{
	"id": "23e64b45-33a4-4ad4-91d3-59c1aba92ad8",
	"created_at": "2026-04-06T00:06:39.362822Z",
	"updated_at": "2026-04-10T03:21:08.201471Z",
	"deleted_at": null,
	"sha1_hash": "e3c0298fce6b7932a2a3af26f4679f428220eb3a",
	"title": "Little Trickbot Growing Up: New Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1348702,
	"plain_text": "Little Trickbot Growing Up: New Campaign\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 15:55:24 UTC\r\nRecently there have been several reports of a financial malware named TrickBot. The malware’s code looked similar to Dyre’s code but was lacking in functionality in comparison to the old Dyre samples. It also had a fairly basic module configuration, including:\r\na system information collecting module\r\na browser injection module\r\nThe malware had no VNC, SOCKS, or form grabber modules. The samples that were observed in the field had a persistence mechanism, browser function hooks (also known as man-in-the-browser) and a short list of Australian targets that were fetched from the command and control (C\u0026C) server.\r\nThis week our research team came across a new campaign of TrickBot malware. The previous webinjects configuration was partial and looked like part of a testing version of the TrickBot malware. After analyzing this campaign, we noticed a change in the webinjects configuration.\r\nMany new targets, including Germany and the UK, were added to the previous targets of Canada, Australia, and New Zealand.\r\nFigure 1: TrickBot target evolution\r\nhttps://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412\r\nDynamic Injects\r\nTrickBot has server-side webinjects, meaning that when the user connects to the targeted bank’s site, a copy of the target’s response source is sent to the C\u0026C, where JavaScript injections are inserted. After the targeted source has been injected with malicious code, it is returned to the user as if it actually came from the bank.\r\nIn the following illustrations, one can see the fields that were added. These are intended to filter out certain file types, as they can be fetched from the real bank site.\r\nFigure 2: TrickBot’s old configuration\r\nFigure 3: TrickBot's new configuration\r\nStatic Injections\r\nStatic injections, also known as “redirects,” are now fully functional in TrickBot. When the user tries to connect to a targeted site, the malware redirects the request to a malicious C\u0026C server and returns a fake page that looks exactly like the bank’s original page.\r\nFigure 4: TrickBot's new configuration\r\nInside the browser function hook, the request page is forwarded to the fake domain, carrying the Bot ID inside the “ClientInfo” header.\r\nFigure 5: A redirected request to a malicious domain\r\nPing Request\r\nA ping request, which is sent from every page in the site, is launched by a “start_ping” function on a “document.ready” event in an endless loop every two seconds (like Dyre). These requests are also redirected to the malware’s server inside the browser network hook.\r\nFigure 6: A ping is sent by the malicious code in the page\r\nHello Dyre, My Old Friend\r\nSimilar to Dyre, TrickBot uses pipes for its inter-process communication. Once a browser is launched, a malicious module (“core-dll.dll”) is injected into its memory by the main TrickBot module in svchost.exe.\r\nFigure 7: TrickBot’s module in Firefox’s address space\r\nThe browser module waits for incoming pipe connections. The main module connects to the browser module using a named pipe “\\Device\\NamedPipe\\\u003cPID\u003elacesomepipe” where PID is the process ID number of the browser.\r\nFigure 8: The pipe in the infected svchost.exe process\r\nThe commands are one byte long. Each command is a letter that signifies the data to transfer.\r\nFigure 9: Handling pipe commands\r\nAdditional commands include:\r\n“i” – get client_id, e.g.: ADMIN-PC_W617601.A9B4C7FF18D0126F481CA1758B0A0FEF\r\n“a” – get self ip, e.g.: 8.8.8.8\r\n“g” – get group_id, e.g.: lindoc3\r\n“q” – quit and disconnect the pipe\r\nThe browser module asks the main module for every one of these data pieces, and if one of them is not received, the malicious thread terminates and the browser is not patched by the malware.\r\nA security improvement over Dyre’s pipe is implemented by closing the pipe right after all the commands are sent. This means that if a researcher is inspecting the malware, connecting to the pipe in order to get the configuration is not as trivial as it was in Dyre.\r\nSampled MD5: 104923556ace17b4f1e52a50be7a8ea0\r\nConclusion\r\nIt seems that the creators of this malware are rolling it out to the field gradually, testing its spreading capabilities and adding targets as they go along. It is highly likely that we will witness its functionality expand and its target list continue to grow.\r\nSource: https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412"
	],
	"report_names": [
		"little-trickbot-growing-up-new-campaign-24412"
	],
	"threat_actors": [],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3c0298fce6b7932a2a3af26f4679f428220eb3a.pdf",
		"text": "https://archive.orkl.eu/e3c0298fce6b7932a2a3af26f4679f428220eb3a.txt",
		"img": "https://archive.orkl.eu/e3c0298fce6b7932a2a3af26f4679f428220eb3a.jpg"
	}
}