{
	"id": "0ed40146-431a-492d-b9fc-e1fb1817695d",
	"created_at": "2026-04-06T00:15:34.388398Z",
	"updated_at": "2026-04-10T03:35:53.005074Z",
	"deleted_at": null,
	"sha1_hash": "8d5086ad506782bbd906bd664436df51a7b8da38",
	"title": "Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1785534,
	"plain_text": "Trickbot Delivery Method Gets a New Upgrade Focusing on\r\nWindows 10\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 23:03:03 UTC\r\nEDITOR’S NOTE: The previous version of this blog post mis-identified the source of this attack as the FIN7\r\ngroup; GRIFFON and OSTAP are both very long JavaScript downloaders with many similarities, which caused the\r\nconfusion in attributing the attack to FIN7. This is still an important find, as Trickbot is one of the most\r\nadvanced malware frameworks.\r\nOver the past few weeks, Morphisec Labs researchers identified a couple dozen documents that execute the\r\nOSTAP JavaScript downloader.\r\nThis time we identified the use of the latest version of the Remote Desktop ActiveX control class, which was\r\nintroduced for Windows 10. The attackers use the ActiveX control to execute the malicious macro automatically\r\nonce the user enables the document content.\r\nAs new features are introduced to a constantly updating OS, detection vendors need to update their techniques\r\nto protect the system. This is exhausting and time-consuming work, and it can have the opposite effect of pushing\r\ndefenders even farther behind the attacker. Trickbot distributors have yet again taken advantage of the\r\nopportunity such a change presents.\r\nWhile tracing this group abusing the Remote Desktop ActiveX control we also identified other groups misusing\r\nthe same and earlier controls, although with a slightly different technique.\r\nTechnical Details\r\nDocument\r\nMost of the targeted documents followed the naming convention “i\u003c7-9 random digits\u003e.doc“. Each\r\ndocument usually contained an image to convince the target to enable the content, which leads to execution of\r\nthe malicious macro; only this time the image also hid an ActiveX control slightly below it. 
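The chain described in this post (a hidden MsRdpClient10NotSafeForScripting control whose OnDisconnected event fires the macro once the empty server name fails DNS lookup with code 260, and a dropped BAT file that is also a valid JScript file) can be triaged with a small script once the VBA project and the dropped file have been extracted. The Python below is an added example, not Morphisec's code and not taken from the analysed samples. It assumes you already have the macro source as text (for instance from olevba) and the BAT text; the VBA and BAT inputs, the handler name RdpCtl, the Chr() arithmetic, the file names and the particular polyglot form (a leading "/* 2>nul" line) are constructed for illustration.

```python
'''Triage helpers for the Word -> RDP ActiveX -> OnDisconnected -> BAT/JScript chain.

Added example (not Morphisec's code). Inputs are macro source text and the
dropped BAT text, which you would first extract with other tooling (e.g.
olevba for the VBA project). All samples below are constructed.'''
import re

# disconnectReasonDNSLookupFailed in the Remote Desktop ActiveX control documentation.
DNS_LOOKUP_FAILED = 260

# Constructed VBA that mimics the trigger pattern: an OnDisconnected handler for
# the RDP control, gated on error 260, building its command from Chr() arithmetic
# on the error code. Handler name, offsets and paths are made up.
SAMPLE_VBA = r'''
Private Sub RdpCtl_OnDisconnected(ByVal discReason As Long)
    Dim sp As String, cmd As String
    If discReason = 260 Then
        sp = Chr(discReason - 228)   ' 32 = space, only correct when the code is exactly 260
        cmd = "wscript" & sp & "//e:jscript" & sp & Environ("TEMP") & "\o.bat"
        Shell cmd, vbHide
        ActiveDocument.Close False
    End If
End Sub
'''

# Constructed batch/JScript polyglot (one common form of the trick): cmd.exe fails
# to run "/*" (the error is hidden by 2>nul) and carries on with the batch lines;
# a JScript engine sees one comment block and skips straight to the script body.
SAMPLE_BAT = r'''/* 2>nul
@echo off
wscript //e:jscript "%~f0"
exit /b
*/
var sh = new ActiveXObject("WScript.Shell");
'''

BENIGN_VBA = 'Sub AutoOpen()\n    MsgBox "Hello"\nEnd Sub\n'
BENIGN_BAT = '@echo off\r\ndir\r\n'

HANDLER_RE = re.compile(
    r'Sub\s+(\w+?)_OnDisconnected\s*\(\s*ByVal\s+(\w+)\s+As\s+Long\s*\)', re.I)


def analyse_macro(vba: str) -> dict:
    '''Score an extracted VBA module for the RDP-control trigger pattern.'''
    out = {'handler': None, 'gated_on_260': False,
           'chr_from_reason': False, 'launches_script': False, 'score': 0}
    m = HANDLER_RE.search(vba)
    if not m:
        return out
    out['handler'], reason = m.group(1), m.group(2)
    body = vba[m.end():]
    # Exact comparison against 260, numerically or via the named constant.
    if (re.search(rf'\b{reason}\s*=\s*{DNS_LOOKUP_FAILED}\b', body, re.I)
            or re.search(r'disconnectReasonDNSLookupFailed', body, re.I)):
        out['gated_on_260'] = True
    # Command characters computed from the error argument, e.g. Chr(discReason - N).
    if re.search(rf'Chr\w*\s*\(\s*{reason}\b', body, re.I):
        out['chr_from_reason'] = True
    # Hand-off to a script host or a dropped batch file.
    if re.search(r'\b[wc]script\b|\bShell\b|\.bat\b', body, re.I):
        out['launches_script'] = True
    out['score'] = 1 + sum(out[k] for k in
                           ('gated_on_260', 'chr_from_reason', 'launches_script'))
    return out


def is_batch_jscript_polyglot(text: str) -> bool:
    '''True when a file starts with a JScript comment (or a conditional-compilation
    guard) that cmd.exe tolerates, and later re-executes itself through a script host.'''
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False
    first = lines[0]
    hides_batch = (first.startswith('/*')
                   or re.match(r'@if\s*\(\s*@\w+\s*==\s*@\w+\s*\)\s*@then', first, re.I) is not None)
    self_exec = re.search(r'\b[wc]script\b[^\r\n]*//e:j(ava)?script[^\r\n]*%~?f?0',
                          text, re.I) is not None
    return hides_batch and self_exec


if __name__ == '__main__':
    print(analyse_macro(SAMPLE_VBA))
    print(is_batch_jscript_polyglot(SAMPLE_BAT), is_batch_jscript_polyglot(BENIGN_BAT))
```

The macro check deliberately keys on the combination (an OnDisconnected handler, an exact comparison with 260, characters derived from the error argument, and a hand-off to wscript/cscript or a .bat) rather than on any one string, because legitimate RDP-control automation will have the handler alone. In production you would run it over every module olevba returns and pair it with a check for the control's CLSID in the document's OLE streams, which is not reproduced here.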
The malicious OSTAP\r\nJavaScript downloader is hidden in white-colored text between the visible content, so it is invisible to people\r\nbut readable by machines.\r\nhttps://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows\r\nPage 1 of 8\n\nExamining the ActiveX control revealed the use of the MsRdpClient10NotSafeForScripting class (the Remote\r\nDesktop client control). The Server property is left empty, which later causes a connection error that the\r\nattackers deliberately abuse to run their own code.\r\nMacro\r\nInspection of the macro revealed an interesting trigger method, “\u003cname\u003e_OnDisconnected”, which is the\r\nfirst function executed. It does not fire immediately, because the control first tries to resolve the empty server\r\nname via DNS and only then raises an error. OSTAP will not execute unless the error number matches\r\n“disconnectReasonDNSLookupFailed” (260) exactly: the wscript command that launches OSTAP is concatenated\r\nfrom characters derived from a calculation on that error number, so any other disconnect reason yields a\r\nbroken command and nothing runs.\r\nThe documentation for MsRdpClient10 shows that the class is not available on workstations that have not been\r\nupdated to Windows 10, so the trigger only works on Windows 10 hosts.\r\nAs soon as OSTAP is written out as a BAT file, the file is executed and the Word document is closed.\r\nGRIFFON\r\nThe BAT re-invokes wscript on itself. This is an old polyglot trick: the file opens with a line that cmd.exe treats\r\nas an unrecognised command and moves past, but that wscript (or any other interpreter that honours the same\r\ncomment syntax) reads as the start of a comment, so the batch lines are skipped together with the comment\r\nwhen the same file is executed by wscript.\r\nOnce the JavaScript is beautified, we get back to the same old GRIFFON obfuscation pattern.\r\nConclusion\r\nKeeping your operating system updated is necessary for security, but as this OSTAP example shows, an update\r\ncan also bring new attack surface. Even with an updated OS, there remains a need for preventive measures such\r\nas attack surface reduction, Moving Target Defense, and hardening.\r\nHundreds more objects have been introduced in the latest Windows 10, and the object described here alone has\r\ndozens more methods that sophisticated attackers can abuse. Every new feature may also open opportunities for\r\nvulnerability exploitation, but that is outside the scope of this blog post.\r\nAppendix\r\nHashes\r\n74422ee3e1274bad11f5ac44712b1d10fce3a1e7fd9acc0a82fe88d9e9b7b78e\r\n891c716d059459d97a726a9bb262bc20f369b6c810097ff312fd710a4d4da577\r\n3d0c3f3d464a8229480b6d4a024d2982c72d67942d8ee245dd91da1a26ddd22a\r\nff7334237ad5a76d682c32267ffbada9ef091eb87f3683981b71e1d84c3990a9\r\n414744acddc03bb095a31708c66f33ae456af58ae85ab2887e9781b528034064\r\n8b975bcdc73d28d299b60b7c1ab81c0a5b3a30153725dc41e836659a4ea78831\r\n005a1e42bb3e5092124dfa40b9a765339c7ab9ea00c276ba2f2af32ce2ed81ce\r\n200a0cc130113fedd2e3baa0e5988ca18102a652909b2530785242fd800dd4f5\r\nc1374ddd0b06eb942a7d5224ebf3c6a10802902dd8eee03fe9603292714f8bf1\r\nbb7a43ea1a305228e6ff36abef475e046e549e309fddf334d97707bfbc47aef4\r\n683a9df3e291669e6a1ee35aa08222e228bd553f76ba049c4b8873f6d9eb8880\r\n6226065b170ad402b35ff8307eab843f46b54cc7a93a3717af0fa9cf2eb433df\r\n0d25947452fbd14301f660f357845760693eabf61e99bd55c7ab47a44a88ccd5\r\n…\r\nDomains:\r\ninsiderppe.cloudapp[.]net\r\nAbout the 
author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has\r\nextensive experience in the software industry and in leading diverse cybersecurity software development projects.\r\nPrior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership\r\npositions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and\r\ncontributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of\r\nHomeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple\r\nindustry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer\r\nScience department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also\r\njointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows"
	],
	"report_names": [
		"trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d5086ad506782bbd906bd664436df51a7b8da38.pdf",
		"text": "https://archive.orkl.eu/8d5086ad506782bbd906bd664436df51a7b8da38.txt",
		"img": "https://archive.orkl.eu/8d5086ad506782bbd906bd664436df51a7b8da38.jpg"
	}
}