{
	"id": "d448c5af-1457-49f3-801b-718ed2677b02",
	"created_at": "2026-04-06T00:13:50.11234Z",
	"updated_at": "2026-04-10T13:12:07.1298Z",
	"deleted_at": null,
	"sha1_hash": "58cb039f112b98ff582cc5dd4fbba97224b7451f",
	"title": "Tricky Trickbot Runs Campaigns Without Redirection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 686762,
	"plain_text": "Tricky Trickbot Runs Campaigns Without Redirection\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 20:27:39 UTC\r\nDuring June and July, F5 researchers first noticed Trickbot campaigns aimed at a smaller set of\r\ngeographically oriented targets and did not use redirection attacks—a divergence from previous Trickbot\r\ncharacteristics.\r\nIn this research, we compared two different target configurations, one older, more “traditional”\r\nconfiguration that uses redirection, and a new Trickbot configuration that does not us redirection and\r\nexclusively uses dynamic injection.\r\nThe vast majority of all spotted Trickbot campaigns target US financial services institutions; a much\r\nsmaller percentage target other industries, including cryptocurrencies, credit card companies, and e-commerce.\r\nNotably, the access pages of financial services institutions, including single sign-on pages, are the most\r\ntargeted, which indicates that access is still imperative in order to conduct lucrative cybercriminal attacks.\r\nTrickbot, one of today’s most active banking trojans, was first reported on in 2016. It was originally known for its\r\ngeographically centered campaigns targeting only the financial services industry. But it quickly expanded its\r\ntargets to include credit card, wealth management, customer relationship management software companies. (For\r\nmore background on Trickbot, check out the F5 Labs banking malware reference guide (/content/f5-labs-v2/en/archive-pages/education/banking-trojans-a-reference-guide-to-the-malware-family-tree.html).)\r\nSince 2016, Trickbot campaigns have continued to evolve. New campaigns are pivoting to be much more\r\nregionally focused, and they exploit using only one type of attack: dynamic Injection (Dinj), also known as server-side injection. The details of these attacks are stored in Dinj files. 
While the dynamic injection technique isn’t new, this is the first time Trickbot has applied it in such a geographically centered campaign.\r\nOver the last few months, F5 researchers have gathered target configuration files from Trickbot campaigns and, for this analysis, compared two of the most different ones. (Note that the traditional Trickbot configuration we analyzed has not been active over the last four months.) Because Trickbot’s current tactics differ so starkly, we used the older configuration as a baseline to highlight Trickbot’s transition to attacking without redirection, a much more sophisticated approach. The configurations we compared are v459, composed of the new Trickbot tactics of shorter target lists and no redirection, and v420, a more traditional configuration that uses both redirection and dynamic injection attacks and has a very long target list.\r\nActive Campaigns Without Redirection\r\nHistorically known for using redirection attacks (a user is forwarded from a trusted site to another, possibly malicious, site), Trickbot is not using this tactic in some of its latest target configurations. This change, first noticed by F5 researchers in June and July, continues in August and September 2019. Redirection is absent not only from the target lists but also from the encrypted webinject files of the latest campaigns: there is no trace of the previous redirection targets alongside the Dinj elements. While this seems to be an intentional shift in tactics, Trickbot continues to target the financial services industry, with 91% of targets on the v459 target list falling into this industry.\r\nhttps://www.f5.com/labs/articles/threat-intelligence/tricky-trickbot-runs-campaigns-without-redirection\r\nPage 1 of 9\r\nFigure 1. 
Industries targeted in the Trickbot v459 configuration\r\nBreaking down the financial services industry further, these campaigns using dynamic injection are mostly continuing to target banking institutions and the investment arms of banks.\r\nFigure 2. Breakdown of Trickbot v459’s dynamic injection targets in the financial services industry\r\nWe postulate that Trickbot continues to target financial services with a narrow scope because server-side (dynamic) injection needs to be very precise. Dynamic injection has to ensure that the injected content does not break legitimate page behavior, and it must account for other scripts that may be defending the target page. This is an expensive attack, both in setup time and in the insight needed into the target page’s infrastructure, which helps explain the whittled-down target list for campaigns using only this technique. It is also possible that the v459 target list is under maintenance, with targets that performed poorly in past campaigns being culled.\r\nThe current campaigns we sampled did not use redirection attacks. The geographic targeting is clearly against the U.S.\r\nFigure 3. Trickbot v459 target list by geolocation, broken out by country\r\nActive Campaigns With Redirection\r\nAs stated earlier, the v420 Trickbot campaign uses traditional Trickbot tactics. Geographically, the top targeted countries are similar, but the v420 campaign has a broader reach, attempting to target users either logging into banks around the world or users based in certain locations for global institutions.
Further, v420 has a much longer target list, with 1,135 unique URIs compared with v459’s 360 unique URIs, and it casts a larger net: it includes more small, geographically dispersed financial services institutions. Alongside the clearly industry-targeted entries, the target list contains a number of general extensions, redirection attempts, and URLs that do not resolve.\r\nFigure 4. Trickbot v420’s targeted industries by unique URL targeted\r\nSimilar to the v459 target configuration, when the financial services industry is broken out by segment, banks and investment banks are heavily targeted. Cryptocurrency exchanges also make up a portion of this list, which makes sense given the anonymity they offer. Notably, due to the larger list size and the focus on Italy and Italian financial consulting firms, there is a broader spread of subindustries within financial services.\r\nFigure 5. Trickbot v420 breakdown of the financial services industry by unique URL targeted\r\nGeographically, the Trickbot v420 target file is more scattered than the v459 target file: rather than targeting a region, it targets wealthy countries or countries known for their relaxed banking laws. Notably, Russia and China do not appear on this list at all. As of this analysis, Trickbot has no official attribution to either a country or a group, and the nations absent from this list may be telling.\r\nFigure 6. Trickbot v420 target list geographic distribution showing unique URLs targeted by country\r\nFurther breaking down the “global” category of the geographic distribution from the v420 configuration, there were a number of URLs.
Most of these URLs are general extensions or redirection attempts, which means that they do not target one website specifically; instead, they are meant as a catchall. These were not seen in the same volume in the v459 configuration. In addition, cryptocurrency exchanges are categorized as targeting a global market rather than an individual country, since anyone in the world can access them.\r\nFigure 7. Breakdown of Trickbot v420 global targets by specific industry\r\nOverall, the Trickbot v420 and v459 target files are similar in that they both heavily target financial services institutions and are geographically centered on the US. Digging a little deeper, the Trickbot v459 target list appears to be a more focused version of the v420 target file.\r\nThe behavior exhibited by the v420 target list is much more that of a traditional Trickbot campaign and is more representative of the direction in which, based on previous behavior, analysts expected Trickbot to go. F5 threat researchers speculate that the recent change could be a defensive response to some action taken against the malware’s authors or supporting infrastructure.\r\nHow Banks React\r\nTargeting users is not uncommon. Banks have known since the inception of the Internet that they would be an obvious target for attackers. In response, banks have hardened their websites to the point where the best way in is through a human. So instead of attacking the bank’s website, malicious actors go after users. In the target files analyzed, many of the targets are specific access points to the institution. Notably, some banks that were on the v420 target list have acknowledged this publicly and warn users about this danger.\r\nFigure 8. 
Example of a bank warning users about Trickbot and other banking trojans\r\nThe example shown in Figure 8 is from a bank seen only in the v420 target list, but these warnings are not put out only by smaller institutions. Banks need to find ways to let users know whom to trust and make them aware of the resources available to them. Making sure this information surfaces in Google search results helps them keep users safe.\r\nConclusion\r\nResearchers can only speculate why Trickbot has dropped the redirection attack vector in some of its newest, active campaigns. The v459 target list is much more focused and may be under maintenance, to fixate on just the top-performing targets. Researchers hypothesize that this may be due to the need for a lot of computing power and servers to support the large waves of spam campaigns, and to keep steady pressure on infected users in order to steal money. Whatever the reason for the change, Trickbot remains an active and engaged threat to financial services institutions and their users.\r\nSecurity Controls\r\nThe following security controls (/content/f5-labs-v2/en/archive-pages/education/what-are-security-controls.html) are recommended in order to mitigate these malware attacks.\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/tricky-trickbot-runs-campaigns-without-redirection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/tricky-trickbot-runs-campaigns-without-redirection"
	],
	"report_names": [
		"tricky-trickbot-runs-campaigns-without-redirection"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58cb039f112b98ff582cc5dd4fbba97224b7451f.pdf",
		"text": "https://archive.orkl.eu/58cb039f112b98ff582cc5dd4fbba97224b7451f.txt",
		"img": "https://archive.orkl.eu/58cb039f112b98ff582cc5dd4fbba97224b7451f.jpg"
	}
}