{
	"id": "7a9427e4-d358-431c-a92c-575e1b14d429",
	"created_at": "2026-04-06T00:15:50.405698Z",
	"updated_at": "2026-04-10T03:20:46.254578Z",
	"deleted_at": null,
	"sha1_hash": "9c0a94218e8d5f5241dfd591d0fb1ebcc0ac2ef6",
	"title": "Trickbot: U.S. Court Order Hits Botnet’s Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53638,
	"plain_text": "Trickbot: U.S. Court Order Hits Botnet’s Infrastructure\r\nArchived: 2026-04-05 14:01:12 UTC\r\nA global partnership of security, software, telecommunications and financial services firms has struck a blow against the notorious Trickbot botnet by securing a court order directing hosting providers to take down its infrastructure. The order was obtained in a U.S. lawsuit filed by Microsoft and the Financial Services Information Sharing and Analysis Center (FS-ISAC) against Trickbot’s anonymous operators and was based on technical evidence provided by the Symantec, a division of Broadcom (NASDAQ: AVGO), Threat Hunter Team and others.\r\nThe legal action marked the culmination of a years-long, cross-industry collaboration to find innovative ways to thwart a pernicious botnet that has fueled numerous cyber-crime sprees.\r\nIn written testimony provided to the court, Symantec technical director Vikram Thakur said Trickbot has spread prolifically across the internet for years and become one of the most commonly blocked types of malware, suggesting it is now one of the world’s largest botnets.\r\nThakur described the serious harm caused to users whose computers are infected with Trickbot and whose banking credentials and other sensitive information are frequently stolen by the attackers. He also described its impact on financial institutions, which have borne significant losses due to Trickbot fraud.\r\nIn recent times, Trickbot has been implicated in targeted ransomware attacks, where credentials stolen by the malware were used by the Ryuk ransomware operators to compromise victims’ networks and encrypt all accessible computers. This assessment has been confirmed by Europol, which recently noted that “the relationship between Emotet [another botnet], Ryuk and Trickbot is considered one of the most notable in the cybercrime world”.\r\nThe botnet’s impact on banks and other financial sector organizations prompted a successful and close collaboration between the security industry and the financial sector, represented by FS-ISAC.\r\nUnlike prior legal “takedown” actions against botnets, this case did not involve seizure of malicious infrastructure or redirection of network traffic but instead relied upon intellectual-property laws to effectively evict the botnet operators from the command-and-control servers they need to maintain access to victim machines.\r\nWhat is Trickbot?\r\nTrickbot is a major botnet consisting of computers that have been infected with the Trickbot Trojan (Trojan.Trickybot). The Trojan is modular in nature, meaning it can easily be customized with one or more of an array of custom components designed to carry out a range of malicious activities on infected computers. To date, it has mainly been used for two purposes: stealing credentials from infected computers and acting as a distribution channel for other malware. Symantec believes that Trickbot’s operators earn most of their revenue from selling stolen credentials on the cyber underground and leasing out the botnet as a distribution channel for other malware authors.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption\r\nPage 1 of 4\r\nTrickbot is spread through spam and phishing email campaigns which usually bear a Microsoft Word attachment containing malicious macros. If the document is opened by the unsuspecting user, Trickbot will be installed on the victim’s computer. In some cases, other malware, particularly ransomware, is also installed on the victim’s computer.\r\nTrickbot will also attempt to leverage known software vulnerabilities to move across the victim’s network and install itself on other computers.\r\nHow Trickbot works\r\nTrickbot is modular malware, capable of performing a range of different malicious activities. The first module to be installed on the victim’s computer is the loader, which contains an encrypted list of IP addresses from which it can download its main module.\r\nOnce downloaded, the main module will check the architecture of the victim computer and save this along with the bot’s own information. The main component then prepares a framework for additional modules and initiates a connection to one of a pre-configured list of command and control (C\u0026C) servers.\r\nThe main module downloads one or more additional modules. Known modules include:\r\nBanking credential stealer (injectDll): For injecting malicious content into browser windows displaying banking websites in order to steal credentials\r\nReconnaissance module (networkDll): For gathering system information and network/domain topology to determine whether the device can be infected with ransomware\r\nData stealer (importDll): For stealing data from a web browser\r\nPassword grabber (Pwgrab): For stealing passwords from various locations\r\nCookie stealer (cookiesDll): For stealing cookies from the infected computer\r\nInformation stealer (mailsearcher): For searching all files in all drives in the system looking for specific information\r\nPoint-of-Sale recon (psfin): Reconnaissance module to determine if there are any Point-of-Sale (POS) devices connected\r\nRemote control module (vncDll): Virtual Network Computing (VNC) module\r\nSMB spreader (tabDll): For spreading over Server Message Block (SMB) using the EternalRomance exploit and other vulnerabilities patched by Microsoft in March 2017 (MS17-010)\r\nOutlook stealer (outlookDll): For stealing data saved by Microsoft Outlook\r\nLateral movement module (shareDll): For lateral movement/enumeration via Lightweight Directory Access Protocol (LDAP) and SMB exploitation\r\nLateral movement module (wormDll): For lateral movement/enumeration via LDAP and SMB exploitation. The shareDll and wormDll modules work in cooperation.\r\nRDP brute-force module (rdpScanDll): A new module that brute-forces the Remote Desktop Protocol (RDP) against a specific list of victims\r\nStealthy threat\r\nTrickbot includes a number of features designed to minimize the risk of detection by security software. For example, the main module is designed to evade execution within “sandboxes,” which are controlled environments used by security companies to analyze malware.\r\nThis module will also check the current user’s privileges and, if they have low privileges, it will elevate them using a User Account Control (UAC) bypass, a technique that allows execution of programs with elevated privileges without the user being prompted.\r\nWhen it obtains elevated privileges, Trickbot will attempt to identify any security software that is installed on the computer and attempt to stop it and end any related services.\r\nCredential theft\r\nOne of the main threats for Trickbot victims is credential theft. This is carried out by a module that monitors for browser visits to a pre-configured list of banking websites. If the user visits any of these websites, the module intercepts and alters network traffic between the computer and the website, allowing the attackers to steal the victim’s banking credentials after they are input by the user.\r\nTrickbot will also attempt to steal other credentials from Chrome and Internet Explorer’s password storage features, from various RDP and SSH related services, and from other password managers.\r\nImmediate threat\r\nWhile infected computers are added to the Trickbot botnet, they yield the most value to attackers immediately after infection. Other malware families are usually delivered at the point of initial infection. Credential theft happens immediately after infection, while banking credentials are stolen the first time the victim attempts to log into their bank. Even if the malware is subsequently detected and the computer is removed from the botnet, much of the damage will have been done at this point, with stolen credentials exfiltrated by the attackers and likely sold to other cyber criminals.\r\nOngoing battle\r\nBy pooling resources and intelligence and utilizing available legal avenues, the information security and financial sectors hope to strike a major blow against Trickbot. Symantec is grateful for the leadership of Microsoft and FS-ISAC and the support of ESET, NTT, and Lumen Technologies. This latest action, however, is just one step in an ongoing campaign. Complete eradication of this botnet will likely require additional actions from government partners in multiple jurisdictions. However, this action proves that successful private industry collaboration can be effective in countering cyber-crime and we hope that this sets a new precedent for further initiatives.\r\nProtection\r\nThe following protections are in place to protect customers against Trickbot activity:\r\nTrojan.Trickybot\r\nSONAR.Trickybot\r\nTrojan.Trickybot!g7\r\nTrojan.Trickybot!g8\r\nTrojan.Trickybot!g11\r\nTrojan.Trickybot!g13\r\nTrojan.Trickybot!g16\r\nTrojan.Trickybot!gen2\r\nTrojan.Trickybot!gen5\r\nTrojan.Trickybot!gm\r\nMitigation\r\nSymantec recommends users observe the following best practices to protect against Trickbot attacks:\r\nEnable 2FA to prevent compromise of credentials.\r\nHarden security architecture around email systems to minimize the amount of spam that reaches end-user inboxes and ensure you are following best practices for your email system, including the use of SPF and other defensive measures against phishing attacks.\r\nRestrict access to RDP Services: Only allow RDP from specific known IP addresses and ensure you are using multi-factor authentication.\r\nImplement proper audit and control of administrative account usage: You could also implement one-time credentials for administrative work to help prevent theft and usage of admin credentials.\r\nCreate profiles of usage for admin tools: Many of these tools are used by ransomware attackers to move laterally undetected through a network. A user account that has a history of running as admin using PsInfo/PsExec on a small number of systems is probably fine, but a service account running PsInfo/PsExec on all systems is suspicious.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption"
	],
	"report_names": [
		"trickbot-botnet-ransomware-disruption"
	],
	"threat_actors": [],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c0a94218e8d5f5241dfd591d0fb1ebcc0ac2ef6.pdf",
		"text": "https://archive.orkl.eu/9c0a94218e8d5f5241dfd591d0fb1ebcc0ac2ef6.txt",
		"img": "https://archive.orkl.eu/9c0a94218e8d5f5241dfd591d0fb1ebcc0ac2ef6.jpg"
	}
}