{
	"id": "5b8a4148-b0cc-4982-afd8-9385c8305e9d",
	"created_at": "2026-04-06T00:18:00.208179Z",
	"updated_at": "2026-04-10T03:24:16.924182Z",
	"deleted_at": null,
	"sha1_hash": "ba9f4b1da4dea58b943e8e4db40200d1ab131f97",
	"title": "TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 489949,
	"plain_text": "TrickBot botnet survives takedown attempt, but Microsoft sets new\r\nlegal precedent\r\nBy Catalin Cimpanu\r\nPublished: 2020-10-13 · Archived: 2026-04-05 23:48:36 UTC\r\nThe TrickBot botnet has survived a takedown attempt orchestrated by a coalition of tech companies on Monday.\r\nTrickBot command and control (C\u0026C) servers and domains seized yesterday have been replaced with new\r\ninfrastructure earlier today, multiple sources in the infosec community have told ZDNet.\r\nSources from companies monitoring TrickBot activity described the takedown's effects as \"temporal\" and\r\n\"limited,\" but praised Microsoft and its partners for the effort, regardless of its current results.\r\n\"Our estimate right now is what the takedown did was to give current victims a breather,\" a security researcher\r\nsaid.\r\nWhile some companies agreed to go on the record, ZDNet decided to refrain from using any of our interviewed\r\nsources' names to avoid indirectly criticizing the entities involved in the takedown (Microsoft's\r\nDefender team, FS-ISAC, ESET, Lumen's Black Lotus Labs, NTT, and Broadcom's cyber-security division\r\nSymantec).\r\nBut in private interviews, even security researchers at ESET, Microsoft, and Symantec told ZDNet that they never\r\nexpected to take down TrickBot for good in one quick hit.\r\nOne source described Monday's action as \"kneecapping\" the botnet rather than \"cutting its head.\" 
ZDNet was told\r\nthat even from the early planning phases, the involved parties expected TrickBot to make a comeback, and\r\nplanned ahead for follow-up actions.\r\nhttps://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/\r\nPage 1 of 3\n\n\"As we've seen with prior [takedown] operations, the results of a global disruption involving multiple partners\r\nshows up in stages,\" Tom Burt, CVP of Customer Security and Trust at Microsoft, told ZDNet in an email on\r\nMonday.\r\n\"We anticipate Trickbot's operators will attempt to revive their operations, and we will take additional legal and\r\ntechnical steps to stop them if necessary,\" Burt added.\r\nThis multi-phased approach to disrupting TrickBot is a direct result of the botnet's complex infrastructure, much of\r\nwhich runs on bulletproof hosting systems, which are unresponsive or slow to react to takedown attempts.\r\nIn a threat intelligence bulletin with restricted distribution shared with ZDNet on Monday night, security firm\r\nIntel471 noted that TrickBot began moving C\u0026C servers to the EmerDNS decentralized domain name system as a\r\nway to counter the ongoing takedown attempt. By Tuesday morning, the botnet's infrastructure had recovered,\r\nalthough it wasn't as active as in previous days.\r\nEven a failed takedown attempt has its effects\r\nBut speaking to ZDNet, sources said the disruption efforts weren't only focused on taking down TrickBot servers,\r\nwhich they knew would be temporary and would have no long-standing effects.\r\nOther goals were also discussed and taken into consideration. This included imposing additional costs on\r\nTrickBot authors and delaying current malware operations, such as ransomware attacks that are usually delivered\r\nusing TrickBot as a conduit.\r\nFurthermore, security researchers also sought to damage TrickBot's reputation in cybercrime circles.\r\nTrickBot is one of today's Top 3 most successful Malware-as-a-Service (MaaS) operations in the cybercrime\r\nunderworld. The botnet uses email spam campaigns to infect computers, downloads its malware, and then steals\r\ndata from infected hosts that it later resells for profit. But the botnet also rents access to infected computers to\r\nother criminal groups, which also accounts for a significant portion of its profits. These \"customers\" include\r\noperators of infostealer trojans, BEC fraud groups, ransomware gangs, and even nation-state hacking groups.\r\nMicrosoft and its partners wanted to damage this reputation among other cybercrime gangs and send a message\r\nthat TrickBot isn't as untouchable as its \"customers\" might think.\r\nA botnet that can be disrupted risks exposing and compromising the operations of \"customers,\" some of which\r\nmay not want to be exposed to law enforcement tracking. A botnet that can be disrupted isn't reliable\r\nbusinesswise, especially for TrickBot's regular customers who are paying considerable fees to have access to\r\ninfected systems at precise times.\r\nResearchers hope the slap TrickBot received this week reverberates across its business.\r\nA new legal precedent\r\nBut the TrickBot takedown also played another role, one that was invisible to most observers. The court case that\r\npreceded the takedown also helped Microsoft set a new legal precedent.\r\nIn court, the OS maker argued that the TrickBot malware abused Windows code for malicious purposes, against\r\nthe terms of service of the standard Windows software development kit (SDK), on which all Windows apps are\r\nbuilt.\r\nMicrosoft successfully argued that TrickBot was infringing on Microsoft's copyright of its own code by copying\r\nand using its SDKs for malicious purposes.\r\nSome might call this approach to taking down a botnet petty or pedantic, but it's also a genius legal move.\r\nIn previous cases, Microsoft or law enforcement usually had to present evidence and be ready to prove that the\r\nmalware was causing financial damage to victims in a certain jurisdiction, steps that usually meant identifying\r\nand contacting victims.\r\nThe new approach, focused on the misuse of its Windows SDK code, is not only easier to prove and argue but can\r\nalso be used in any jurisdiction, providing Microsoft's legal team with a more agile approach to going after\r\nmalware gangs — which is why Microsoft is likely to reuse it for faster crackdowns in the future.\r\nSource: https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/"
	],
	"report_names": [
		"trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent"
	],
	"threat_actors": [
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434680,
	"ts_updated_at": 1775791456,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba9f4b1da4dea58b943e8e4db40200d1ab131f97.pdf",
		"text": "https://archive.orkl.eu/ba9f4b1da4dea58b943e8e4db40200d1ab131f97.txt",
		"img": "https://archive.orkl.eu/ba9f4b1da4dea58b943e8e4db40200d1ab131f97.jpg"
	}
}