{
	"id": "a4a26c37-e290-4930-9c89-644c9b261f80",
	"created_at": "2026-04-06T00:09:12.689412Z",
	"updated_at": "2026-04-10T03:24:30.248402Z",
	"deleted_at": null,
	"sha1_hash": "77e6210c614a4730b9d556b57f9893adfe8b158c",
	"title": "Attacks Aimed at Disrupting the Trickbot Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53025,
	"plain_text": "Attacks Aimed at Disrupting the Trickbot Botnet\r\nPublished: 2020-10-02 · Archived: 2026-04-05 13:33:40 UTC\r\nOver the past 10 days, someone has been launching a series of coordinated attacks designed to disrupt Trickbot,\r\nan enormous collection of more than two million malware-infected Windows PCs that are constantly being\r\nharvested for financial data and are often used as the entry point for deploying ransomware within compromised\r\norganizations.\r\nA text snippet from one of the bogus Trickbot configuration updates. Source: Intel 471\r\nOn Sept. 22, someone pushed out a new configuration file to Windows computers currently infected with\r\nTrickbot. The crooks running the Trickbot botnet typically use these config files to pass new instructions to their\r\nfleet of infected PCs, such as the Internet address where hacked systems should download new updates to the\r\nmalware.\r\nBut the new configuration file pushed on Sept. 22 told all systems infected with Trickbot that their new malware\r\ncontrol server had the address 127.0.0.1, which is a “localhost” address that is not reachable over the public\r\nInternet, according to an analysis by cyber intelligence firm Intel 471.\r\nIt’s not known how many Trickbot-infected systems received the phony update, but it seems clear this wasn’t just\r\na mistake by Trickbot’s overlords. Intel 471 found that it happened yet again on Oct. 1, suggesting someone with\r\naccess to the inner workings of the botnet was trying to disrupt its operations.\r\n“Shortly after the bogus configs were pushed out, all Trickbot controllers stopped responding correctly to bot\r\nrequests,” Intel 471 wrote in a note to its customers. “This possibly means central Trickbot controller\r\ninfrastructure was disrupted. 
The close timing of both events suggested an intentional disruption of Trickbot\r\nbotnet operations.”\r\nhttps://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/\r\nPage 1 of 3\n\nIntel 471 CEO Mark Arena said it’s anyone’s guess at this point who is responsible.\r\n“Obviously, someone is trying to attack Trickbot,” Arena said. “It could be someone in the security research\r\ncommunity, a government, a disgruntled insider, or a rival cybercrime group. We just don’t know at this point.”\r\nArena said it’s unclear how successful these bogus configuration file updates will be given that the Trickbot\r\nauthors built a fail-safe recovery system into their malware. Specifically, Trickbot has a backup control\r\nmechanism: A domain name registered on EmerDNS, a decentralized domain name system.\r\n“This domain should still be in control of the Trickbot operators and could potentially be used to recover bots,”\r\nIntel 471 wrote.\r\nBut whoever is screwing with the Trickbot purveyors appears to have adopted a multi-pronged approach: Around\r\nthe same time as the second bogus configuration file update was pushed on Oct. 1, someone stuffed the control\r\nnetworks that the Trickbot operators use to keep track of data on infected systems with millions of new records.\r\nAlex Holden is chief technology officer and founder of Hold Security, a Milwaukee-based cyber intelligence firm\r\nthat helps recover stolen data. Holden said at the end of September Trickbot held passwords and financial data\r\nstolen from more than 2.7 million Windows PCs.\r\nBy October 1, Holden said, that number had magically grown to more than seven million.\r\n“Someone is flooding the Trickbot system with fake data,” Holden said. 
“Whoever is doing this is generating\r\nrecords that include machine names indicating these are infected systems in a broad range of organizations,\r\nincluding the Department of Defense, U.S. Bank, JP Morgan Chase, PNC and Citigroup, to name a few.”\r\nHolden said the flood of new, apparently bogus, records appears to be an attempt by someone to dilute the\r\nTrickbot database and confuse or stymie the Trickbot operators. But so far, Holden said, the impact has been\r\nmainly to annoy and aggravate the criminals in charge of Trickbot.\r\n“Our monitoring found at least one statement from one of the ransomware groups that relies on Trickbot saying\r\nthis pisses them off, and they’re going to double the ransom they’re asking for from a victim,” Holden said. “We\r\nhaven’t been able to confirm whether they actually followed through with that, but these attacks are definitely\r\ninterfering with their business.”\r\nIntel 471’s Arena said this could be part of an ongoing campaign to dismantle or wrest control over the Trickbot\r\nbotnet. Such an effort would hardly be unprecedented. In 2014, for example, U.S. and international law\r\nenforcement agencies teamed up with multiple security firms and private researchers to commandeer the\r\nGameover Zeus Botnet, a particularly aggressive and sophisticated malware strain that had enslaved up to 1\r\nmillion Windows PCs globally.\r\nTrickbot would be an attractive target for such a takeover effort because it is widely viewed as a platform used to\r\nfind potential ransomware victims. Intel 471 describes Trickbot as “a malware-as-a-service platform that caters to\r\na relatively small number of top-tier cybercriminals.”\r\nOne of the top ransomware gangs in operation today — which deploys ransomware strains known variously as\r\n“Ryuk” and “Conti,” is known to be closely associated with Trickbot infections. 
Both ransomware families have\r\nbeen used in some of the most damaging and costly malware incidents to date.\r\nThe latest Ryuk victim is Universal Health Services (UHS), a Fortune 500 hospital and healthcare services\r\nprovider that operates more than 400 facilities in the U.S. and U.K.\r\nOn Sunday, Sept. 27, UHS shut down its computer systems at healthcare facilities across the United States in a bid\r\nto stop the spread of the malware. The disruption has reportedly caused the affected hospitals to redirect\r\nambulances and relocate patients in need of surgery to other nearby hospitals.\r\nSource: https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/"
	],
	"report_names": [
		"attacks-aimed-at-disrupting-the-trickbot-botnet"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77e6210c614a4730b9d556b57f9893adfe8b158c.pdf",
		"text": "https://archive.orkl.eu/77e6210c614a4730b9d556b57f9893adfe8b158c.txt",
		"img": "https://archive.orkl.eu/77e6210c614a4730b9d556b57f9893adfe8b158c.jpg"
	}
}