{
	"id": "629497ef-5bc7-4670-84c5-249a83ca25b0",
	"created_at": "2026-04-10T03:21:52.871157Z",
	"updated_at": "2026-04-10T03:22:19.418579Z",
	"deleted_at": null,
	"sha1_hash": "504d5f57a94560cd8d01a0bd5fdfa1b4192f8669",
	"title": "Conti ransomware gang takes over TrickBot malware operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1623129,
	"plain_text": "Conti ransomware gang takes over TrickBot malware operation\r\nBy Ionut Ilascu\r\nPublished: 2022-02-18 · Archived: 2026-04-10 02:52:21 UTC\r\nAfter four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, which plans to replace it with the stealthier BazarBackdoor malware.\r\nTrickBot is a Windows malware platform that uses multiple modules for various malicious activities, including information stealing, password stealing, infiltrating Windows domains, initial access to networks, and malware delivery.\r\nhttps://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/\r\nPage 1 of 5\r\nTrickBot has dominated the malware threat landscape since 2016, partnering with ransomware gangs and causing havoc on millions of devices worldwide.\r\nThe Ryuk ransomware gang initially partnered with TrickBot for initial access to networks, but was replaced by the Conti ransomware gang, which has been using the malware for the past year to gain access to corporate networks.\r\nIt is estimated that the group handling TrickBot campaigns - an elite division known by the name Overdose - has made at least $200 million from its operations, \r\nConti takes over TrickBot operation\r\nResearchers at cybercrime and adversarial disruption company Advanced Intelligence (AdvIntel) noticed that in 2021 Conti had become the only beneficiary of TrickBot’s supply of high-quality network accesses.\r\nBy this time, TrickBot’s core team of developers had already created a stealthier piece of malware, BazarBackdoor, used primarily for remote access into valuable corporate networks where ransomware could be deployed.\r\nAs the TrickBot trojan had become easily detectable by antivirus vendors, the threat actors began switching to BazarBackdoor for initial access to networks, as it was developed specifically to stealthily compromise high-value targets.\r\nHowever, by the end of 2021, Conti managed to attract “multiple elite developers and managers” of the TrickBot botnet, turning the operation into its subsidiary rather than a partner, AdvIntel notes in a report shared with BleepingComputer.\r\nBased on internal Conti conversations that the researchers had access to and shared with BleepingComputer, AdvIntel says that BazarBackdoor moved from being part of TrickBot’s toolkit to a standalone tool whose development is controlled by the Conti ransomware syndicate.\r\nThe main admin for the Conti group said that they took over TrickBot. However, as the \"bot is dead\", they are moving Conti from TrickBot to BazarBackdoor as the primary way of gaining initial access.\r\n“After being “acquired” by Conti, [TrickBot leaders] are now rich in prospects with secure ground beneath them, and Conti will always find a way to make use of the available talent” - AdvIntel\r\nEver since its launch, the Conti operation has maintained a code of conduct that allowed it to rise as one of the most resilient and lucrative ransomware groups, unfazed by law enforcement crackdowns on its competitors.\r\nAdvIntel says that the group was able to run its normal cybercriminal business by adopting a “trust-based, team-based” model instead of working with random affiliates whose choice of victim organizations would draw action from law enforcement.\r\nWhile TrickBot malware detections will become less common, AdvIntel's recent findings show that the operation is not finished; it has just moved to a new control group that takes it to the next level with malware better suited for high-value targets.\r\nSource: https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/"
	],
	"report_names": [
		"conti-ransomware-gang-takes-over-trickbot-malware-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775791312,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/504d5f57a94560cd8d01a0bd5fdfa1b4192f8669.pdf",
		"text": "https://archive.orkl.eu/504d5f57a94560cd8d01a0bd5fdfa1b4192f8669.txt",
		"img": "https://archive.orkl.eu/504d5f57a94560cd8d01a0bd5fdfa1b4192f8669.jpg"
	}
}