{
	"id": "e5734756-b9c6-406c-8bc7-04597d4fb0d1",
	"created_at": "2026-04-06T00:08:43.078663Z",
	"updated_at": "2026-04-10T03:23:51.729153Z",
	"deleted_at": null,
	"sha1_hash": "2147721c502c195bd95e8b0a4759ffbfddf89773",
	"title": "VB2020: Anchor, Bazar, and the Trickbot Connection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56662,
	"plain_text": "VB2020: Anchor, Bazar, and the Trickbot Connection\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 22:25:17 UTC\r\nVB2020, the annual Virus Bulletin international conference “featuring the latest and best research on malware, malicious actors and threat intelligence,” has gone virtual this year and will be live-streamed 30 Sept - 2 Oct, 2020. The conference is free of charge and offers a wide selection of presentations for on-demand viewing in addition to the live sessions.\r\nCybereason Nocturnus Team members Daniel Frank and Lior Rochberger will be presenting a session titled Anchor, Bazar, and the Trickbot Connection, examining some new developments regarding a familiar threat actor.\r\nThe Session\r\nIn March 2020, a new loader emerged that lures its victims with double-extension executables posing as legitimate PDF and DOC files downloaded from Google Drive. Sound familiar? That’s right, the Trickbot gang is back with a couple of new tricks up its sleeve after dropping the Anchor malware in late 2019.\r\nIn their presentation, the researchers will dive into the Trickbot gang’s arsenal, focusing on the effort invested in developing two of its most recent malware variants, Anchor and Bazar Loader.\r\nFirst, they will go over the Trickbot gang’s timeline from when it rose to prominence in 2016 through to today, briefly reviewing its go-to tools. Next, they will review Anchor and Bazar Loader, presenting their development cycles and just how much the authors invested in advanced obfuscation and evasion techniques. They will show how determined the threat actors were to hinder analysis, improving the anti-analysis aspects of their code from one development cycle to the next.\r\nFinally, they will dive into some of the more interesting similarities among the different malware variants presented, and how these similarities lead to the conclusion that these popular malware variants were all developed by the notorious Trickbot gang.\r\nPresenters\r\nDaniel Frank, Senior Malware Researcher, Cybereason\r\nWith a decade in malware research, Daniel uses his expertise in malware analysis and reverse engineering to understand both APT activity and commodity cybercrime attackers. Daniel has previously shared research at RSA Conference, the Microsoft Digital Crimes Consortium, and Rootcon.\r\nLior Rochberger, Senior Threat Researcher and Threat Hunter, Cybereason\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher on multiple threat and malware blog posts, including those on Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought together the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/vb2020-anchor-bazar-and-the-trickbot-connection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/vb2020-anchor-bazar-and-the-trickbot-connection"
	],
	"report_names": [
		"vb2020-anchor-bazar-and-the-trickbot-connection"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2147721c502c195bd95e8b0a4759ffbfddf89773.pdf",
		"text": "https://archive.orkl.eu/2147721c502c195bd95e8b0a4759ffbfddf89773.txt",
		"img": "https://archive.orkl.eu/2147721c502c195bd95e8b0a4759ffbfddf89773.jpg"
	}
}