{
	"id": "5db00644-cb21-4a56-afaf-6fdd0c878e91",
	"created_at": "2026-04-06T00:09:00.596809Z",
	"updated_at": "2026-04-10T03:20:32.816458Z",
	"deleted_at": null,
	"sha1_hash": "bbff301c4f0cee81b02b8102132c058bc52ca925",
	"title": "Trickbot updates its VNC module for high-value targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2472774,
	"plain_text": "Trickbot updates its VNC module for high-value targets\r\nBy Ionut Ilascu\r\nPublished: 2021-07-14 · Archived: 2026-04-05 23:45:13 UTC\r\nThe Trickbot botnet malware that often distributes various ransomware strains, continues to be the most prevalent threat as\r\nits developers update the VNC module used for remote control over infected systems.\r\nIts activity has been increasing constantly since the complete disruption of the Emotet botnet in January, which acted as a\r\ndistributor for both Trickbot and other high-profile threat actors.\r\nMost prevalent threat\r\nTrickbot has been around for almost half a decade and transitioned from a banking trojan to one of the largest botnets today\r\nthat sells access to various threat actors.\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-updates-its-vnc-module-for-high-value-targets/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/trickbot-updates-its-vnc-module-for-high-value-targets/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nSome of the ransomware operations using this botnet for network access include the infamous Ryuk, Conti, REvil, as well as\r\na new one called Diavol, the Romanian for Devil.\r\nSince Emotet’s takedown by law enforcement, Trickbot activity started to increase to such levels that in May it was the most\r\nprevalent malware on Check Point’s radar.\r\nThe malware maintained its position this month, too, the cybersecurity company notes in a report today, adding that\r\nTrickbot’s maintainers are constantly working to improve it.\r\nAccording to Check Point’s telemetry, Trickbot impacted 7% of organizations across the world, followed by the XMRig\r\ncryptocurrency miner the Formbook info stealer, which affected 3% of the organizations that Check Point monitors\r\nworldwide.\r\nNew VNC module in the works\r\nIn another report, Romanian cybersecurity company Bitdefender says that its systems caught a new version of Trickbot’s\r\nVNC 
module (vncDLL), used after compromising high-profile targets.\r\nThe updated module is called tvncDLL and allows the threat actor to monitor the victim and collect information that would\r\nenable pivoting to valuable systems on the network.\r\nAlthough tvncDLL was discovered on May 12, the Romanian researchers say that it is still under development, “since the\r\ngroup has a frequent update schedule, regularly adding new functionalities and bug fixes.”\r\nBitdefender’s analysis of the module points out that it uses a custom communication protocol and reaches the command and\r\ncontrol (C2) server through one of nine proxy IP addresses that enable access to victims behind firewalls.\r\nThe VNC component can stop Trickbot and unload it from memory. When an operator initiates communication, the module\r\ncreates a virtual desktop with a custom interface.\r\n“During normal operation, the alternate desktop is created and fully controlled by the module, copying the icons from the\r\ndesktop, creating a custom taskbar for managing its processes and creating a custom right-click menu, containing custom\r\nfunctionality,” Bitdefender researchers write in their report.\r\nUsing the command prompt, the threat actor can download fresh payloads from the C2 server, open documents and the email\r\ninbox, and steal data from the compromised system.\r\nAnother option called Native Browser fires up a web browser by taking advantage of the OLE automation feature in Internet\r\nExplorer.\r\nThe function is under development and its purpose is to steal passwords from Google Chrome, Mozilla Firefox, Opera, and\r\nInternet Explorer.\r\nThe researchers say that while the old vncDLL module has been in use since at least 2018, its successor became active in the\r\nwild on May 11, 2021, according to evidence revealed during their investigation.\r\nTelemetry data from 
Bitdefender shows Trickbot’s C2 servers spread across almost all continents, with the largest number\r\n(54) located in North America. According to the company, the number of C2 servers has increased significantly this year,\r\njumping from around 40 in January to more than 140 in June.\r\nSource: https://www.bleepingcomputer.com/news/security/trickbot-updates-its-vnc-module-for-high-value-targets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trickbot-updates-its-vnc-module-for-high-value-targets/"
	],
	"report_names": [
		"trickbot-updates-its-vnc-module-for-high-value-targets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbff301c4f0cee81b02b8102132c058bc52ca925.pdf",
		"text": "https://archive.orkl.eu/bbff301c4f0cee81b02b8102132c058bc52ca925.txt",
		"img": "https://archive.orkl.eu/bbff301c4f0cee81b02b8102132c058bc52ca925.jpg"
	}
}