{
	"id": "e06f185d-23c3-4c02-bf29-36a0b2c06097",
	"created_at": "2026-04-06T00:10:44.739327Z",
	"updated_at": "2026-04-10T13:11:45.707531Z",
	"deleted_at": null,
	"sha1_hash": "6508ae1f6475630905e1ae4cab81206a420bbd0e",
	"title": "Inside a TrickBot Cobalt Strike Attack Server - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2071018,
	"plain_text": "Inside a TrickBot Cobalt Strike Attack Server - SentinelLabs\r\nBy Joshua Platt\r\nPublished: 2020-06-22 · Archived: 2026-04-05 19:33:00 UTC\r\nResearch by Joshua Platt and Jason Reaves\r\nExecutive Summary\r\nTrickBot operators utilized PowerTrick and Cobalt Strike to deploy their Anchor backdoor and RYUK ransomware.\r\nWe review the Cobalt Strike portion of the server and how the actors were leveraging it against multiple targets.\r\nBackground\r\nTrickBot is the successor of Dyre, which at first was primarily focused on banking fraud, even reusing the same web-injection systems utilized by Dyre. Over the years TrickBot has shifted its focus to enterprise environments, incorporating everything from network profiling and mass data collection to lateral-movement exploits. This shift in focus is evident in the tertiary payloads they deliver to enterprise environments, much like a company whose targets shift depending on what generates the best revenue.\r\nThis report aims to expand upon SentinelLabs' earlier reports involving TrickBot:\r\nAnchor project’s connection of CyberCrime and APT\r\nPowerTrick custom PowerShell framework for high profile victims\r\nPreviously, in our PowerTrick reporting, we mentioned an IOC ‘wizardmagik[.]best’ (95.179.214[.]127). Typically, such domains are monitored for some time via VirusTotal in an effort to further our understanding of the IOC in question. The effort paid off: surprisingly, some old attack data from the server, containing roughly three sessions (10/7/2019-10/9/2019), appeared recently. While the log data covers only 3 sessions, data such as this can prove invaluable for defenders by showcasing actions on objectives and attack TTPs from real-life scenarios.\r\nAttack Server\r\nThe server is clearly utilized for further profiling the networks and systems. The actor leverages a myriad of open source scripts and tools to gather information and pivot to other systems from existing TrickBot infections.\r\nThis specific server comes into play in the post-Initial Access phase, which is handled by TrickBot. TrickBot modules collect large amounts of data on the infected systems and attempt to pivot to the domain controller. At this point, actors will jump in and begin the process of mapping out the network and determining what the next course of action will be. In other words, they initiate the valuation phase.\r\nhttps://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/\r\nPage 1 of 6\n\nAnatomy of an Attack\r\nIn the latter part of 2019, TrickBot conducted campaigns using the CloudApp folder. We can correlate timestamps from the Cobalt Strike logs to campaign data when TrickBot utilized the folder name[5].\r\nImage1: LS command issued to beacon\r\nThe actor initially makes a note of this infection:\r\nImage2: Operator adds note\r\nOnce the actors decide to take a look at the infection using Cobalt Strike, they issue a task to run the Cobalt Strike-ToolKits DACheck script, impersonate SYSTEM and run Mimikatz.\r\nImage3: Initial tasks executed after check in\r\nNext, they begin looking for live hosts and port scanning for particular open ports.\r\nImage4: Port Scan task initiated\r\nThey also check the members of the Domain Admin group:\r\nImage5: Domain admin checked\r\nAnd dump the hashes:\r\nImage6: hashdump issued\r\nThe actors load the PowerView.ps1 PowerShell script from PowerSploit and begin leveraging it to find where else they can pivot to.\r\nImage7: PowerShell leveraged for enumeration\r\nDuring this time, other machines in the same domain are pivoted to.\r\nImage8: Interactive Logon\r\nEach machine gets profiled.\r\nImage9: Machine directory listing\r\nEventually leading to Ryuk ransomware:\r\nImage10: Ryuk upload and detonate\r\nImage11: Ryuk detonated via PsExec\r\nGoing by the timestamps, we estimate a dwell time of 2 weeks from TrickBot -\u003e Pivot and Profile -\u003e Ryuk.\r\nTools Leveraged\r\nLaZagne\r\nBloodHound\r\nAdFind\r\nPowerSploit\r\nSMBAutoBrute\r\nSessionGopher\r\nIOCs\r\nwizardmagik[.]best\r\nCobalt Strike directory zip:\r\n0cdfe2572b826dd5f7d22e109009465759fea0d4606c70d273981a73bb4e68ac\r\nReferences\r\n1: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/\r\n2: https://www.fidelissecurity.com/threatgeek/archive/trickbot-we-missed-you-dyre/\r\n3: https://www.sentinelone.com/labs/anchor-project-the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\n4: https://www.sentinelone.com/labs/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/\r\n5: https://app.any.run/tasks/8cba0d2f-683a-4402-a42d-25d469e45fc1/\r\nSource: https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/"
	],
	"report_names": [
		"inside-a-trickbot-cobaltstrike-attack-server"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6508ae1f6475630905e1ae4cab81206a420bbd0e.pdf",
		"text": "https://archive.orkl.eu/6508ae1f6475630905e1ae4cab81206a420bbd0e.txt",
		"img": "https://archive.orkl.eu/6508ae1f6475630905e1ae4cab81206a420bbd0e.jpg"
	}
}