{
	"id": "d7b12421-b11b-468e-b455-495953ddab0b",
	"created_at": "2026-04-06T00:22:06.935875Z",
	"updated_at": "2026-04-10T13:11:48.94837Z",
	"deleted_at": null,
	"sha1_hash": "2bf9be2d86811cefa89e279a0b9f7800cfced808",
	"title": "TrickBot gang shuts down botnet after months of inactivity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89130,
	"plain_text": "TrickBot gang shuts down botnet after months of inactivity\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-17 · Archived: 2026-04-05 17:32:14 UTC\r\nThe operators of the TrickBot malware botnet have shut down their server infrastructure today after months of\r\ninactivity, bringing to an end one of the most dangerous and persistent malware operations seen in recent years.\r\nPrior to today's voluntary shutdown, the TrickBot gang hadn't set up new servers or tried to carry out email spam\r\ncampaigns since mid-December 2021.\r\nBut today's shutdown comes as no surprise, Vitali Kremez, CEO of security firm AdvIntel, told The Record in a\r\nphone call earlier today.\r\nIt comes after the group's malware has become \"highly detectable\" by security products, which appears to have\r\ndamaged the group's ability to infect and then sell access to Windows systems to its criminal clientele, security\r\nfirms AdvIntel and Intel471 wrote in separate reports analyzing the malware's recent slump.\r\n\"Trickbot, after all, is relatively old malware that hasn't been updated in a major way. Detection rates are high, and\r\nthe network traffic from bot communication is easily recognized,\" Intel471 said earlier today before Kremez\r\nconfirmed that TrickBot had decided to call it quits.\r\nTrickBot is gone...It is official now as of Thursday, February 24, 2022\r\nSee you soon ... 
or not pic.twitter.com/zWCCpngUI7\r\n— Vitali Kremez (@VK_Intel) February 24, 2022\r\nKremez also cited recent recruitment from the Conti ransomware gang as a primary factor in TrickBot's recent\r\ndemise.\r\nAfter resurrecting and integrating the Emotet botnet into its \"cybercrime cartel\" towards the end of 2021, Kremez\r\nsaid that the Conti gang has now also recruited several top members of the TrickBot gang.\r\nUnder its new leadership, the old TrickBot malware codebase and infrastructure appear to have been abandoned,\r\nand Kremez said that the Conti gang is working with the former TrickBot devs to further develop and deploy\r\nBazaarBackdoor, one of TrickBot's former modules, as a replacement for TrickBot itself.\r\nTrickBot goes out on its own terms\r\nThe TrickBot gang fading out its old malware and morphing into a new operation comes after both US\r\nauthorities and security firms tried to forcibly take down its command and control server infrastructure in\r\nOctober 2020.\r\nDespite losing roughly 94% of its servers, the botnet survived and returned with new servers days later and with\r\nnew attacks after a few weeks.\r\nhttps://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/\r\nPage 1 of 3\n\nBut the failed takedown attempt didn't dissuade US authorities, and they responded in 2021 by charging and\r\ndetaining two of TrickBot's programmers, Alla Witte and Vladimir Dunaev.\r\nHowever, the arrests didn't touch the group's leadership, which remained intact and continued to operate the\r\nbotnet throughout 2021 before entering their recent Conti collaboration and moving on to a new malware\r\ncodebase.\r\nIn December 2021, just days before TrickBot ceased operations, Check Point reported seeing the malware\r\non more than 140,000 systems throughout the year (2021).\r\nIn a Wired feature on TrickBot, security firm Hold Security said it saw the TrickBot gang invest more than $20\r\nmillion in its infrastructure last 
year, which shows the scale of its operation, which dwarfs many legitimate\r\nsoftware firms today.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/trickbot-gang-shuts-down-botnet-after-months-of-inactivity/"
	],
	"report_names": [
		"trickbot-gang-shuts-down-botnet-after-months-of-inactivity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434926,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bf9be2d86811cefa89e279a0b9f7800cfced808.pdf",
		"text": "https://archive.orkl.eu/2bf9be2d86811cefa89e279a0b9f7800cfced808.txt",
		"img": "https://archive.orkl.eu/2bf9be2d86811cefa89e279a0b9f7800cfced808.jpg"
	}
}