{
	"id": "0f70cb85-d1cc-43f0-802f-3fda9bc828a9",
	"created_at": "2026-04-06T00:14:45.350922Z",
	"updated_at": "2026-04-10T03:20:28.478954Z",
	"deleted_at": null,
	"sha1_hash": "2f6888d2d58fba8141380cf12fc4ab5a9dcafbca",
	"title": "Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290100,
	"plain_text": "Trickbot Expands Global Targets Beyond Banks and Payment\r\nProcessors to CRMs\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 17:17:09 UTC\r\nThe financial trojan TrickBot has been updating its campaigns and targets since F5 malware researchers started\r\nfollowing it in September 2016. This is expected behavior because attackers need to continually update their\r\ntargets and methods to evade detection. Previously, TrickBot, the successor to Dyre (/content/f5-\r\nlabs/en/labs/articles/threat-intelligence/little-trickbot-growing-up-new-campaign-24412.html), targeted financial\r\ninstitutions in Europe, Australia, New Zealand, and Canada (/content/f5-labs/en/labs/articles/threat-intelligence/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-24420.html). TrickBot’s May\r\n2017 campaigns targeted banks in the UK, Australia, US, Canada, New Zealand, Ireland, France, Germany,\r\nSwitzerland, the Netherlands, Bulgaria, India, Singapore, and Hong Kong.\r\nIn the 26 TrickBot configurations F5 researchers analyzed that were active in May 2017, targets expanded beyond\r\nbanks to include two payment processing providers and two Customer Relationship Management (CRM) SaaS\r\nproviders. The fact that payment processors were targets (/content/f5-labs/en/labs/articles/threat-intelligence/marcher-gets-close-to-users-by-targeting-mobile-banking-android-apps-social-media-and-email-26004.html) was a notable change that we also observed in Marcher, an Android banking trojan in March of 2017.\r\nIt appears now that CRMs are a new target of attackers; is it because of their potential for collecting valuable user\r\ndata that could enhance phishing campaigns?\r\nWhat’s also notable (and expected) is that all command and control (C\u0026C) servers tied to the most recent\r\ncampaigns reside within web hosting provider networks and were communicating with their infected hosts over\r\nport 443. 
We know attackers hide their exploits in encrypted traffic; this is just another point of reference to prove\r\nit is a consistent and common method being used. Additionally, none of the C\u0026Cs we observed in May 2017 were\r\nthe same C\u0026Cs we tracked in late 2016.\r\nMay 2017 Campaigns\r\nThis analysis focuses on the activities of two separate campaigns of different sizes identified in the 26\r\nconfigurations analyzed, versions “1000018” and “1000019.” The smaller campaign detected included 210 URL\r\ntargets focused on banks in Australia, UK, Canada, New Zealand, Singapore, India, and Ireland, and a payment\r\nprocessor in the US. The larger campaign detected included 257 URLs for banks in the UK, Australia, US,\r\nCanada, Ireland, France, Germany, Switzerland, Hong Kong, the Netherlands, and Bulgaria. The same US\r\npayment processor was targeted across both campaigns, however, the CRM targets only appeared in the second\r\ncampaign.\r\nhttps://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms\r\nPage 1 of 7\n\nFigure 1: Smaller campaign and larger campaign with count of URL targets\r\nTrickBot May Targets by Industry and Country\r\nWhen looking at TrickBot’s URL targets, we attributed the country target based on the country code in the URL\r\nrather than the global headquarters of the targeted business. For instance, https://www.citibank.com.sg is attributed\r\nto Singapore, and https://online.citi.eu/GBIPB is attributed to the UK, even though CitiBank is headquartered in\r\nthe US. 
(Refer to Appendix A for specific targets by country.)\r\nThe smaller campaign focused on targeting banks (83% of URL targets) in Australia, UK, Canada, New Zealand\r\nand Singapore, and a payment processor (PayPal) attributed to the US (although PayPal users are global).\r\nFigure 2: URL targets by industry in the smaller campaign\r\nThe map in Figure 3 shows the number of URLs targeted by country in the smaller campaign. All targets in every\r\ncountry except the US were banks. No US banks were targeted in this campaign, only the payment processor,\r\nPayPal. The 35 unique PayPal URLs targeted were the exact same URLs targeted in both campaigns.\r\nFigure 3: Targeted Countries in the smaller campaign\r\nFigure 4 shows unique URLs targeted in comparison to unique businesses, because there were often multiple URL\r\ntargets within one business. (For additional details on the businesses targeted by industry and country, see\r\nAppendix A.)\r\nFigure 4: Unique URLs to unique businesses in the smaller campaign\r\nThe larger campaign expanded its scope of targeted banking URLs and payment processors by adding one new\r\npayment processor URL in the UK and introducing CRMs as new targets. 
The specific CRMs targeted were\r\nSalesforce.com and an auto sales CRM developed by Reynolds \u0026 Reynolds in the US.\r\nFigure 5: URL targets by industry in the larger campaign\r\nThe larger campaign was mainly focused on banks in the UK (47% of targets, up from 18% in the smaller\r\ncampaign), followed by Australia, then the US. All Australian targets were banks again. PayPal was the leading\r\nUS target (exactly the same PayPal URLs in both campaigns), followed by 9 other US banks that were not\r\ntargeted in the smaller campaign, and with the addition of new CRM providers. Additional European companies\r\nwere targeted in the larger campaign, including banks in France, Germany, Switzerland, the Netherlands, and\r\nBulgaria. A bank in Hong Kong was the new Asia target in this campaign, however, the banking targets in\r\nSingapore and India from the smaller campaign were not included.\r\nFigure 6: Targeted countries in the larger campaign\r\nThe chart below shows the same data as that shown in Figure 4 for the larger campaign. (For details, see Appendix\r\nA.)\r\nFigure 7: Unique URLs to unique businesses in the larger campaign\r\nC\u0026C Servers in Europe\r\nWhen analyzing the two campaigns, six C\u0026C IP addresses were identified, all of which exist within European\r\nweb hosting provider networks. As shown in the table below, three of the six are operated by hosting firms in Asia\r\nthat use these European web hosting companies’ services. 
All of them used port 443 / HTTPS as a connection\r\nmethod from the infected machine back to the C\u0026C host, a method commonly used by malware authors to evade\r\ndetection from network security devices that don’t inspect encrypted traffic.\r\nSamples Analyzed\r\nThe following MD5 samples, active in May 2017, were analyzed for this report:\r\nConclusion\r\nIt seems the success of TrickBot thus far has influenced the authors to not only repeat their previous target list of\r\nbanks from previous campaigns but to expand those targets to include new banks globally as well as CRM\r\nproviders. 
The fact that C\u0026C servers in these two most recent campaigns reside within web hosting companies is\r\nalso significant, along with the fact that the C\u0026C servers were different from those used in previous campaigns.\r\nGiven the changes we’ve witnessed with each successive campaign, F5 Labs researchers expect to see further\r\nevolution in both the targets and methods used by TrickBot authors, and we will continue to monitor and report on\r\nthis evolving threat. TrickBot’s consistent initial attack pattern is to use email spam campaigns, so users are\r\nadvised not to open suspicious files received by email.\r\nAppendix A\r\nThe following list shows the actual banks targeted by country, and the number of unique URLs per bank as an\r\nindication of their importance to the malware authors.\r\nPayment Processor Targets by Country\r\nCRM Targets by Country\r\nSource: https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms"
	],
	"report_names": [
		"trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms"
	],
	"threat_actors": [],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f6888d2d58fba8141380cf12fc4ab5a9dcafbca.pdf",
		"text": "https://archive.orkl.eu/2f6888d2d58fba8141380cf12fc4ab5a9dcafbca.txt",
		"img": "https://archive.orkl.eu/2f6888d2d58fba8141380cf12fc4ab5a9dcafbca.jpg"
	}
}