December 8, 2023

The operators of TrickBot have shut down the notorious malware, but evidence suggests the gang has begun using other platforms or folded operations into another cybercrime group altogether.

Researchers at Intel471 and AdvIntel noted a sharp dip in recent TrickBot activity, though the command-and-control infrastructure for the malware remains operational.


It’s likely that the Trickbot operators have phased Trickbot malware out of their operations in favor of other platforms,” especially Emotet  

Intel471 Statement

TrickBot’s operators had been subsumed into Conti, a Russia-linked cybercrime group known for offering “ransomware as a service” packages to its affiliates. Researchers previously had noted TrickBot connections with Conti.

AdvIntel Statement

The Conti group, meanwhile, put its support behind Russia, saying it would use its full capabilities to strike back at any entity that threatens Russian critical infrastructure.

TrickBot first drew attention as trojan malware aimed at the banking industry, but it soon developed into a broader framework of tools for gaining access to sensitive networks in general. Separate takedowns led by U.S. Cyber Command and Microsoft in late 2020, as well as prosecutions of TrickBot leaders by U.S. law enforcement in 2021, put a significant dent in the gang’s operations.


The skills of TrickBot’s core group remain sharp, researchers say. A report earlier this month from Check Point Research noted recent upgrades to some Trickbot modules. The BazarBackdoor tool, has become a brand unto itself for cybercriminals who want access to high-value targets, according to Intel471 and AdvIntel.

Old infrastructure for the malware appeared to be “still maintained and operational” into 2022, but has not been nearly as busy over the past two months.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.