{ "id": "73145884-7ab5-43b4-84d6-53bc6d7d9fc9", "created_at": "2026-04-06T00:15:26.274505Z", "updated_at": "2026-04-10T03:35:52.910575Z", "deleted_at": null, "sha1_hash": "c48a9d8e3c79e34a4e9c7921d83c2575577425cd", "title": "LightBot: TrickBot\u0026rsquo;s new reconnaissance malware for high-value targets", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3099874, "plain_text": "LightBot: TrickBot\u0026rsquo;s new reconnaissance malware for high-value\r\ntargets\r\nBy Lawrence Abrams\r\nPublished: 2020-11-20 · Archived: 2026-04-05 19:33:16 UTC\r\nThe notorious TrickBot has gang has released a new lightweight reconnaissance tool used to scope out an infected victim's\r\nnetwork for high-value targets.\r\nOver the past week, security researchers began to see a phishing campaign normally used to distribute TrickBot's\r\nBazarLoader malware switch to installing a new malicious PowerShell script.\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 1 of 7\n\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 2 of 7\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 3 of 7\n\nVisit Advertiser websiteGO TO PAGE\r\nLike BazarLoader phishing campaigns, LightBot phishing emails pretend to be from human resources or the legal\r\ndepartment about a customer complaint or the termination of the recipient's employment.\r\nAs seen from a LightBot email sent to my email address, they contain links to a document on https://drive.google.com.\r\nLightBot phishing email sent to BleepingComputer\r\nWhen users click on the embedded link, they will be brought to a Google Docs page that states \"Previewing is disabled\" and\r\nprompts you to download the file instead.\r\nGoogle Docs landing page\r\nThe downloaded file is a JavaScript file that will launch the LightBot PowerShell script.\r\nLightBot: A lightweight reconnaissance tool\r\nDubbed LightBot by Advanced Intel's Vitali Kremez, this PowerShell script is a lightweight reconnaissance tool that gathers\r\ninformation about a victim's network to determine if they are high-value and should be targeted in further attacks.\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 4 of 7\n\n\"The new TrickBot group \"LightBot\" is a PowerShell reconnaissance script used by the same group linked to the high-level\r\nransomware and breach incidents involving Universal Health Service (UHS). LightBot is focused on reconnaissance for\r\nhigh-value targets via network and active directory (similar to the FIN7 reconnaissance profiler script).\"\r\n\"We suspect LightBot is used as another means (on top of the lightweight covert BazarBackdoor) to handpick Ryuk\r\nransomware targets via network/domain parsing part of Cobalt Strike to Ryuk ransomware kill chain,\" Kremez told\r\nBleepingComputer in a conversation.\r\nAfter learning of and receiving a phishing email pushing this new script, BleepingComputer analyzed the tool to determine\r\nwhat information is collected during its operation.\r\nWhen the LightBot PowerShell script is executed, it will make repeated connections to a command and control (C2) server\r\nto receive additional PowerShell scripts to execute and to send data collected during previous runs.\r\nFiddler showing LightBot connections to C2\r\nThe scripts sent from the C2 are all the same but with different commands to collect data desired by the threat actors. For\r\nexample, below, you can see the script used to collect information about the computer's IP address configuration and\r\nWindows domain.\r\nExample PowerShell script used to collect Domain info\r\nFrom our runs of the malicious script, LightBot collects the following data:\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 5 of 7\n\nComputer name\r\nHardware info\r\nUser name\r\nWindows version\r\nList of Windows domain controllers\r\nName of the primary domain controller (PDC)\r\nConfigured IP address\r\nDNS domain\r\nType of network card\r\nList of installed programs\r\nAs part of this process, the scripts will also create two files in the %Temp% folder. The first is a text file containing an\r\nencrypted base64 encoded string and the second file is a PowerShell script that decodes the base64 string and executes it.\r\nThis PowerShell script is launched every day at 7 AM through a created scheduled task.\r\nScheduled task to launch script\r\nThe C2 generated an error when the encrypted PowerShell script was downloaded, so it not known what actions this\r\nscheduled task performs. It is believed to be a persistence method.\r\nWhen done with the initial commands sent by the C2, LightBot will continue running in the background and routinely\r\nconnects to the C2 for new commands.\r\nLast month, Microsoft and other security firms performed a coordinated takedown of TrickBot, which impacted their\r\noperations. This continued evolution of new tools, though, shows the hacking group's adaptability and resiliency.\r\nAll admins should be on the lookout for LightBot phishing campaigns as the end result will likely be a network-wide Ryuk\r\nor Conti ransomware attack.\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 6 of 7\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nhttps://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/" ], "report_names": [ "lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434526, "ts_updated_at": 1775792152, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c48a9d8e3c79e34a4e9c7921d83c2575577425cd.pdf", "text": "https://archive.orkl.eu/c48a9d8e3c79e34a4e9c7921d83c2575577425cd.txt", "img": "https://archive.orkl.eu/c48a9d8e3c79e34a4e9c7921d83c2575577425cd.jpg" } }