The CrowdStrike Falcon® OverWatch™ team has discovered a sophisticated post-exploitation framework named IceApple. It is primarily used for intelligence collection in long-term campaigns and has been observed in various sectors, including technology, academia, and government. This .NET-based framework, capable of running under Internet Information Services (IIS) web applications, employs 18 distinct modules for tasks such as discovery, credential harvesting, and data exfiltration. Notably, IceApple prioritizes maintaining a low forensic footprint and uses in-memory-only techniques to evade detection. While the intrusions align with China-nexus, state-sponsored activity, CrowdStrike has not yet attributed IceApple to a specific threat actor.

OverWatch discovered IceApple through the team's expertise in identifying anomalies and its proactive threat-hunting efforts, which include developing detections for reflective .NET assembly loads. These efforts underscore the importance of agile defense mechanisms in countering evolving cyber threats.