{
	"id": "d5552487-1757-43c3-b5a3-178eb035da02",
	"created_at": "2026-04-06T00:08:12.858348Z",
	"updated_at": "2026-04-10T03:36:11.115075Z",
	"deleted_at": null,
	"sha1_hash": "fed52e95ab6f5995327f0702bf028dbb95380b65",
	"title": "Who is Trickbot? - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42060,
	"plain_text": "Who is Trickbot? - CYJAX\r\nBy Joe Wrieden\r\nPublished: 2022-07-15 · Archived: 2026-04-05 17:47:00 UTC\r\nSince the start of the Russia-Ukraine conflict, Russia-based cybercrime groups have been placed in a difficult position. Many groups are made up of members of different nationalities, and those members have had to decide where their allegiance lies. Leading the charge was the Conti ransomware group, which on 25 February 2022 posted a statement of full support for the Russian government, shown in Figure 1, declaring its willingness to fight anyone who opposed it. The post came only one day after the invasion of Ukraine on 24 February 2022. It is possible that Conti was required to post it because of the group's ties to the Russian government, which would explain the fast reaction to the invasion.\r\nFigure 1\r\nThis post caused shockwaves both in the intelligence community and within Conti itself. Many members of the group were unhappy with the decision, either because they did not wish to be seen supporting the Russian government or because they were themselves from Ukraine, the victim country. This led Conti to retract the statement only two days later, now saying it only wished to target the “Western warmongers” and “[do] not ally with any governments and [...] condemn the ongoing war”.\r\nFigure 2\r\nThe reversal was not enough for most members, and Conti became one of the ransomware groups most heavily targeted by pro-Ukrainian organisations and other threat actors. It did not take long for this unrest to turn into action: on 27 February 2022, a Twitter account, @ContiLeaks, began posting links to logs of the group's internal communications. Within hours, threat intelligence researchers around the world were analysing the dump, which contained over 60,000 messages. The leak caused significant unrest within the group, with the @ContiLeaks account itself tweeting: “We know everything about you Conti, go to panic, you can’t even trust your gf, we against you!”.\r\nOn 4 March 2022, while attention was focused on @ContiLeaks, another account, @trickleaks, was created, posting the tweet: “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk)”. After this damning message, tweets began to appear containing links to internal communications between members of the Trickbot group. At the time of writing, the @trickleaks account has approximately 1,700 followers, roughly a fifth of the @ContiLeaks following. These leaks, which I will refer to as the Trickbot Leaks, were posted at an increasing rate, with the messages of 35 suspected members uploaded over a two-month period, for a total of over 1,000 communication extracts.\r\nEach file consists of a direct conversation or a group chat involving the user, and the files vary in size; some contain nearly 10,000 messages. In total there are approximately 250,000 messages, containing over 2,500 IP addresses, around 500 potential cryptocurrency wallet addresses, and thousands of domains and email addresses. The leak was like nothing seen before and gave cyber threat intelligence researchers unprecedented access to the Trickbot organisation. To put it in perspective, it was over four times the size of the Conti leaks, which some researchers regarded as one of the most useful information dumps of the past few years. Alongside the messages, PDF files were leaked containing large amounts of information reportedly about individual members, including full names, addresses and identification numbers. These “doxing PDF” files have given us the ability to analyse the people behind the usernames, examining how and why they work for the criminal organisation.\r\nWithin this report we will analyse and discuss the full extent of the content of these leaks, from the infrastructure and tooling the criminal organisation uses to the inner workings of how the group operates.\r\nSource: https://www.cyjax.com/2022/07/15/who-is-trickbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyjax.com/2022/07/15/who-is-trickbot/"
	],
	"report_names": [
		"who-is-trickbot"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434092,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fed52e95ab6f5995327f0702bf028dbb95380b65.pdf",
		"text": "https://archive.orkl.eu/fed52e95ab6f5995327f0702bf028dbb95380b65.txt",
		"img": "https://archive.orkl.eu/fed52e95ab6f5995327f0702bf028dbb95380b65.jpg"
	}
}