{
	"id": "2eda3b59-02fb-4ff8-adb9-07d47e2ae070",
	"created_at": "2026-04-06T00:16:00.104787Z",
	"updated_at": "2026-04-10T13:12:37.837718Z",
	"deleted_at": null,
	"sha1_hash": "98146073c39a809706283206c7bacad1115013f9",
	"title": "Trickbot Activity Increases; new VNC Module On the Radar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 774852,
	"plain_text": "Trickbot Activity Increases; new VNC Module On the Radar\r\nBy Radu TUDORICA\r\nArchived: 2026-04-05 19:59:58 UTC\r\nTrickbot has been around since late 2016, when it appeared in the form of a banker and credential-stealing\r\napplication. Drawing inspiration from Dyre (or Dyreza), Trickbot consists of an ecosystem of plugin modules and\r\nhelper components. The Trickbot group, which has infected millions of computers worldwide, has recently played\r\nan active role in disseminating ransomware.\r\nWe have been reporting on notable developments in Trickbot’s lifecycle, with highlights including the analysis in\r\n2020 of one of its modules used to bruteforce RDP connections and an analysis of its new C2 infrastructure in the\r\nwake of the massive crackdown in October 2020.\r\nDespite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an\r\nupdated version of the vncDll module that Trickbot uses against select high-profile targets. This module, known as\r\ntvncDll, is used for monitoring and intelligence gathering. It seems to be still under development, since the group\r\nhas a frequent update schedule, regularly adding new functionalities and bug fixes.\r\nIn addition to upgraded modules, Bitdefender has noted a significant increase in command-and-control centers\r\ndeployed around the world.\r\nThis new research focuses on an updated VNC module, which includes new functionalities for monitoring and\r\nintelligence gathering.\r\nAdditionally, Bitdefender researchers have identified the software application that the attackers use to interact\r\nwith the victims through the C2 servers. This tool is described in a dedicated chapter.\r\nhttps://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar\r\nPage 1 of 2\n\nA complete analysis of the new component can be found in the researcher paper available below. An up-to-date\r\nand complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.\r\nDownload the whitepaper\r\nSource: https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar\r\nhttps://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar"
	],
	"report_names": [
		"trickbot-activity-increases-new-vnc-module-on-the-radar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98146073c39a809706283206c7bacad1115013f9.pdf",
		"text": "https://archive.orkl.eu/98146073c39a809706283206c7bacad1115013f9.txt",
		"img": "https://archive.orkl.eu/98146073c39a809706283206c7bacad1115013f9.jpg"
	}
}