TrickBot

Also known as: TheTrick, TrickLoader, Trickster

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. It has multiple modules, including VNC and a SOCKS5 proxy, and uses SSL for C2 communication.

- Q4 2016 - Detected in the wild
- Oct 2016 - First report
- 2017 - TrickBot primarily uses Necurs as the vehicle for installs
- Jan 2018 - Uses XMRig (Monero) miner
- Feb 2018 - Bitcoin theft
- Mar 2018 - Unfinished ransomware module
- Q3/Q4 2018 - TrickBot starts being spread through Emotet

Infection Vector

1. Phish > Link to MS Office document > Macro enabled > Downloader > TrickBot
2. Phish > Attached MS Office document > Macro enabled > Downloader > TrickBot
3. Phish > Attached MS Office document > Macro enabled > TrickBot installed

Linked Threat Actors

TA505, UNC1878, WIZARD SPIDER

C2 Infrastructure

ISP/Residential 70%
Hosting/VPS 26%
Business 2%
Education 1%
Unknown 1%

C2 Hosts (last 7 days, Jun 1, 2026): 92
