{
	"id": "3e496883-b491-4342-b971-042268fd0de4",
	"created_at": "2026-04-06T01:31:08.054261Z",
	"updated_at": "2026-04-10T13:12:42.823531Z",
	"deleted_at": null,
	"sha1_hash": "dc03af29183822156e3b20e25965abd79725b80c",
	"title": "Trickbot disrupted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 352868,
	"plain_text": "Trickbot disrupted\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-10-12 · Archived: 2026-04-06 00:24:25 UTC\r\nAs announced today, Microsoft took action against the Trickbot botnet, disrupting one of the world’s most\r\npersistent malware operations. Microsoft worked with telecommunications providers around the world to disrupt\r\nkey Trickbot infrastructure. As a result, operators will no longer be able to use this infrastructure to distribute the\r\nTrickbot malware or activate deployed payloads like ransomware.\r\nMicrosoft actively tracks the threat landscape, monitoring threat actors, their campaigns, specific tactics, and the\r\nevolution of malware. We share this intelligence with the community and use our research to continuously\r\nimprove our products. Below, we will detail the evolution of the Trickbot malware, associated tactics, recent\r\ncampaigns, and dive into the anatomy of a particular attack we observed.\r\nTrickbot was first spotted in 2016 as a banking trojan that was created as a successor to Dyre and designed to steal\r\nbanking credentials. Over the years, Trickbot’s operators were able to build a massive botnet, and the malware\r\nevolved into a modular malware available for malware-as-a-service. The Trickbot infrastructure was made\r\navailable to cybercriminals who used the botnet as an entry point for human-operated campaigns, including\r\nattacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, in\r\ntarget networks.\r\nTrickbot was typically delivered via email campaigns that used current events or financial lures to entice users to\r\nopen malicious file attachments or click links to websites hosting the malicious files. Trickbot campaigns usually\r\nused Excel or Word documents with malicious macro code, but other types of attachments have been used. 
The\r\ncampaigns were observed in a wide range of verticals and geolocations, with operators frequently reusing\r\npreviously compromised email accounts from earlier campaigns to distribute emails without narrowing targets.\r\nIn addition to phishing emails, Trickbot was also deployed through lateral movement via Server Message Block\r\n(SMB) or as a second-stage payload of other malware like Emotet. Once Trickbot was launched, operators utilized\r\nit to install reconnaissance tools like PowerShell Empire, Metasploit, and Cobalt Strike. They used these tools to\r\nsteal credentials and network configuration information, move laterally to high-value assets, or deliver additional\r\nmalicious payloads.\r\nThreat data from Microsoft 365 Defender, which correlates signals from endpoints, email and data, identities, and\r\ncloud apps to deliver comprehensive protection against threats, shows that Trickbot showed up in both large and\r\nsmall enterprises across the globe, helped no doubt by its modular nature and widespread misconception of it\r\nbeing a “commodity” banking trojan.\r\nhttps://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/\r\nPage 1 of 7\n\nAnatomy of a Trickbot campaign\r\nTrickbot is one of the most prolific malware operations in the world, churning out multiple campaigns in any\r\ngiven period. In one specific campaign, the Trickbot operators used several disparate compromised email accounts\r\nto send out hundreds of malicious emails to both enterprise and consumer accounts. Recipients were from a\r\nvariety of industry verticals and geolocations and did not appear to have been specifically targeted. This campaign\r\nused a shipping and logistics theme, and had the following subject lines:\r\nShipment receipt\r\nDelivery finished\r\nUrgent receipt comment\r\nEssential receipt reminder\r\nRequired declaration\r\nThe emails contained a malicious Excel attachment that, when opened, prompted the user to enable macros. 
If\r\nenabled, the macro wrote a malicious JScript Encoded (JSE) file to the disk, which was then executed via WScript.\r\nThe JSE script connected to the affected organization’s domain controller and performed several LDAP queries to\r\ngather information about Active Directory, including the schema and user lists. The script then exfiltrated the\r\ninformation to attacker-controlled infrastructure. The script used the jscript.encode command to encode both\r\nserver-side and client-side files in order to obfuscate content and evade detection.\r\nNext, the JSE file performed several reconnaissance queries to obtain information about the device’s network\r\nadapter, antivirus products, domain role, and email. Once the exfiltration was completed, a dropped .bat file\r\nestablished a connection with two separate C2 servers: an IP address and a domain hosted on a separate IP\r\naddress. Trickbot used both these C2 servers to evade network filtering configurations. The .bat file performed\r\nreconnaissance commands to find domain administrators on the network. It then dropped and launched the\r\nGreenshot screenshot tool and Cobalt Strike beacon on the device.\r\nAt this point, the operators had gained control of the affected device, only 8.5 hours after the user opened the\r\nmalicious email attachment. The operators then started to copy the freeware tool ADFind.exe, which they used for\r\ndiscovery as well as for gathering domain configuration and organization information. They then archived data\r\nfound during this discovery to a .7z file for later exfiltration.\r\nThe attackers ran several commands to obtain information about the domain controller and gather Kerberos\r\ntickets, conducted port scanning on SMB port 445, NetBIOS 139, and queried LDAP for multiple server devices.\r\nUsing the information gathered, attackers pinged several potentially high-value devices. 
From there, they viewed\r\nthe contents of specific text and log files, likely gleaned from their reconnaissance. Upon finding a device with an\r\nopen port 445, they used runas /netonly (logon type 9, which is intentionally used to confuse analysis of logon\r\nevents) for authentication and interactively executed commands on the device.\r\nOnce authenticated, the attackers viewed existing RDP files from prior unrelated sessions for RDP settings and\r\ncredentials. From there, they dropped a Trickbot executable and stole credentials from the Windows Vault and\r\nCredentials Manager, allowing the attackers to evade many well-known security mechanisms that monitor\r\nprocesses accessing Local Security Authority Subsystem Service (LSASS) memory to dump the credentials. They\r\nused a .bat file to view multiple shares, ping additional servers, and read several text files. Finally, the attackers\r\nexfiltrated all gathered data.\r\nThe attackers persisted in the network via a copy of the malicious .jse file in the Startup folder. Using this .jse file,\r\nthey have the capability to return to this network later and attempt to log on to other, more valuable devices and\r\nsteal additional information or drop additional payloads. This highlights the importance of comprehensive\r\nresponse to “commodity malware” like Trickbot: the original banking trojan infection may be triaged and\r\nremediated, but without a full understanding of Trickbot as an entry vector to human adversaries, the real threat\r\nremains in the network.\r\nModular, multi-stage malware\r\nTrickbot is a multi-stage malware typically composed of a wrapper, a loader, and a main malware module. The\r\nwrapper, which uses multiple templates that constantly change, is designed to evade detection by producing\r\nunique samples, even if the main malware code remains the same.\r\nWhen the wrapper process runs, it runs the loader fully in its memory. The loader has a highly modular design. 
It\r\ndecrypts each function at runtime before running it, and then re-encrypts it. Likewise, all human-readable\r\nstrings are decrypted and all APIs are resolved at runtime. In some scenarios, Trickbot uses UAC bypasses to\r\nelevate the privileges of its processes. On 64-bit systems, Trickbot uses the “Heaven’s Gate” technique to switch\r\n32-bit code to 64-bit, and has an additional stage where a 64-bit loader injects the main module into the suspended\r\nprocess.\r\nThe loader runs the main malware module directly in memory. After creating scheduled tasks for persistence, the\r\nmain malware module decrypts a configuration file, which contains the information it needs for its next steps:\r\nEstablish HTTPS communication with the command and control (C2) server\r\nDownload modules from the C2 server\r\nMonitor the status of the downloaded modules\r\nSynchronize communication between the main module and the downloaded modules\r\nThe modules are likewise run in memory via injection into the suspended process. Over the years, Trickbot has\r\nused a wide range of modules for various malicious activities. 
These include the following:\r\nModule | Purpose\r\npwgrab | Gathers credentials, autofill data, history and so on from browsers\r\nnetworkDll | Gathers network and system information\r\nimportDll | Gathers browser data\r\ninjectDll | Main banker module; uses static and dynamic web browser injection and data theft\r\ntabDll | Propagates Trickbot via EternalRomance Exploit\r\n(module name not extracted) | Propagates Trickbot via SMB EternalBlue Exploit\r\nshareDll | Propagates Trickbot via Windows network shares\r\nvncDll, BCTestDll | Remote control/Virtual Network Computing module; provides backdoor for further module downloads\r\nrdpscanDll | Launches brute force attacks against selected Windows systems with Remote Desktop Protocol (RDP) exposed to the Internet\r\nSysteminfo | Gathers system information\r\nmailsearcher | Searches all files on disk and compares their extensions to a predefined list to harvest email addresses\r\noutlookDll | Gathers Outlook credentials\r\npsfin | Gathers point of sale (POS) software credentials\r\nsqulDll | Gathers email addresses stored in SQL servers\r\naDll | Runs various commands on a Windows domain controller to steal Active Directory credentials\r\nTrickbot sends information like domain names and IP ranges of compromised networks back to operators, who\r\nthen select some of these networks for additional exploitation and reconnaissance activities. On selected networks,\r\nTrickbot operators install additional tools like Cobalt Strike and switch to hands-on-keyboard attacks. Once\r\nthe operators gain a foothold on a network, they use tools like Mimikatz and LaZagne to steal additional\r\ncredentials and tools like BloodHound and ADFind to perform reconnaissance. Apart from using the stolen\r\ncredentials and collected data to further the attack, operators also exfiltrate data. 
They then leave multiple\r\npersistence points on the network to enable the eventual delivery of other payloads like Ryuk ransomware.\r\nWhile much has been made of Trickbot’s supposed antivirus evasion capabilities, it amounts to a simple PowerShell\r\ncommand that turns off Microsoft Defender Antivirus, and it can perform this action only if the user has\r\nadministrative rights.\r\nRecent prominent Trickbot campaigns\r\nIn June 2020, we tracked multiple Trickbot campaigns. As is typical with Trickbot, some of the email campaigns\r\ntook advantage of current events as lures to entice users to click on malicious attachments. These lures included\r\nBlack Lives Matter and COVID-19. Earlier in the year, we reported that Trickbot was the most prolific malware\r\noperation using COVID-19-themed lures. Many other simultaneous campaigns used more generic lures, such as\r\nshipping and logistics, invoicing and payments, customer complaints, and various financial lures.\r\nThe email body was often simple but maintained consistency with the lure used in the subject line. The emails\r\nused a wide range of attachment types, including:\r\nWord macro attachments\r\nExcel VBA macro attachments\r\nExcel 4.0 macro attachments\r\nJava Network Launch Protocol (.jnlp) attachments\r\nSome campaigns did away with the attachments and instead used malicious links to websites that host malicious\r\nfiles.\r\nThe sender infrastructure for all these emails varied as well. In most campaigns, operators used compromised\r\nlegitimate email accounts and compromised marketing platforms to distribute the malicious emails. However, in\r\none instance, the operators registered several domains using less popular top-level domains (TLDs) such as\r\n“.monster” and “.us” to create their own mail server and send malicious emails from attacker-defined email\r\naddresses. 
At least one of these campaigns used attacker-owned email sender infrastructure that was later used to\r\ndeliver Dridex malware in a separate campaign. The Dridex malware is known to be associated with the\r\nCHIMBORAZO (also known as TA505) crime group. Additionally, CHIMBORAZO ran simultaneous campaigns\r\nthat delivered Trickbot.\r\nThe following graphic illustrates the various campaigns, tactics, and techniques used by the operators. The\r\ncomplexity of these simultaneous campaigns and techniques indicates that this is a coordinated and professional\r\neffort conducted by a sophisticated activity group.\r\nExtended detection and response for the full range of threats\r\nThe action against Trickbot is one of the ways in which Microsoft provides real-world protection against threats.\r\nThis action will result in protection for a wide range of organizations, including financial services institutions,\r\ngovernment, healthcare, and other verticals, from malware and human-operated campaigns delivered via the\r\nTrickbot infrastructure.\r\nIn the recently released Microsoft Digital Defense Report, we called out that cybercriminals of all skill sets take\r\nadvantage of the perception that commodity threats are less impactful to businesses. Trickbot is proof that this\r\nassumption is obsolete, and organizations need to treat and address Trickbot and other malware infections as the\r\nbroadly damaging threats that they are.\r\nTo help protect customers from the full range of threats, from common malware to highly modular, multi-stage\r\nthreats like Trickbot, as well as nation-state level attacks, Microsoft 365 Defender delivers coordinated protection\r\nfor identities, endpoints, cloud apps, email and documents. Microsoft Defender for Office 365 detects malicious\r\nattachments and links in email campaigns. 
Microsoft Defender for Endpoint detects and blocks the Trickbot\r\nmalware and all related components, as well as malicious activities on endpoints. Microsoft Defender for Identity\r\nidentifies and detects suspicious user activities and compromised identities.\r\nThis breadth of cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively\r\ndetect and resolve attack chains. Security operations teams can then use the rich set of tools in Microsoft 365\r\nDefender to further hunt for threats and gain insights for hardening networks from compromise.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nMicrosoft 365 Defender Research Team\r\nDigital Crimes Unit (DCU)\r\nDetection and Response Team (DART)\r\nSource: https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/"
	],
	"report_names": [
		"trickbot-disrupted"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439068,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc03af29183822156e3b20e25965abd79725b80c.pdf",
		"text": "https://archive.orkl.eu/dc03af29183822156e3b20e25965abd79725b80c.txt",
		"img": "https://archive.orkl.eu/dc03af29183822156e3b20e25965abd79725b80c.jpg"
	}
}