TrickBot
What is TrickBot?
A modular banking trojan and post-exploitation framework operated by the WIZARD SPIDER crew that paved the way for Ryuk, Conti and Diavol ransomware.
TrickBot emerged in 2016 as a successor to Dyre and rapidly evolved from a banking trojan into a versatile post-exploitation framework. Operated by the criminal cluster WIZARD SPIDER, it delivered modules for credential theft, browser injection, Active Directory reconnaissance, lateral movement via SMB, and SOCKS proxying. TrickBot was a primary loader for Ryuk, Conti and later Diavol ransomware, and was strongly associated with Emotet infections during 2018-2020. Microsoft's Defender team and US Cyber Command disrupted its infrastructure in October 2020, and Conti's leaks in 2022 revealed deep ties between TrickBot developers and the Conti ransomware operation. The codebase later branched into Bumblebee.
● Examples
- 01
TrickBot harvests domain admin credentials from an infected accountant's laptop and ships them to operators who deploy Conti.
- 02
An incident response team finds TrickBot's pwgrab64 module in memory next to Ryuk components on a domain controller.
● Frequently asked questions
What is TrickBot?
A modular banking trojan and post-exploitation framework operated by the WIZARD SPIDER crew that paved the way for Ryuk, Conti and Diavol ransomware. It belongs to the Malware category of cybersecurity.
What does TrickBot mean?
A modular banking trojan and post-exploitation framework operated by the WIZARD SPIDER crew that paved the way for Ryuk, Conti and Diavol ransomware.
How does TrickBot work?
TrickBot emerged in 2016 as a successor to Dyre and rapidly evolved from a banking trojan into a versatile post-exploitation framework. Operated by the criminal cluster WIZARD SPIDER, it delivered modules for credential theft, browser injection, Active Directory reconnaissance, lateral movement via SMB, and SOCKS proxying. TrickBot was a primary loader for Ryuk, Conti and later Diavol ransomware, and was strongly associated with Emotet infections during 2018-2020. Microsoft's Defender team and US Cyber Command disrupted its infrastructure in October 2020, and Conti's leaks in 2022 revealed deep ties between TrickBot developers and the Conti ransomware operation. The codebase later branched into Bumblebee.
How do you defend against TrickBot?
Defences for TrickBot typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for TrickBot?
Common alternative names include: WIZARD SPIDER, TrickLoader.
● Related terms
- malware № 084
Banking Trojan
Malware designed to steal online-banking credentials and authorize fraudulent transactions, typically through web injects, form grabbing, or overlays.
- malware № 954
Ryuk Ransomware
A targeted ransomware family operated by WIZARD SPIDER from 2018 onward that extracted large ransoms from enterprises, hospitals and local governments via TrickBot intrusions.
- malware № 377
Emotet
A modular banking trojan turned malware-as-a-service loader that delivered ransomware affiliates and was taken down by international law enforcement in January 2021.
- malware № 621
Loader
Malware that prepares the environment and loads further payloads — often directly into memory — for a subsequent stage of an attack.