{
	"id": "35cfb1b9-8676-4dfa-9029-11857d1a59fc",
	"created_at": "2026-04-06T00:08:20.56555Z",
	"updated_at": "2026-04-10T13:12:07.217219Z",
	"deleted_at": null,
	"sha1_hash": "a95c1a09c7df687497874f6ce9f108fa772d6564",
	"title": "Evolving Trickbot Adds Detection Evasion and Screen-Locking Features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39967,
	"plain_text": "Evolving Trickbot Adds Detection Evasion and Screen-Locking\r\nFeatures\r\nArchived: 2026-04-05 15:09:37 UTC\r\nThe malware known as Trickbot started off as a banking trojan that used phishing techniques – primarily malicious spam – to trick users into visiting copycat websites to steal their\r\ncredentials. Its authors continue to develop the already-troublesome malware by adding features designed to make\r\nit more difficult to counter.\r\nSecurity researchers discovered a new module called spreader_x86.dll that contains two files, SsExecutor_x86.exe\r\nand screenLocker_x86.dll, that form part of Trickbot’s new arsenal. The first file, SsExecutor_x86.exe, increases\r\nthe malware’s evasion capabilities by attempting to add a link to the trojan's startup path by taking over registry\r\nuse profiles to maintain persistence. ScreenLocker_x86.dll, on the other hand, gives Trickbot behavior that is\r\nsimilar to ransomware, as it attempts to lock victims' machines.\r\nThe module's locking mechanism deploys after the main infection chain runs, which could indicate that it is being\r\nused to attack unpatched corporate networks. The new functions could have been added to expand the\r\nmonetization schemes – corporate networks will often have built-in security that prevents employees from visiting\r\nmalicious URLs to minimize the impact of these kinds of attacks. On the other hand, ransomware-style attacks\r\ncould act as a backup strategy, as well as a proven source of revenue for the attackers.\r\nCybersecurity is like a cat and mouse game between security providers and malware authors. While security\r\nvendors constantly update and refine their software with new technology and features, the same can be said about\r\nmalware. 
Thus, while traditional security methods have become effective at preventing threats from affecting an\r\norganization, there are methods of maximizing security with a proactive incident response strategy. This is\r\nespecially true for targeted attacks such as the recent Chessmaster campaign, which use a wide array of\r\nsophisticated tools and tactics, or with evolving malware such as Trickbot, which can be challenging to mitigate\r\nfor traditional security methods alone, especially if they add evasion tools that allow them to slip through\r\nperimeter-based security.\r\nCryptocurrency miners are examples of elusive malware that are on the rise in 2018. Many of these kinds of\r\nmalware work in the background, without showing obvious signs that they are already using resources for mining\r\n– something that can be problematic for certain traditional security solutions. Employees who use personal laptops\r\nor work remotely compound this issue, as perimeter-based security is even more limited in this scenario. With a\r\nproactive incident response strategy, the organization's security personnel can collect and analyze endpoint data, as\r\nwell as provide intelligence on how to detect similar future attacks.\r\nA successful attack can be devastating to both a company’s finances and reputation, especially when it comes to\r\nthreats that directly affect customers and shareholders. Once an attack has done its damage to an organization,\r\nremediation can often take a large amount of time and resources. This is why it's important to address threats\r\nbefore they can do their damage. 
Given the sophisticated nature of many modern-day attacks, this often means\r\nthat traditional security solutions have to be supplemented with a human element – often involving IT personnel\r\nand system administrators working with security tools to monitor the network, detect and respond to any threats\r\non the network.\r\nOther proactive incident response strategies that organizations can implement:\r\n- Keeping comprehensive logs of what happens within the network, which will allow IT personnel to track\r\nany suspicious activity such as C\u0026C server communication and traffic from malicious URLs\r\n- Once an activity or data is deemed as suspicious, it should automatically be investigated to determine if it\r\nis malicious\r\n- Sifting through logs and data can be a challenge, but standardized alerts will help with streamlining the\r\nmonitoring process\r\nActively monitoring the network for any potential threats, as well as quickly responding to these threats as they\r\nappear, can provide the organization’s security team the threat intelligence that they will need to identify malicious\r\nactivities that may not be visible to traditional security solutions.\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features"
	],
	"report_names": [
		"evolving-trickbot-adds-detection-evasion-and-screen-locking-features"
	],
	"threat_actors": [],
	"ts_created_at": 1775434100,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a95c1a09c7df687497874f6ce9f108fa772d6564.pdf",
		"text": "https://archive.orkl.eu/a95c1a09c7df687497874f6ce9f108fa772d6564.txt",
		"img": "https://archive.orkl.eu/a95c1a09c7df687497874f6ce9f108fa772d6564.jpg"
	}
}