BleepingComputer reports that IcedID malware operators varied both their infection pathways and their command-and-control (C2) server IPs across several phishing campaigns last month.
IcedID malware was delivered using five different delivery methods from September 13 to 21, three of which involved password-protected ZIPs, in campaigns using either English or Italian lures, with the Italian ones being more successful, according to a Cymru report. The ISO-LNK chain proved most successful for the attackers, followed by PrivateLoader campaigns, while CHM files yielded the least success. The report also showed that IcedID operators began reusing IP addresses and domains for their C2 servers in mid-September before returning to unique IPs per campaign by the end of the month. Moreover, the lifespan of IcedID C2 IP addresses has shortened, which researchers attributed to sloppy provisioning on the part of IcedID operators.
Several adware, malware, and phishing apps masquerading as system optimizers and utilities have been downloaded more than two million times cumulatively from the Google Play Store, reports BleepingComputer.