and deployed the encryptor while deleting shadow copies. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.

1h
10 tasks
50 points
Pro

Launches in 5 days

Jul 21, 2026

Tuesday, July 21, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMXDRFirewall

What you'll investigate

10 objectives unlock when this operation goes live.

1Incident brief
2Recover the banking-trojan payload
3Separate the interactive channel from the botnet
4Classify the estate-wide beacon distribution
5Classify the domain credential theft
6Recover the harvested administrator
7Trace the exfiltration
8Classify the exfiltration channel
9Recover the encryptor indicator
10Classify the recovery sabotage

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.

Get Started Free