{
	"id": "0907e818-2d19-4ba4-9468-91a2450e6520",
	"created_at": "2026-04-06T00:12:29.401387Z",
	"updated_at": "2026-04-10T13:12:42.490369Z",
	"deleted_at": null,
	"sha1_hash": "c14572dbe6d64af5fb9054bd93ce677deede6fea",
	"title": "TrickBot is Dead. Long Live TrickBot!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88442,
	"plain_text": "TrickBot is Dead. Long Live TrickBot!\r\nBy Liviu ARSENE\r\nArchived: 2026-04-05 21:02:36 UTC\r\nTrickBot still crawls despite a law enforcement kneecapping operation. Its operators are scrambling to restore the botnet to its former glory, Bitdefender researchers have found. An analysis of samples reveals updated communication mechanisms, new C2 infrastructure that uses Mikrotik routers, and packed modules.\r\nTrickBot has arguably been one of the most popular Trojans of the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong.\r\nHowever, when Microsoft decided to take down TrickBot before the US elections, fearing the massive botnet could be used to thwart the voting process in some way, the endeavor proved to be more like a “kneecapping” operation than cutting off the hydra’s heads. This was likely a short-term tactic, potentially just to make sure that TrickBot wouldn’t cause any issues during the elections.\r\nKey Findings:\r\nMikrotik routers used as C\u0026C servers\r\nVersion update responses are digitally signed with bcrypt for some versions\r\nPlugin server list no longer contains hidden services\r\nThe group behind TrickBot seems to have actively pushed new versions of the Trojan and maintained the full list of modules used in previous versions. However, in the recently analyzed samples, it seems that the shareDll – or mshareDll in its packed version – was no longer present. In fact, now there’s only the shareDll, which is packed, with mshareDll completely removed. This probably indicates that TrickBot operators are moving away from unpacked modules, cleaning up their list of lateral movement modules to use only packed ones.\r\nVersioning\r\nBefore TrickBot’s takedown, the latest known version was 1000513, from August 19, 2020. However, on November 3rd, we found the new “2000016” version that seems to feature all the improvements mentioned above. TrickBot operators seem to have then settled on going back to the original format, but resetting the versioning. Consequently, the latest version we’ve found is now “100003”, available from November 18.\r\nC\u0026C infrastructure\r\nIn terms of communication between victims and C\u0026Cs, TrickBot update responses seem to have been digitally signed using bcrypt, potentially in an effort to impede future takedowns. This particular improvement ensures that each new update for TrickBot is legitimate. This particular behavior was observed for the 2000016 version, but not for the 100003 version.\r\nhttps://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/\r\nPage 1 of 4\r\nThe C\u0026C servers for the “100003” version seem to involve only the use of Mikrotik routers.\r\nAnother interesting change is that, among the updated C\u0026C server list, there’s also an EmerDNS domain used as a backup in case no known C\u0026C server responds. What’s interesting about this particular domain is that the EmerCoin key (EeZbyqoTUrr4TpnBk67iApX2Wj3uFbACbr) used to administer the server also administers some C\u0026C servers that belong to the Bazar backdoor. The analyzed sample (82e2de0b3b9910fd7f8f88c5c39ef352) uses the morganfreeman.bazar domain, which has the 81.91.234.196 IP address and is running Mikrotik v6.40.4.\r\nPlugin server configuration\r\nThere are also some major differences between the lists of plugin server configurations, as seen in the figures below:\r\nFig. 1 – Previous versions of TrickBot plugin server configurations\r\nFig. 2 – New versions of TrickBot plugin server configurations\r\nTrickBot operators have apparently eliminated the Tor plugin services and have added the new \u003cpsrva\u003e tags, which seem to be obfuscated IPs, a technique also used by the Bazar backdoor. Although these look like legitimate IP addresses, they’re not.\r\nThe \u003csrva\u003e tag appears to be used only for C\u0026C servers, whose number seems to have been reduced considerably compared to previous TrickBot versions.\r\nVictims of the new version\r\nBased on our own telemetry, most reports from systems that have encountered this new version of TrickBot seem to involve connections from Malaysia, followed by the United States, Romania, Russia and Malta.\r\nConclusions\r\nCompletely dismantling TrickBot has proven more than difficult, and similar operations in the past against popular Trojans have shown that the cybercriminal community will always push to bring back into operation something that’s profitable, versatile and popular. TrickBot might have suffered a serious blow, but its operators seem to be scrambling to bring it back, potentially more resilient and difficult to extirpate than ever before.\r\nSource: https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitdefender.com/blog/labs/trickbot-is-dead-long-live-trickbot/"
	],
	"report_names": [
		"trickbot-is-dead-long-live-trickbot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c14572dbe6d64af5fb9054bd93ce677deede6fea.pdf",
		"text": "https://archive.orkl.eu/c14572dbe6d64af5fb9054bd93ce677deede6fea.txt",
		"img": "https://archive.orkl.eu/c14572dbe6d64af5fb9054bd93ce677deede6fea.jpg"
	}
}