Proofpoint analysts uncovered variants of the IcedID banking Trojan—Lite, and Forked—that focus on additional payload and bot delivery, respectively. According to experts, the initial developers of Emotet and IcedID operators have worked together on the Lite version. Meanwhile, the new threat group TA581 was observed using the Forked version. All in all, at least three threat actors exploited the new variants of IcedID.