White Paper
ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK
CrowdStrike’s white paper introduces IceApple, a sophisticated post-exploitation framework targeting Microsoft IIS servers. Discovered by the Falcon OverWatch™ team in late 2021, IceApple operates entirely in memory to evade detection and is believed to support state-sponsored intelligence collection, likely linked to China. With at least 18 identified modules, the framework is actively evolving. The paper details IceApple’s capabilities and its use in real-world intrusions, and offers mitigation strategies. CrowdStrike Falcon detects known modules, and OverWatch continues to hunt for new variants.