
IcedID Botnet to Dagon Locker Ransomware
A banking-trojan infection that smouldered for twenty-nine days before erupting into domain-wide Dagon Locker ransomware. A fake document portal served a JScript dropper that installed IcedID; weeks later the operator handed off to a Cobalt Strike beacon over a separate channel, pushed it across the estate through a Group Policy scheduled task, ran AdFind discovery, dumped domain credentials by replicating the directory (DCSync), moved over SMB administrative shares, exfiltrated to AWS S3 with Rclone, and deployed the encryptor while deleting shadow copies. Reconstruct the full kill chain from SIEM, endpoint XDR, and perimeter firewall telemetry, and classify the key ATT&CK techniques.
Launches in 5 days
Tuesday, July 21, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
10 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 21, 2026, you can jump straight in.
Get Started Free