{"id":3353,"date":"2021-10-18T12:52:03","date_gmt":"2021-10-18T12:52:03","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3353"},"modified":"2026-06-08T22:46:38","modified_gmt":"2026-06-08T22:46:38","slug":"trickbot-latest-activity","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/trickbot-latest-activity\/","title":{"rendered":"Latest TrickBot cyber-gang activity"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In recent days, we have observed multiple new <strong><em>Conti Ransomware<\/em><\/strong> attacks associated with the presence of the <strong><em>TrickBot<\/em><\/strong> malware. The increase in attacks and ransomware distribution appears linked to new affiliate agreements that the threat groups <strong><em>Hive0106<\/em><\/strong> and <strong><em>Hive0107<\/em><\/strong> established with the <strong><em>TrickBot<\/em><\/strong> gang, also known for the malware families <strong><em>BazarLoader<\/em><\/strong> and <strong><em>TrickBot<\/em><\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-il-malware\">The Malware<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong><em>TrickBot banking Trojan<\/em><\/strong> was first identified in 2016. Over time, the gang that developed it and from which the malware takes its name, <strong><em>TrickBot<\/em><\/strong> (also known as <strong><em>Wizard Spider<\/em><\/strong>), has expanded and improved the capabilities of its tool, transforming it into a multi-purpose malware capable of implanting backdoors, delivering additional payloads, and executing lateral movement and data exfiltration activities with extreme speed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Recently, we tracked malware deployment through <strong><em>malspam<\/em><\/strong> emails that prompt victims to contact a call center. 
During the call, the victim is redirected to an operator tasked with guiding the user to download and execute the <strong><em>BazarLoader<\/em><\/strong> malware. This distribution technique is identified as <strong><em>BazarCall<\/em><\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-i-nuovi-affiliati\">The New Affiliates<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The new affiliates to the TrickBot gang have been observed in past campaigns for their use of <strong><em>IcedID<\/em><\/strong> (Hive0107). Both groups target various Western countries, including the United States and Canada, as well as several European nations. Typically, malware deployment occurs through a password-protected <em>zip<\/em> file (attached to an email) containing <strong><em>HTA<\/em><\/strong> files or various scripts (such as <strong><em>WScript<\/em><\/strong> and <strong><em>JScript<\/em><\/strong>) whose execution leads to deployment of the <strong><em>BazarLoader<\/em><\/strong> loader. From there, a series of <strong>PowerShell<\/strong> commands and scripts, associated with <strong><em>Cobalt Strike<\/em><\/strong> beacons and code exploiting the <strong><em>PrintNightmare<\/em><\/strong> vulnerability to obtain administrative privileges, are executed. Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations have tracked these TTPs across multiple intrusion sets, confirming the operational consistency of this attack chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hive0106\">Hive0106<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <strong><em>Hive0106<\/em><\/strong> group is known for its spam campaigns and use of <em><strong>Email Hijacking<\/strong><\/em> techniques. This technique involves inserting malicious content into private conversations, masquerading as legitimate communications. 
Campaigns executed by this group have been observed across multiple sectors and geographic regions, utilizing various domains and sites to distribute malicious software.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-hive0107\">Hive0107<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <em><strong>Hive0107<\/strong><\/em> group, conversely, is known for its previous affiliation with <em><strong>IcedID<\/strong><\/em>, which ended in the first half of 2021. Initial activity related to <em><strong>TrickBot<\/strong><\/em> and <strong>BazarLoader<\/strong> deployment dates to <em><strong>May 2021<\/strong><\/em>. Hive0107 attacks are characterized by the distribution of malicious links to users, typically messages containing information about legal actions against the target. Malicious software is distributed via cloud platforms and downloaded by the loader at the time of infection.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-consigli\">Recommendations<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To counter this class of cyberattacks, organizations should implement <strong>Security Monitoring<\/strong> activities typically delivered through <strong>MDR<\/strong> (<strong>Managed Detection &amp; Response<\/strong>) and <strong>Security Operation Center<\/strong> services. <strong>Two-factor authentication<\/strong> for access to sensitive data is increasingly necessary and urgent, though not sufficient in isolation. 
Employee awareness regarding risks associated with suspicious emails, links, and documents remains a foundational practice for reducing exposure to these threat vectors.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-riferimenti-e-approfondimenti\">References and Further Reading<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-security-intelligence wp-block-embed-security-intelligence\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/securityintelligence.com\/posts\/trickbot-gang-doubles-down-enterprise-infection\/\n<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>TrickBot operations update: infrastructure rebuilds, module evolution, partnership with ransomware affiliates and detection signals across recent campaigns.<\/p>\n","protected":false},"author":1,"featured_media":3897,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3151,1595,1597,1599,1515,1439,1601,1603,3207,1443,3208,1605,1607,1609,1611],"class_list":["post-3353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-banking-trojan","tag-conti-it","tag-hive0106-it","tag-hive0107-it","tag-malspam-it","tag-malware-it","tag-managed-detection-it","tag-mdr-it","tag-modular-malware","tag-ransomware-it","tag-ransomware-loader","tag-response-it","tag-stealer-it","tag-trickbot-it","tag-virus-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3353"}],"version-history":[{"count":4,"href":"ht
tps:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3353\/revisions"}],"predecessor-version":[{"id":9870,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3353\/revisions\/9870"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/3897"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}