{
	"id": "7ca6689d-641b-4078-8158-e12d5be9d84c",
	"created_at": "2026-04-06T00:15:20.231497Z",
	"updated_at": "2026-04-10T13:12:58.319806Z",
	"deleted_at": null,
	"sha1_hash": "beede9258e85eff177c70f6f47a82b8edc2eba64",
	"title": "Trickbot Malware: new year—old lure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 644335,
	"plain_text": "Trickbot Malware: new year—old lure\r\nBy Vinay Pidathala\r\nPublished: 2021-01-27 · Archived: 2026-04-06 00:05:00 UTC\r\n2021 will be a challenging year for security professionals. The fall out from the SUNBURST attack and the\r\nSolarwinds hack is yet to be fully understood and we all remain in an elevated state of awareness and concern.\r\nOur Threat labs team is constantly looking for new emerging threats by analyzing security events and over 40\r\nmillion sessions a day on our isolation-powered cloud security company and recently observed the re-emergence\r\nof a previously known threat, commonly known as Trickbot.\r\nTrickbot is a prolific malware that has persisted through the times. In 2020 it was greatly responsible for\r\ndistributing ransomware and was the most popular malware operation that used COVID-19 lures. It was so\r\nprolific that in Oct 2020, Microsoft along with its partners obtained a court order to disrupt and take down the\r\ninfamous Trickbot. It did so by bringing down the infrastructure that was used by the attackers to distribute and\r\nsend commands to infected endpoints.\r\nIn this blog, we are going to detail analysis of a campaign that shows how Trickbot infections might be back\r\nand active. In the most recent campaign we observed across our global Menlo Security cloud platform, we\r\nnoticed the attackers used an interesting lure to get users to click and install the Trickbot malware on the endpoint.\r\nThis ongoing campaign that we identified exclusively targeted legal and insurance verticals in North America.\r\nThe initial vector appears to be an email, which includes a link to a URL. While in the past Trickbot has used\r\nweaponized documents, the infection mechanism detailed in this campaign seems to be a new modus operandi\r\nused by this group.Once the user clicks on the initial url in the email, the user is redirected to a compromised\r\nserver that coaxes the user into downloading a malicious payload. 
The figure below shows the redirection chain.\r\nThe final page that the user lands on looks like the screenshot below. The Trickbot attackers are trying to scare the\r\nuser into downloading a malicious payload by using the lure of a traffic infringement.\r\nClicking on the “Download Photo Proof” button downloads a zip archive with a malicious JavaScript file to the\r\nendpoint.\r\nThe embedded JavaScript is heavily obfuscated, which has been a TTP typical of the Trickbot malware. If the user\r\nopens the downloaded JavaScript file, an HTTP request is made to the CnC server to download the final malicious\r\nbinary.\r\nBoth the initial URL from which the malware is downloaded and the CnC that it connects to are tagged as\r\nTrickbot on URLHaus, which is a popular threat feed.\r\nAt the time of writing this blog, some of the URLs identified in this Trickbot campaign have very little to no\r\ndetection on VT.\r\nMenlo Labs is still analyzing the heavily obfuscated JavaScript and the binary payload that gets downloaded to the\r\nendpoint. We intend to publish additional details about similarities and differences, if any, between pre- and post-takedown\r\nefforts of this botnet.\r\nConclusion:\r\nWhere there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s\r\noperations. While Microsoft and its partners' actions were commendable and Trickbot activity has come down to a\r\ntrickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat\r\nenvironment. Shut the door on threat actors for good with Menlo Security solutions.\r\nSource: https://www.menlosecurity.com/blog/trickbot-new-year-old-lure",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.menlosecurity.com/blog/trickbot-new-year-old-lure"
	],
	"report_names": [
		"trickbot-new-year-old-lure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/beede9258e85eff177c70f6f47a82b8edc2eba64.pdf",
		"text": "https://archive.orkl.eu/beede9258e85eff177c70f6f47a82b8edc2eba64.txt",
		"img": "https://archive.orkl.eu/beede9258e85eff177c70f6f47a82b8edc2eba64.jpg"
	}
}