{
	"id": "ec6d10f7-3cb3-4103-ae3f-51d3558c1882",
	"created_at": "2026-04-06T00:14:28.478726Z",
	"updated_at": "2026-04-10T03:20:04.991543Z",
	"deleted_at": null,
	"sha1_hash": "a929d6342765e1918976190af9805a7b92ef00ac",
	"title": "TrickBot malware suddenly got quiet, researchers say, but it’s hardly the end for its operators",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 37367,
	"plain_text": "TrickBot malware suddenly got quiet, researchers say, but it’s\r\nhardly the end for its operators\r\nBy Joe Warminsky\r\nPublished: 2022-02-25 · Archived: 2026-04-05 20:16:41 UTC\r\nThe operators of TrickBot have essentially shut down the notorious malware, multiple reports say, but evidence\r\nsuggests the gang has begun using other platforms or folded operations into another cybercrime group altogether.\r\nResearchers at Intel471 and AdvIntel noted a sharp dip in recent TrickBot activity in separate reports Thursday,\r\neven though the command-and-control infrastructure for the malware remains operational.\r\nIntel471 said “it’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor\r\nof other platforms,” probably Emotet — a development researchers have been tracking for months.\r\nAdvIntel’s Yelisey Boguslavskiy, meanwhile, said in his report that TrickBot’s operators had been subsumed into\r\nConti, a Russia-linked cybercrime group known for offering “ransomware as a service” packages to its affiliates.\r\nResearchers previously had noted TrickBot connections with Conti.\r\n“In name, at least, this means that TrickBot’s four-year saga is now coming to a close — the liaison that has\r\ndefined the cybercrime domain for years has been reborn into a newer, possibly even deadlier form,”\r\nBoguslavskiy wrote. “However, the people who have led TrickBot throughout its long run will not simply\r\ndisappear. 
After being ‘acquired’ by Conti, they are now rich in prospects with the secure ground beneath them,\r\nand Conti will always find a way to make use of the available talent.”\r\nThe Conti group, meanwhile, put its support behind Russia on Friday, saying it would use its full capabilities to\r\nstrike back at any entity that threatens Russian critical infrastructure.\r\n“See you soon … or not” AdvIntel CEO Vitali Kremez tweeted at Trickbot Thursday.\r\nBusy, but in other ways\r\nTrickBot first drew attention as trojan malware aimed at the banking industry, but it soon developed into a broader\r\nframework of tools for gaining access to sensitive networks in general. Separate takedowns led by U.S. Cyber\r\nCommand and Microsoft in late 2020, as well as prosecutions of TrickBot leaders by U.S. law enforcement in\r\n2021, put a significant dent in the gang’s operations.\r\nThe skills of TrickBot’s core group remain sharp, researchers say. A report earlier this month from Check Point\r\nResearch noted recent upgrades to some TrickBot modules. The BazarBackdoor tool, for example, has become a\r\nbrand unto itself for cybercriminals who want access to high-value targets, according to Intel471 and AdvIntel.\r\nAlexander Chailytko, Check Point’s cybersecurity research and innovation manager, told CyberScoop that there\r\nwere some signs of successful requests of TrickBot command-and-control servers as recently as this week. Old\r\ninfrastructure for the malware appeared to be “still maintained and operational” into 2022, Chailytko said, but has\r\nnot been nearly as busy over the past two months.\r\nSource: https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/trickbot-shutdown-conti-emotet/"
	],
	"report_names": [
		"trickbot-shutdown-conti-emotet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a929d6342765e1918976190af9805a7b92ef00ac.pdf",
		"text": "https://archive.orkl.eu/a929d6342765e1918976190af9805a7b92ef00ac.txt",
		"img": "https://archive.orkl.eu/a929d6342765e1918976190af9805a7b92ef00ac.jpg"
	}
}