{
	"id": "bb72a8bc-bc47-44b9-b36d-c19b7beb88ab",
	"created_at": "2026-04-06T00:12:53.145294Z",
	"updated_at": "2026-04-10T13:12:07.530325Z",
	"deleted_at": null,
	"sha1_hash": "fdd046dff855b1182832756c5f70212cfbefa114",
	"title": "It’s hard to keep a big botnet down: TrickBot sputters back toward full health",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46170,
	"plain_text": "It’s hard to keep a big botnet down: TrickBot sputters back toward full health\r\nBy Tim Starks\r\nPublished: 2020-11-30 · Archived: 2026-04-05 20:04:21 UTC\r\nMounting evidence suggests that TrickBot, the vast botnet that both U.S. Cyber Command and a Microsoft-led coalition sought to disable around the 2020 elections, is on the mend and evolving.\r\nThe separate campaigns featured Microsoft going to court to disable IP addresses associated with TrickBot command and control servers, as Cyber Command’s operation also targeted command and control servers.\r\nHints of its rebound began in late October, shortly after signs of success in the bids to dismantle the TrickBot network of zombie computers. While Cyber Command and Microsoft always billed their assaults as a disruption rather than a full takedown, the TrickBot comeback is proof that it’s difficult to kill a botnet outright.\r\nBotnets are dangerous because they can be used to conduct a range of harmful activities, like distributed denial of service attacks that overwhelm a site with traffic or ransomware attacks, the latter of which were a major issue of concern for U.S. national security officials going into Election Day.\r\nSeveral security researchers saw a new version of the TrickBot malware, its 100th, appear shortly after the election — for which Cyber Command and Microsoft feared TrickBot could cause trouble. The latest iteration came with new ways to hide its activity, among other features.\r\n“We believe that this shows a determination on the part of the actors behind Trickbot to defy the disruption activity against their operation,” Mark Arena, CEO of Intel 471, said via email.\r\nHuntress Labs published an analysis of the new obfuscation scheme last week. It’s simple, but clever, said John Hammond, senior security researcher.\r\n“It’s using and taking advantage of the Microsoft Windows command prompt and the scripting language that that inherently uses,” Hammond said. “That is native and built into Windows, so just about every work station computer, and it doesn’t need any external compiler or some other sort of code or language to build that and be able to execute that on the system. It does that automatically.”\r\nMany organizations saw TrickBot begin to again gain momentum not long after Microsoft published its first update on a disruption campaign. That campaign initially drew skeptical responses, but later won over some converts.\r\nSentinelOne’s vice president of research, Brian Hussey, said he asked his team to look at TrickBot activity over the past year.\r\nhttps://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/\r\n“The findings were pretty interesting, in that we’ve seen a continual and steady usage for the last year. No real spikes, but a slight dip in late October that lasted around a week,” Hussey said. “November has not shown a major spike as they worked to come back online, rather just a continual level that we’ve seen for the entire year. From our telemetry it appears to be business as usual.”\r\nESET, which was involved in the Microsoft disruption, said last week that TrickBot remained “weakened” by the effort, in a chart that tracked the number of detections. Yet also last week, the Any.Run malware analysis service portrayed TrickBot as “coming back on track.”\r\nIt might be the case, then, that it’s too early to conclusively assess how TrickBot is faring, even if the evidence points toward a rebound of some kind. “I’m sure, as more time goes by we’ll get a better look at ‘post-takedown activity and better view of any impact,” Hussey said via email.\r\nIt is possible to fully destroy a botnet, as the case of 3ve shows. 3ve began operation in 2013, and ended in 2018 when a joint operation between government agencies and technology companies including Google brought it down. But in the case of TrickBot, as Bitdefender put it, “the endeavor proved to be more like a ‘kneecapping’ operation rather than cutting the hydra’s heads.”\r\nCorrected, 11/30/20: Corrected for misnaming of John Hammond.\r\nSource: https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/"
	],
	"report_names": [
		"trickbot-status-microsoft-cyber-command-takedown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434373,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdd046dff855b1182832756c5f70212cfbefa114.pdf",
		"text": "https://archive.orkl.eu/fdd046dff855b1182832756c5f70212cfbefa114.txt",
		"img": "https://archive.orkl.eu/fdd046dff855b1182832756c5f70212cfbefa114.jpg"
	}
}