{
	"id": "34ac5f3d-a971-4ab1-8fc0-d4af1ff7b67d",
	"created_at": "2026-04-06T00:15:13.569658Z",
	"updated_at": "2026-04-10T13:12:16.213878Z",
	"deleted_at": null,
	"sha1_hash": "b5a4298b02741788e9536e6e8619a1cb6c2a2edb",
	"title": "TrickBot Gang Likely Shifting Operations to Switch to New Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 178378,
	"plain_text": "TrickBot Gang Likely Shifting Operations to Switch to New\r\nMalware\r\nBy The Hacker News\r\nPublished: 2022-02-24 · Archived: 2026-04-05 13:03:34 UTC\r\nTrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors\r\nto deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new\r\nactivity recorded since the start of the year.\r\nThe lull in the malware campaigns is \"partially due to a big shift from Trickbot's operators, including working\r\nwith the operators of Emotet,\" researchers from Intel 471 said in a report shared with The Hacker News.\r\nThe last set of attacks involving TrickBot were registered on December 28, 2021, even as command-and-control\r\n(C2) infrastructure associated with the malware has continued to serve additional plugins and web injects to\r\ninfected nodes in the botnet.\r\nInterestingly, the decrease in the volume of the campaigns has also been accompanied by the TrickBot gang\r\nworking closely with the operators of Emotet, which witnessed a resurgence late last year after a 10-month-long\r\nbreak following law enforcement efforts to tackle the malware.\r\nhttps://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html\r\nPage 1 of 2\n\nThe attacks, which were first observed in November 2021, featured an infection sequence that used TrickBot as a\r\nconduit to download and execute Emotet binaries, when prior to the takedown, Emotet was often used to drop\r\nTrickBot samples.\r\n\"It's likely that the TrickBot operators have phased TrickBot malware out of their operations in favor of other\r\nplatforms, such as Emotet,\" the researchers said. 
\"TrickBot, after all, is relatively old malware that hasn't been\r\nupdated in a major way.\"\r\nAdditionally, Intel 471 said it observed instances of TrickBot pushing Qbot installs to the compromised systems\r\nshortly after Emotet's return in November 2021, once again raising the possibility of a behind-the-scenes shake-up\r\nto migrate to other platforms.\r\nWith TrickBot increasingly coming under the lens of law enforcement in 2021, it's perhaps not too surprising that\r\nthe threat actor behind it is actively attempting to shift tactics and update their defensive measures.\r\nAccording to a separate report published by Advanced Intelligence (AdvIntel) last week, the Conti ransomware\r\ncartel is believed to have acqui-hired several elite developers of TrickBot to retire the malware and switch to\r\nupgraded variants such as BazarBackdoor.\r\n\"Perhaps a combination of unwanted attention to TrickBot and the availability of newer, improved malware\r\nplatforms has convinced the operators of TrickBot to abandon it,\" the researchers noted. \"We suspect that the\r\nmalware control infrastructure (C2) is being maintained because there is still some monetization value in the\r\nremaining bots.\"\r\nSource: https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/02/trickbot-gang-likely-shifting.html"
	],
	"report_names": [
		"trickbot-gang-likely-shifting.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5a4298b02741788e9536e6e8619a1cb6c2a2edb.pdf",
		"text": "https://archive.orkl.eu/b5a4298b02741788e9536e6e8619a1cb6c2a2edb.txt",
		"img": "https://archive.orkl.eu/b5a4298b02741788e9536e6e8619a1cb6c2a2edb.jpg"
	}
}