{
	"id": "0321f616-70ff-49cb-8cf7-393fc289193e",
	"created_at": "2026-04-06T00:15:08.997777Z",
	"updated_at": "2026-04-10T13:12:14.115899Z",
	"deleted_at": null,
	"sha1_hash": "238ddd535077b49d3d443f0c6e5a263093a25700",
	"title": "New malware TrickBot AnchorDNS backdoor upgrades AnchorMail",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74614,
	"plain_text": "New malware TrickBot AnchorDNS backdoor upgrades AnchorMail\r\nBy Charlotte Hammond, Ole Villadsen\r\nPublished: 2022-02-25 · Archived: 2026-04-05 13:45:39 UTC\r\nIBM Security X-Force researchers have discovered a revamped version of the Trickbot Group’s AnchorDNS backdoor being\r\nused in recent attacks ending with the deployment of Conti ransomware. The Trickbot Group, which X-Force tracks as\r\nITG23, is a cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in\r\n2016 and initially used to facilitate online banking fraud. The group has adapted in recent years to the ransomware economy\r\nby using its Trickbot and Bazarloader payloads to gain a foothold for ransomware attacks and through its close relationship\r\nwith the Conti ransomware-as-a-service (RaaS).\r\nITG23 is also known for developing the Anchor malware framework, including the AnchorDNS variant, in 2018 for use\r\nduring attacks on high-profile targets following initial infection by Trickbot or Bazarbackdoor, an additional backdoor\r\ndeveloped by ITG23. AnchorDNS is notable for communicating with its Command and Control (C2) server using the DNS\r\nprotocol. The upgraded backdoor, identified by IBM Security X-Force researchers as AnchorMail or Delegatz, now uses an\r\nemail-based C2 server which it communicates with using SMTP and IMAP protocols over TLS. With the exception of the\r\noverhauled C2 communication mechanism, AnchorMail’s behavior aligns very closely to that of its AnchorDNS\r\npredecessor.\r\nThe discovery of this new Anchor variant adds a new stealthy backdoor for use during ransomware attacks and highlights\r\nthe group’s commitment to upgrading its malware.\r\nUpon execution, AnchorMail creates a scheduled task for persistence which is set to run every 10 minutes. It then collects\r\nbasic system information, registers with its C2 and enters a loop of checking for and executing received commands. 
The\r\nbackdoor’s command structure is also very similar to that of AnchorDNS and both versions appear to accept the same set of\r\ncommand codes, which provide a variety of different options for executing commands and payloads received from the C2.\r\nThe most notable feature of AnchorMail is its novel C2 communication mechanism. The C2 server appears to utilize mail\r\nserver code, and the backdoor communicates with it through the sending and receiving of specially crafted email messages.\r\nAnchorMail uses the encrypted SMTPS protocol for sending data to the C2, and IMAPS is used for receiving it. In the\r\nanalyzed sample the C2 server address was configured as 15906-28547.bacloud[.]info (213.252.247[.]230), with port 465\r\nused for SMTPS communications, and 993 used for IMAPS.\r\nAnchorMail is written in C++ and has so far only been observed targeting Windows systems. However, as AnchorDNS has\r\nbeen ported to Linux, it seems likely that a Linux-variant of AnchorMail may emerge too.\r\nAnchorMail starts by enumerating the scheduled tasks on the system and searching for one which executes itself. If it does\r\nnot find one then it proceeds to create a new scheduled task for persistence.\r\nIt enumerates folders within the task scheduler library and creates a task within a randomly selected folder, using the folder\r\nname as a prefix for the task description followed by one of the following strings: ‘Task’, ‘Updater’, ‘Backup’, ‘Service’,\r\n‘Maintenance’. For example, it may select the Bluetooth folder and create its task within that folder with description\r\n‘BluetoothTask’. The task is configured to run every day, at 10-minute intervals, and the execution path is set as\r\n\u003cmalware_commandline_path\u003e,dllmain. 
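A check for this persistence pattern, added here as an example (it is not code from the X-Force write-up): it reads a task definition in the XML shape that schtasks /query /xml exports and flags the three traits described above: a task name or description made of the folder name plus one of the five suffixes, a command line carrying the ,dllmain entry point, and a 10-minute repetition. The task names, the DLL path and the rundll32 launch in the samples are constructed; the write-up states only that the command line ends in ,dllmain, not how the DLL is invoked, so the check looks for that suffix anywhere in the command line.

```python
import xml.etree.ElementTree as ET

NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}
SUFFIXES = ('Task', 'Updater', 'Backup', 'Service', 'Maintenance')
BACKSLASH = chr(92)   # task URIs are backslash-separated; chr(92) keeps escapes out of this source

# Constructed task definitions in the shape of schtasks /query /xml output. &#92; is the XML
# character reference for a backslash. The DLL path and the rundll32 launch are hypothetical;
# the write-up only states that the task command line ends in ,dllmain.
SUSPICIOUS_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo>
    <URI>&#92;Bluetooth&#92;BluetoothTask</URI>
    <Description>BluetoothTask</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT10M</Interval><Duration>P1D</Duration></Repetition>
      <StartBoundary>2022-02-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context='Author'>
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>C:&#92;Users&#92;Public&#92;bt.dll,dllmain</Arguments>
    </Exec>
  </Actions>
</Task>'''

# Simplified after the stock Windows DiskCleanup task: a daily task whose description starts
# with a common word but whose action is an ordinary executable.
BENIGN_TASK = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo>
    <URI>&#92;Microsoft&#92;Windows&#92;DiskCleanup&#92;SilentCleanup</URI>
    <Description>Maintenance task used by the system to launch a silent auto disk cleanup.</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-02-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context='Author'>
    <Exec>
      <Command>%windir%&#92;system32&#92;cleanmgr.exe</Command>
      <Arguments>/autoclean /d %systemdrive%</Arguments>
    </Exec>
  </Actions>
</Task>'''


def task_indicators(xml_text):
    # Returns the AnchorMail persistence traits present in one exported task definition.
    root = ET.fromstring(xml_text)
    uri = root.findtext('t:RegistrationInfo/t:URI', '', NS)
    description = root.findtext('t:RegistrationInfo/t:Description', '', NS)
    folder, _, name = uri.rpartition(BACKSLASH)
    folder_base = folder.rpartition(BACKSLASH)[2]
    found = []
    # 1. task name or description is <folder name> + one of the five suffixes
    if folder_base and any(label == folder_base + s for s in SUFFIXES for label in (name, description)):
        found.append('name_is_folder_plus_suffix')
    # 2. an Exec action whose command line contains a ,dllmain export (rundll32 style)
    for action in root.iterfind('.//t:Exec', NS):
        cmdline = action.findtext('t:Command', '', NS) + ' ' + action.findtext('t:Arguments', '', NS)
        if ',dllmain' in cmdline.lower():
            found.append('dllmain_export')
            break
    # 3. a trigger that repeats every 10 minutes
    if any(iv.text == 'PT10M' for iv in root.iterfind('.//t:Repetition/t:Interval', NS)):
        found.append('ten_minute_repetition')
    return found


def is_anchormail_like(xml_text):
    # The ,dllmain launch is the discriminating trait; require one corroborating trait with it.
    found = task_indicators(xml_text)
    return 'dllmain_export' in found and len(found) >= 2


if __name__ == '__main__':
    for label, xml_text in (('suspicious', SUSPICIOUS_TASK), ('benign', BENIGN_TASK)):
        print(label, task_indicators(xml_text), is_anchormail_like(xml_text))
```

On a live host the same logic runs over the output of schtasks /query /xml for every task, or over the task XML files under the Tasks directory; the name check alone is weak (many legitimate tasks are called something plus Task), which is why the function only raises an alert when the ,dllmain command line is present as well.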
Once the scheduled task is created, the malware then exits.\r\nOtherwise, if the malware finds the scheduled task has already been created, then it continues with its main functionality.\r\nOnce persistence has been achieved, AnchorMail proceeds to collect basic system information and register with its C2\r\nserver. The registration process is almost identical to that of AnchorDNS.\r\nAnchorMail first generates a system id with the following format:\r\n\u003chostname\u003e_W\u003cwindows_version\u003e.\u003crandom_guid\u003e\r\nFor example:\r\nDESKTOP-4LUGU5I_W10019041.D9B3AEAB44F8ED2F85EECD3ED81463CA\r\nThe malware also attempts to identify the external IP address of the system by making requests to the following URLs:\r\ncheckip.amazonaws.com\r\nipecho.net/plain\r\nipinfo.io/ip\r\napi.ipify.org\r\nicanhazip.com\r\nmyexternalip.com/raw\r\nwtfismyip.com/text\r\nip.anysrc.net/plain/clientip\r\nThe collected information is then combined with a group id, in this case ‘lackey’, and randomly generated tokens, and\r\nformatted as a type /0/ request as per below:\r\n/\u003cgroup_id\u003e/\u003csystem_id\u003e/0/\u003cos_version\u003e/1001/\u003cexternal_ip\u003e/\u003ctoken_1\u003e/\u003ctoken_2\u003e/\r\nFor example:\r\n/lackey/DESKTOP-4LUGU5I_W10019041.D9B3AEAB44F8ED2F85EECD3ED81463CA/0/Windows_10_x64/1001/0.0.0.0/5E348391753F5C9D25C757E5\r\nThis data is then sent to the C2 and the malware expects to receive a response containing the second token in order to\r\nvalidate that the data was received successfully.\r\nAnchorMail is notable for communicating with its C2 server using SMTP and IMAP protocols over TLS, referred to as\r\nSMTPS and IMAPS respectively. The C2 server appears to utilize mail server code, and the backdoor communicates with it\r\nthrough the sending and receiving of specially crafted email messages. 
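The registration request above, together with the /1/, /5/ and /10/ request formats and the incode response format that the write-up gives further down, as an added worked example (this is not code from the article or from the malware): it builds the system id and the type /0/ string, parses any of the four request types back into named fields, checks the token echo that the backdoor relies on, and validates a command response against the outstanding poll. The host values and tokens are constructed, the token generator is a stand-in (the write-up does not say how the tokens are made), and treating the trailing result and cmd_params fields as free text that may contain slashes is an assumption.

```python
import secrets

# Group id from the analysed sample; every other value below is constructed.
GROUP_ID = 'lackey'

# Request types named in the write-up and the fields that follow the type code.
REQUEST_FIELDS = {
    '0': ('os_version', 'const_1001', 'external_ip', 'token_1', 'token_2'),   # registration
    '1': ('token',),                                                            # command poll
    '5': ('file_name',),                                                        # payload fetch
    '10': ('incode', 'cmdid', 'result'),                                        # command result
}


def make_system_id(hostname, windows_version, guid_hex):
    # <hostname>_W<windows_version>.<random_guid>
    return f'{hostname}_W{windows_version}.{guid_hex.upper()}'


def random_token(nbytes=12):
    # Stand-in for the randomly generated tokens; the write-up does not give their construction.
    return secrets.token_hex(nbytes).upper()


def build_request(group_id, system_id, req_type, *fields):
    # Every request is a slash-delimited string that starts and ends with a slash.
    names = REQUEST_FIELDS.get(req_type)
    if names is None:
        raise ValueError(f'unknown request type {req_type}')
    if len(fields) != len(names):
        raise ValueError(f'type /{req_type}/ expects {len(names)} fields')
    return '/' + '/'.join((group_id, system_id, req_type) + tuple(str(f) for f in fields)) + '/'


def build_registration(group_id, system_id, os_version, external_ip, token_1, token_2):
    # /<group_id>/<system_id>/0/<os_version>/1001/<external_ip>/<token_1>/<token_2>/
    return build_request(group_id, system_id, '0', os_version, '1001', external_ip, token_1, token_2)


def parse_request(request):
    # Inverse of build_request: a dict of named fields, or ValueError for a malformed string.
    if not (request.startswith('/') and request.endswith('/')):
        raise ValueError('request must be enclosed in slashes')
    parts = request[1:-1].split('/')
    if len(parts) < 3:
        raise ValueError('request needs at least group id, system id and type')
    group_id, system_id, req_type = parts[0], parts[1], parts[2]
    names = REQUEST_FIELDS.get(req_type)
    if names is None:
        raise ValueError(f'unknown request type {req_type}')
    values = parts[3:]
    if req_type == '10':
        # assumption: command output may itself contain slashes, so only the first two fields are split off
        values = values[:2] + ['/'.join(values[2:])]
    if len(values) != len(names):
        raise ValueError(f'type /{req_type}/ expects {len(names)} fields, got {len(values)}')
    out = {'group_id': group_id, 'system_id': system_id, 'type': req_type}
    out.update(zip(names, values))
    if req_type == '0' and out['const_1001'] != '1001':
        raise ValueError('registration request must carry the literal 1001')
    return out


def registration_acknowledged(response, token_2):
    # The backdoor treats registration as successful only if the C2 reply echoes token_2.
    return token_2 in response


def parse_command_response(response):
    # <incode>/<group_id>/<system_id>/<token>/<cmdid>/<cmd_params>; cmd_params is kept whole.
    parts = response.split('/', 5)
    if len(parts) != 6:
        raise ValueError('command response needs six fields')
    incode, group_id, system_id, token, cmdid, cmd_params = parts
    if not incode.isdigit():
        raise ValueError('incode must be numeric')
    return {'incode': int(incode), 'group_id': group_id, 'system_id': system_id,
            'token': token, 'cmdid': cmdid, 'cmd_params': cmd_params}


def match_command_response(system_id, token, response):
    # Accept a /1/ reply only if it names this host and the token of the outstanding poll.
    reply = parse_command_response(response)
    if (reply['group_id'], reply['system_id'], reply['token']) != (GROUP_ID, system_id, token):
        raise ValueError('response does not match the outstanding /1/ request')
    return reply['incode'], reply['cmd_params']


if __name__ == '__main__':
    sid = make_system_id('DESKTOP-4LUGU5I', '10019041', 'd9b3aeab44f8ed2f85eecd3ed81463ca')
    t1, t2 = random_token(), random_token()
    reg = build_registration(GROUP_ID, sid, 'Windows_10_x64', '0.0.0.0', t1, t2)
    print(reg)
    print(parse_request(reg))
```

The parser is what a decoder for captured traffic needs once the custom letter encoding and the zip wrapper have been stripped: with the field names in hand, the /10/ result strings give the command output the operator saw, and the /5/ file names identify which payloads were requested.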
AnchorMail uses the encrypted SMTPS protocol for\r\nsending data to the C2, and IMAPS is used for receiving it.\r\nDuring startup, AnchorMail decrypts the server configuration which contains login credentials and server details. In the\r\nanalyzed sample, these were as follows:\r\n{zakr_kurt1@15906-28547.bacloud.info|ohvohNgaeT6Shoche8Ei|15906-28547.bacloud.info|15906-28547.bacloud.info}{z\r\nHowever, a sample in the public domain was also identified with a different configuration:\r\n{zakr_tom@15906-28547.bacloud.info|OaXah2shei6iL0Oohahj|15906-28547.bacloud.info|15906-28547.bacloud.info}{zak\r\nIn the case of the analyzed sample, both the IMAP and SMTP servers are set to 15906-28547.bacloud[.]info.\r\nTo initiate C2 communications, the malware performs a DNS request to retrieve the IP address of the server, which at the\r\ntime of analysis is set to 213.252.247[.]230. It then creates a TLS connection to SMTPS port 465 using the OpenSSL library,\r\nand then logs into the SMTP server using the configured credentials.\r\nAnchorMail then crafts an email message containing the request string and any data to be sent to the C2. The recipient of the\r\nemail is set as the final value from within the configuration, i.e. z1[@]15906-28547.bacloud[.]info.\r\nAnchorMail generates a 16-byte GUID followed by a string such as ‘1-1’, which it encodes using a custom encoding\r\nalgorithm that encodes binary data into a series of lowercase letters, which it intersperses with spaces in order to make it\r\nappear like text. It then sets this encoded string as the email message subject.\r\nThe main request string and any accompanying data are also encoded using the encoding algorithm, then added to a zip file\r\nwith a filename such as ‘1-1.txt’. 
Finally, it is encoded using base64 and added to the email body.\r\nAn additional set of data consisting of another 16-byte value followed by the string ‘GET’ is also encoded and added to the\r\nemail body.\r\nAn example of a constructed email containing a type /0/ request is as follows:\r\nFrom: \u003czakr_kurt1@15906-28547.bacloud.info\u003e\r\nTo: \u003cz1@15906-28547.bacloud.info\u003e\r\nSubject: Toduzu vypuwu asetadj tjwytu ycjsapo epeljhiru sohjsi jpjraze piwoge picuwe etetiwo tokoto wi.\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"4E7E98B61C1C3A56\"\r\n--4E7E98B61C1C3A56\r\nContent-Type: application/octet-stream; name = \"file.zip\"\r\nContent-Transfer-Encoding: base64\r\nUEsDBBQAAAAIAMdjVFTnUv4FRgIAANUDAAAHAAAAMS0xLnR4dB1TQY4bMQw7t0D/oBfkD0XbQ08tFu1hj8JYzsgNYI0tzUT7+tI5BZ7IJEXSn974bC\r\n--4E7E98B61C1C3A56\r\nContent-Type: text/plain; charset=\"us-ascii\"\r\nZdr vfl hdz krp srs rst rdl xts qvf rsz srp fps sp.\r\nTo receive responses from the C2, AnchorMail connects to the C2 server via IMAPS port 993 using TLS. It then logs into\r\nthe IMAP server using the configured credentials and uses the IMAP LIST and STATUS commands to retrieve the status of\r\nthe mailboxes. 
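The message layout shown above, built and then taken apart again, as an added example that is not code from the write-up or from the malware: it constructs a multipart/mixed message with the base64 zip attachment and the text/plain trailer using the standard library, and then does what a triage script (or the backdoor itself, on the IMAP side) has to do with a fetched message: decode the attachment, open the zip in memory and match the message to an outstanding request. Assumptions: the plaintext request string stands in for the custom-encoded data (the article does not describe the letter encoding, so it is left out), C2 replies are taken to use the same layout as requests, and the zip member name (1-1.txt style) is used as the identifier the backdoor matches on.

```python
import email
import io
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-ins. Addresses, subject, boundary and trailer are the values quoted in
# the write-up; the request string is plain text where a real sample carries the custom
# lowercase-letter encoding.
SAMPLE_REQUEST = b'/lackey/DESKTOP-4LUGU5I_W10019041.D9B3AEAB44F8ED2F85EECD3ED81463CA/0/Windows_10_x64/1001/0.0.0.0/T1/T2/'
SAMPLE_SUBJECT = 'Toduzu vypuwu asetadj tjwytu ycjsapo epeljhiru sohjsi jpjraze piwoge picuwe etetiwo tokoto wi.'
SAMPLE_TRAILER = 'Zdr vfl hdz krp srs rst rdl xts qvf rsz srp fps sp.'


def make_zip(member_name, data):
    # In-memory zip holding one member, as the backdoor does with its 1-1.txt style file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_anchor_message(sender, recipient, subject, member_name, payload, trailer, boundary):
    # multipart/mixed: first a base64 file.zip attachment wrapping <member_name>, then a
    # text/plain part carrying the second encoded blob, matching the layout quoted above.
    msg = MIMEMultipart('mixed', boundary=boundary)
    msg['From'] = f'<{sender}>'
    msg['To'] = f'<{recipient}>'
    msg['Subject'] = subject
    msg.attach(MIMEApplication(make_zip(member_name, payload), 'octet-stream', name='file.zip'))
    msg.attach(MIMEText(trailer, 'plain', 'us-ascii'))
    return msg.as_bytes()


def extract_anchor_payloads(raw):
    # Triage side: parse a captured message, base64-decode the zip attachment, open it in
    # memory and return (subject, {member_name: bytes}, text/plain trailer).
    msg = email.message_from_bytes(raw, policy=policy.default)
    members, trailer = {}, ''
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == 'application/octet-stream':
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for name in zf.namelist():
                    members[name] = zf.read(name)
        elif ctype == 'text/plain':
            trailer = part.get_content().strip()
    return str(msg['Subject']), members, trailer


def find_reply(raw_messages, member_name):
    # Walk fetched messages until one carries the identifier of the outstanding request;
    # here the zip member name is that identifier (an assumption about where it is carried).
    for raw in raw_messages:
        _, members, _ = extract_anchor_payloads(raw)
        if member_name in members:
            return members[member_name]
    return None


def sample_message():
    return build_anchor_message('zakr_kurt1@15906-28547.bacloud.info', 'z1@15906-28547.bacloud.info',
                                SAMPLE_SUBJECT, '1-1.txt', SAMPLE_REQUEST, SAMPLE_TRAILER, '4E7E98B61C1C3A56')


if __name__ == '__main__':
    raw = sample_message()
    print(raw.decode('ascii'))
    print(extract_anchor_payloads(raw))
```

For mail-gateway detection the useful traits are the ones this code produces and consumes: a subject and a text/plain body made entirely of lowercase pseudo-words, a single application/octet-stream attachment named file.zip whose only member is a short N-N.txt file, and From/To addresses on the same unusual domain; none of those alone is conclusive, but together they are unlike normal mail.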
The malware then uses the SELECT and FETCH commands to retrieve messages, which it parses until it\r\nfinds one containing a unique identifier that matches one that the malware sent in its original request to the SMTP server.\r\nThe message contents are then decoded and the response, together with any commands and command parameters, is extracted.\r\nIf registration is successful, AnchorMail then sends a type /1/ request to the C2 to check for any commands to be run.\r\n/\u003cgroup_id\u003e/\u003csystem_id\u003e/1/\u003ctoken\u003e/\r\nThe response from the C2 will be formatted as follows:\r\n\u003cincode\u003e/\u003cgroup_id\u003e/\u003csystem_id\u003e/\u003ctoken\u003e/\u003ccmdid\u003e/\u003ccmd_params\u003e\r\nThe incode field contains a number identifying the command which is to be run, and cmd_params contains the parameters\r\nfor that command.\r\nOverall, AnchorMail supports the following command codes.\r\nFunctionality:\r\nUninstall: delete the scheduled task and delete the malware file.\r\nThe type /5/ request used by some of the commands to request payload files has the following format:\r\n/\u003cgroup_id\u003e/\u003csystem_id\u003e/5/\u003cfile_name\u003e/\r\nOnce the specified command has been performed, results are sent back to the C2 using a type /10/ request.\r\n/\u003cgroup_id\u003e/\u003csystem_id\u003e/10/\u003cincode\u003e/\u003ccmdid\u003e/\u003cresult\u003e/\r\nSource: https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/posts/new-malware-trickbot-anchordns-backdoor-upgrades-anchormail/"
	],
	"report_names": [
		"new-malware-trickbot-anchordns-backdoor-upgrades-anchormail"
	],
	"threat_actors": [
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/238ddd535077b49d3d443f0c6e5a263093a25700.pdf",
		"text": "https://archive.orkl.eu/238ddd535077b49d3d443f0c6e5a263093a25700.txt",
		"img": "https://archive.orkl.eu/238ddd535077b49d3d443f0c6e5a263093a25700.jpg"
	}
}