TrickBot malware operation shuts down, devs move to stealthier malware


The TrickBot malware operation has shut down after its core developers moved to the Conti ransomware gang to focus development on the stealthier BazarBackdoor and Anchor malware families.

TrickBot is a notorious Windows malware infection that has dominated the threat landscape since 2016.

The malware is commonly installed via malicious phishing emails or other malware, and will quietly run on a victim’s computer while it downloads modules to perform different tasks.

These modules perform a wide range of malicious activities, including stealing a domain's Active Directory Services database, spreading laterally on a network, screen locking, stealing cookies and browser passwords, and stealing OpenSSH keys.

TrickBot also has a long relationship with ransomware operations that partnered with the TrickBot group to receive initial access to networks infected by the malware.

In 2019, the TrickBot Group partnered with the Ryuk ransomware operation to provide the ransomware gang initial access to networks. In 2020, the Conti ransomware group, believed to be a rebrand of Ryuk, also partnered with TrickBot for initial access.

In 2021, TrickBot attempted to launch its own ransomware operation, called Diavol, which never really picked up steam, possibly because one of its developers was arrested.


Despite numerous takedown attempts by law enforcement, TrickBot had successfully rebuilt its botnet and continued to terrorize Windows networks.

That is until December 2021, when TrickBot distribution campaigns suddenly ceased.

TrickBot operation shuts down

Over the last year, Conti has become one of the most resilient and lucrative ransomware operations, responsible for numerous attacks on high-profile victims and amassing hundreds of millions of dollars in ransom payments.

As reported by BleepingComputer last week, due to the enormous wealth and capital at their disposal and TrickBot primarily being used by Conti, the ransomware gang slowly took control of the operation.

However, Conti did not recruit these “elite developers and managers” to work on the TrickBot malware, but rather to work on the stealthier BazarBackdoor and Anchor malware families, as seen in internal conversations shared with BleepingComputer by cybersecurity firm AdvIntel.

AdvIntel explained last week that the shift in development is because the TrickBot malware is too easily detected by security software and that the operation would be shut down shortly.

Yesterday, AdvIntel CEO Vitali Kremez told BleepingComputer that the TrickBot Group shut down all of the infrastructure for the TrickBot malware operation.

In a conversation with Kremez, BleepingComputer was told that the Conti ransomware now controls the TrickBot Group’s malware development for their own needs.


With this shutdown, Kremez explained that the TrickBot crime ring, which initially launched to pursue fraud, now focuses almost entirely on ransomware and breaching networks.

A report released yesterday by cyber intelligence firm Intel471 also confirmed that the operation was shutting down in favor of more profitable platforms.

While it is always good to see a malware operation shut down, the reality is that the ransomware gangs have already transitioned to the stealthier BazarBackdoor family.

BazarBackdoor has already seen increased distribution via email over the past six months, but with TrickBot’s shutdown, we will likely see it become more prevalent in network breaches of corporate entities.
