TrickBot Trojan Retired as Developers Switch to Stealthier Malware

The TrickBot Trojan has been one of the most significant malware threats of the past 6 years, but it now appears to have been retired. Its main developers are believed to have joined the Conti ransomware gang to work on stealthier malware, notably the BazarBackdoor and Anchor malware families.

TrickBot is modular malware that first emerged in 2016. It started out as a banking Trojan, but over the following years modules were added that allow it to steal browser cookies and saved passwords, OpenSSH keys, and Active Directory databases. The malware can move laterally within a network, and every infected device is added to the TrickBot botnet.

The operators of the malware have worked closely with the Emotet gang. Emotet was originally used to download TrickBot onto infected devices; after the law enforcement takedown of the Emotet botnet in January 2021, the roles were reversed and TrickBot was used to rebuild the Emotet botnet. The TrickBot operators have also worked closely with ransomware gangs, providing access to compromised networks to the Ryuk ransomware operation, which is widely believed to be the predecessor of Conti ransomware.

The TrickBot gang survived an attempted takedown of its infrastructure in October 2020 by U.S. Cyber Command, and two individuals believed to have been involved in developing the Trojan have since been arrested. The operation has faced intense law enforcement scrutiny, and while the gang remained active over the past year, its activity declined steadily until it stopped almost entirely in December 2021.

According to cybersecurity firm AdvIntel, which has had visibility into internal Conti ransomware gang communications, TrickBot was retired as of February 24, 2022. The malware's developers are believed to have been lured into the Conti operation to work on stealthier tooling. Although the TrickBot operation was successful, the Trojan itself had become easy for security software to detect, which limited its usefulness. The Conti gang, meanwhile, has been prolific and has collected hundreds of millions of dollars in ransoms. The former TrickBot developers are now believed to be working on the malware Conti uses to breach networks ahead of ransomware attacks, which are far more profitable than banking fraud.

While the retirement of a major malware operation is welcome, this is a change of tooling rather than a defeat: the same operators remain active, and the BazarBackdoor and Anchor malware families are likely to become far more prevalent. That shift already appears to be under way, as emails distributing BazarBackdoor have increased significantly in the past 6 months. Defenders whose detections are tuned to TrickBot should make sure their coverage extends to these successor families.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news