{
	"id": "24f4ba5b-e876-47c5-b579-adbaf3d90389",
	"created_at": "2026-04-06T00:22:13.159207Z",
	"updated_at": "2026-04-10T03:20:18.067071Z",
	"deleted_at": null,
	"sha1_hash": "b3d3c0fa62b2d1b354d4fabe895082cb4d84391d",
	"title": "Something strange is going on with Trickbot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48264,
	"plain_text": "Something strange is going on with Trickbot\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 15:27:50 UTC\r\nIt’s been a turbulent 18 months for Trickbot.\r\nThe notorious modular malware has been in the spotlight, largely due to actions taken by both private companies\r\nand the U.S. government to thwart the attacks. Even as U.S. Cyber Command and Microsoft seized servers and\r\nthe U.S. Department of Justice arrested several people alleged to be involved with the group that runs the\r\nmalware, Trickbot stayed active throughout 2021 with various infection campaigns.\r\nThese sporadic periods of activity have not continued into 2022. From December 28, 2021 until February 17,\r\n2022, Intel 471 researchers have not seen new Trickbot campaigns. While there have been lulls from time to time,\r\na break this long is unusual. Our team assesses with high confidence that this break is partially\r\ndue to a big shift by Trickbot’s operators, including working with the operators of Emotet.\r\nTrickbot’s recent behavior\r\nExamination of individual malware campaigns, tracked by identifiers known as “gtags,” further shows there has\r\nbeen a lull in activity since mid-December 2021. These gtags are usually a three-letter term followed by a\r\nthree-digit sub-tag that further delineates individual campaigns. Intel 471 researchers tracking “lipXXX”\r\ncampaigns found that the latest builds, categorized as “lip166,” came on December 28, 2021. That was one of three\r\nmalware campaigns that were active during the month. By contrast, eight different “lipXXX” builds were\r\ndiscovered in November 2021.\r\nWe found a similar pattern in campaigns with a “topXXX” gtag. The last known build came from the “top166”\r\ngtag on December 28, 2021, which was one of three “topXXX” builds in December. 
Yet eight separate “topXXX”\r\nbuilds were discovered the prior month.\r\nIn addition to the unusual disappearance of new builds (gtags), we have also observed that the onboard malware\r\nconfiguration files (mcconf), which contain a list of controller addresses the bot can connect to, have gone\r\nuntouched for long periods of time. The most recent mcconf version numbers are 100021 (Dec 9) and 2000036\r\n(Oct 25). These were once updated frequently, but are receiving fewer and fewer updates. It should be mentioned\r\nthat Trickbot can receive controller address list updates on-the-fly, so the lack of updates could mean that no one\r\nis cleaning up Trickbot controllers and there is no pressure to update the on-board controller list.\r\nThe scarcity of campaigns only tells part of the story. While the campaigns themselves have been quiet, command\r\nand control infrastructure tied to Trickbot continues to operate normally, serving additional plugins, web injects\r\nand additional configurations to bots in the botnet. This activity shows that while there haven’t been any new\r\ncampaigns, there is evidence of some effort to maintain Trickbot’s command and control infrastructure, even if\r\nthat effort is essentially an automated one.\r\nhttps://intel471.com/blog/trickbot-2022-emotet-bazar-loader\r\nPage 1 of 3\n\nViewed holistically, this is unusual behavior, but it is part of a trend that Intel 471 and other researchers\r\nhave been observing for several months. The number of Trickbot campaigns observed by researchers has\r\ncontinuously decreased over time. However, deployments of ransomware families\r\nlinked with Trickbot, such as Conti, have continued. 
What can we deduce from this behavior?\r\nTrickbot’s new teammates\r\nOur team assesses with high confidence that Trickbot operators are working closely with the operators of Emotet.\r\nThere is clear evidence of this relationship; for example, the resurrection of Emotet began with Trickbot. On\r\nNovember 14, 2021, we observed Trickbot pushing a command to its bots to download and execute Emotet\r\nsamples. This marked the beginning of the return of Emotet.\r\nEven before this event, Trickbot and Emotet operators had a relationship. Emotet was often used to drop Trickbot\r\nsamples until the Emotet takedown. These Trickbot samples often had the gtag “morXXX.” The relationship\r\nworked both ways: Intel 471 has observed commands from Trickbot controllers to download and execute Emotet,\r\nlong before Emotet’s 2021 return.\r\nIntel 471 cannot confirm this, but it’s likely that the Trickbot operators have phased Trickbot malware out of their\r\noperations in favor of other platforms, such as Emotet. Trickbot, after all, is relatively old malware that hasn’t\r\nbeen updated in a major way. Detection rates are high and the network traffic from bot communication is easily\r\nrecognized.\r\nAnother crucial piece of the puzzle is the Bazar malware family, which has development ties to the Trickbot\r\ngroup. Multiple threat actors leverage this stealthy backdoor to gain an initial foothold into high-value targets and\r\nexecute follow-up payloads, such as Cobalt Strike and IcedID aka Bokbot. We have also seen Bazar controllers\r\npushing commands to download and execute Trickbot (mid-2021) and Emotet (November 2021). These events\r\nconnect Bazar to Trickbot operators, as well as to the revival of Emotet.\r\nBazar, Bokbot and Emotet likely aren’t the only tools leveraged by the threat actor group ditching Trickbot. Our\r\nmonitoring registered instances of Trickbot pushing Qbot installs to bots of the Trickbot botnet shortly after\r\nEmotet’s return in November 2021. 
This observation is yet another indicator that the Trickbot bots are being\r\nmigrated to other malware platforms.\r\nDate | Bot Transfer | Payload URL | Notes\r\nFeb 7, 2020 | Trickbot -\u003e Emotet | http://66[.]85.173[.]43/59Emotic1.jpg | only morXXX bots received this command\r\nApr 1, 2020 | Trickbot -\u003e Emotet | none, payload direct from C2 | only morXXX bots received this command\r\nSep 16, 2020 | Trickbot -\u003e Emotet | http://104[.]193.252[.]221/FortiPlan1.gif | only morXXX bots received this command\r\nNov 14, 2021 | Trickbot -\u003e Emotet | http://141[.]94.176[.]124/Loader_90563_1.dll | First stage of Emotet’s resurrection campaign (bots with all gtags received the command)\r\nNov 24, 2021 | Bazar -\u003e Bokbot | none, payload direct from C2 | Bokbot project ID BA205ACA\r\nNov 26, 2021 | Bazar -\u003e Emotet | none, payload direct from C2 | -\r\nDec 9, 2021 | Trickbot -\u003e Qbot | http://46[.]30.41[.]173/stager2.dll | Qbot botnet ng_domain\r\nAvoiding the spotlight\r\nDespite the takedowns by U.S. Cyber Command in October 2020, Trickbot remained active into 2021. However,\r\nwith the arrests of two alleged Trickbot developers and an in-depth Wired article that details alleged internal\r\nconversations from the group’s leadership, Trickbot is under more scrutiny than ever before.\r\nPerhaps a combination of unwanted attention to Trickbot and the availability of newer, improved malware\r\nplatforms has convinced the operators of Trickbot to abandon it. 
We suspect that the malware control\r\ninfrastructure (C2) is being maintained because there is still some monetization value in the remaining bots.\r\nIntel 471 will continue to track Trickbot and will report on any further observations in the future.\r\nSource: https://intel471.com/blog/trickbot-2022-emotet-bazar-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://intel471.com/blog/trickbot-2022-emotet-bazar-loader"
	],
	"report_names": [
		"trickbot-2022-emotet-bazar-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434933,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3d3c0fa62b2d1b354d4fabe895082cb4d84391d.pdf",
		"text": "https://archive.orkl.eu/b3d3c0fa62b2d1b354d4fabe895082cb4d84391d.txt",
		"img": "https://archive.orkl.eu/b3d3c0fa62b2d1b354d4fabe895082cb4d84391d.jpg"
	}
}