{
	"id": "f0a421fb-4f75-4037-8807-bb45d61961ce",
	"created_at": "2026-04-06T00:19:54.008819Z",
	"updated_at": "2026-04-10T13:12:36.714961Z",
	"deleted_at": null,
	"sha1_hash": "b7c4de0d31d547bd89af38eb238da421bebec370",
	"title": "Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 219260,
	"plain_text": "Notorious TrickBot Malware Gang Shuts Down its Botnet\r\nInfrastructure\r\nBy The Hacker News\r\nPublished: 2022-02-25 · Archived: 2026-04-05 20:30:31 UTC\r\nThe modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday\r\nafter reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end\r\nto one of the most persistent malware campaigns in recent years.\r\n\"TrickBot is gone... It is official now as of Thursday, February 24, 2022. See you soon... or not,\" AdvIntel's CEO\r\nVitali Kremez tweeted. \"TrickBot is gone as it has become inefficient for targeted intrusions.\"\r\nAttributed to a Russia-based criminal enterprise called Wizard Spider, TrickBot started out as a financial trojan in\r\nlate 2016 and is a derivative of another banking malware called Dyre that was dismantled in November 2015.\r\nOver the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to\r\nsteal information via web injects and drop additional payloads.\r\nTrickBot's activities took a noticeable hit in October 2020 when the U.S. Cyber Command and a consortium of\r\nprivate security companies led by Microsoft attempted to disrupt most of its infrastructure, forcing the malware's\r\nauthors to scale up and evolve its tactics.\r\nThe criminal entity is said to have invested more than $20 million into its infrastructure and growth, security firm\r\nHold Security was quoted as saying in a WIRED report earlier this month, calling out TrickBot's \"businesslike\r\nstructure\" to run its day-to-day operations and \"hire\" new engineers into the group.\r\nThe development comes as twin reports from cybersecurity firms AdvIntel and Intel 471 hinted at the possibility\r\nthat TrickBot's five-year saga may be coming to an end in the wake of increased visibility into their malware\r\noperations, prompting the operators to shift to newer, improved malware such as BazarBackdoor (aka\r\nBazarLoader).\r\n\"TrickBot, after all, is relatively old malware that hasn't been updated in a major way,\" Intel 471 researchers said.\r\n\"Detection rates are high and the network traffic from bot communication is easily recognized.\"\r\nIndeed, malware tracking research project Abuse.ch's Feodo Tracker shows that while no new command-and-control (C2) servers have been set up for TrickBot attacks since December 16, 2021, BazarLoader and Emotet are\r\nin full swing, with new C2 servers registered as recently as February 19 and 24, respectively.\r\nBazarBackdoor, which first appeared in 2021, originated as a part of TrickBot's modular toolkit arsenal but has\r\nsince evolved into a fully autonomous malware mainly used by the Conti (previously Ryuk) cybercrime gang to\r\ndeploy ransomware on enterprise networks.\r\nTrickBot's demise has also come as the operators of Conti ransomware recruited top talent from the former to\r\nfocus on stealthier replacement malware like BazarBackdoor. \"TrickBot has been linked with Conti for a while, so\r\nfurther synergy there is highly possible,\" Intel 471 told The Hacker News.\r\nConti has also been credited with resurrecting and integrating the Emotet botnet into its multi-pronged attack\r\nframework starting November 2021, with TrickBot, ironically, utilized as a delivery vehicle to distribute the\r\nmalware after a gap of 10 months.\r\n\"However, the people who have led TrickBot throughout its long run will not simply disappear,\" AdvIntel noted\r\nlast week. \"After being 'acquired' by Conti, they are now rich in prospects with the secure ground beneath them,\r\nand Conti will always find a way to make use of the available talent.\"\r\nSource: https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html"
	],
	"report_names": [
		"notorious-trickbot-malware-gang-shuts.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b7c4de0d31d547bd89af38eb238da421bebec370.pdf",
		"text": "https://archive.orkl.eu/b7c4de0d31d547bd89af38eb238da421bebec370.txt",
		"img": "https://archive.orkl.eu/b7c4de0d31d547bd89af38eb238da421bebec370.jpg"
	}
}