{
	"id": "272f5e49-acb9-4065-8867-f7118cee32a5",
	"created_at": "2026-04-06T00:14:44.853762Z",
	"updated_at": "2026-04-10T13:11:26.248426Z",
	"deleted_at": null,
	"sha1_hash": "6a12c2e72cdd4f397b9966e3ca0a8ea896e212a4",
	"title": "Like the Energizer Bunny, Trickbot Goes On and On",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66606,
	"plain_text": "Like the Energizer Bunny, Trickbot Goes On and On\r\nBy Jai Vijayan\r\nPublished: 2020-11-12 · Archived: 2026-04-05 17:22:27 UTC\r\nOperators of the Trickbot botnet that has infected more than 1 million systems worldwide with ransomware and\r\nother malware are providing a textbook example of just how difficult it can be to truly take out international\r\ncybercrime operations.\r\nWeeks after US Cyber Command, Microsoft, and several others took coordinated action to extensively disrupt\r\nTrickbot activity, there are signs the botnet operators have not fully given up yet.\r\nThreat intelligence firm Intel 471 this week reported it had observed signs that a new version of Trickbot is being\r\ndistributed via spam even as the operators of the malware have begun using a different tool known as BazarLoader\r\nto distribute Ryuk ransomware.\r\nAccording to Intel 471, BazarLoader appears to have been developed by the same group behind Trickbot, sharing\r\nsome of the same code and infrastructure as the latter. It's presently unclear whether Trickbot operators have\r\nswitched completely to BazarLoader or if they would return to using the Trickbot botnet at a later date, the threat\r\nintelligence firm said in a report this week.\r\nThe Ryuk ransomware version that's being distributed in growing numbers has also been associated with Trickbot,\r\nIntel 471 said. Together, the data indicates that the group behind Trickbot is still successfully launching targeted\r\nransomware attacks, though their original infrastructure appears to have been all but wiped out, Intel 471 said.\r\nKacey Clark, threat researcher at Digital Shadows, says Ryuk and Conti ransomware delivery has increased in\r\nrecent weeks, as have threat groups that are purchasing access to Trickbot-infected machines to leverage in their\r\nown attacks. 
\r\n\"Throughout the takedown efforts carried out by security practitioners, Trickbot operators have continuously\r\nattempted to spin up new [command-and-control] instances,\" Clark says. \"[As a result], Trickbot operators still\r\nmaintain access to non-US-based infrastructure, allowing them to continue their attacks.\"  \r\nTrickbot and the group behind it have presented a persistent problem for defenders for several years. The malware\r\nfirst surfaced in 2016 as a banking Trojan and over the years has morphed into a sophisticated tool for delivering\r\nransomware, cryptominers, and other banking Trojans. The operators of the malware itself have established what\r\nis believed to be a lucrative crimeware-as-a-service operation that, among other things, sells access to thousands\r\nof networks they have previously breached.\r\nThe group has been associated with a particularly sophisticated malware toolset called Anchor, which is designed\r\nfor use against high-value targets. Last year, Trickbot operators are believed to have provided North Korea's\r\nLazarus Group with access to Anchor in a first-of-its-kind collaboration between a cybercrime group and an\r\nhttps://www.darkreading.com/threat-intelligence/like-the-energizer-bunny-trickbot-goes-on-and-on-/d/d-id/1339432\r\nPage 1 of 3\n\nadvanced persistent threat actor. Earlier this year there were concerns about the group potentially targeting\r\nelection infrastructure as well.\r\nCoordinated Takedown Attempts\r\nBetween September and early November, US Cyber Command, Microsoft, and several others including the\r\nFinancial Services Information Sharing and Analysis Committee (FS-ISAC) took a series of steps to disrupt and\r\nbreak Trickbot activities. 
The efforts included disrupting the group's back-end servers and seizing numerous IP\r\naddresses associated with Trickbot command-and-control (C2) servers.\r\nMark Arena, CEO of Intel 471, says US Cyber Command, among other actions, likely breached the back end of\r\nTrickbot's infrastructure and used that to modify the configuration files that were sent to Trickbot-infected\r\nsystems.\r\n\"The tactics used by US Cyber Command appeared to be orientated toward cutting off the actors behind Trickbot\r\nfrom the systems they had infected,\" Arena says. It's likely that the action caused Trickbot operators to lose access\r\nto a \"decent amount\" of infected systems, he says.\r\nMicrosoft's focus, meanwhile, was on taking down Trickbot's control servers by contacting the respective hosting\r\ncompanies and ISPs using court orders.\r\nThe actions have considerably disrupted Trickbot operations but have not erased them completely. With each\r\ninfrastructure hit, the group has kept devising ways to regain control of it. For instance, when Cyber Command\r\ninitially succeeded in poisoning Trickbot configuration files, the group was able to restore working files on their\r\nC2 servers in 24 hours, Intel 471 said. Similarly, when Microsoft began its takedown operations, Trickbot kept\r\nsetting up new infrastructure in response.\r\nFor the moment, the substantial efforts to squelch Trickbot activity appear to have largely worked. At the very\r\nleast, the actions have forced the threat actors to spend time devising new ways to respond.\r\n\"It's expected that they will invest greater efforts in redundancy, including globally distributed command-and-control servers and backup command-and-control methods that are resistant to takedowns,\" Arena says. 
\"The only\r\nreal long-term blow that we expect to be effective at halting Trickbot permanently would be arrests of the\r\ncriminals behind Trickbot.\"\r\nClark says the continued Trickbot activity shows how resilient and quick on their feet malware operators can be\r\nwhen pressured.\r\n\"As the takedown efforts forced a significant amount of Trickbot infrastructure offline, operators identified new\r\nC2 servers and leveraged out-of-band infrastructure to continue their campaign,\" she says. \"Unfortunately,\r\noperations of this caliber are resilient and complex, making it very challenging to rid the malware from existence\r\nentirely.\"\r\nAbout the Author\r\nContributing Writer\r\nJai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was\r\nmost recently a Senior Editor at Computerworld, where he covered information security and data privacy issues\r\nfor the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other\r\ntechnology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to\r\nComputerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's\r\ndegree in Statistics and lives in Naperville, Ill.\r\nSource: https://www.darkreading.com/threat-intelligence/like-the-energizer-bunny-trickbot-goes-on-and-on-/d/d-id/1339432",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.darkreading.com/threat-intelligence/like-the-energizer-bunny-trickbot-goes-on-and-on-/d/d-id/1339432"
	],
	"report_names": [
		"1339432"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434484,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a12c2e72cdd4f397b9966e3ca0a8ea896e212a4.pdf",
		"text": "https://archive.orkl.eu/6a12c2e72cdd4f397b9966e3ca0a8ea896e212a4.txt",
		"img": "https://archive.orkl.eu/6a12c2e72cdd4f397b9966e3ca0a8ea896e212a4.jpg"
	}
}