SYMBOLCOMMON_NAMEaka. SYNONYMS

FIN11  (Back to overview)

aka: DEV-0950, Lace Tempest, TA505, TEMP.Warlock, UNC902

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.


Associated Families
win.mirrorblast win.servhelper win.andromut win.clop win.dridex win.flawedammyy win.flawedgrace win.get2 win.sdbbot win.silence win.teleport win.tinymet win.locky win.trickbot win.rms

References
2024-12-02Kaspersky LabsArtem Ushkov
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
NetSupportManager RAT RMS
2024-05-30EuropolEuropol
Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot
2024-05-01Natto ThoughtsNatto Team
Ransom-War: Russian Extortion Operations as Hybrid Warfare, Part One
Clop Conti Maze TrickBot
2024-02-12Estrellas's BlogOtávio M.
Unveiling custom packers: A comprehensive guide
Dridex Simda
2023-12-30Rewterz Information SecurityRewterz Information Security
Rewterz Threat Alert – Widely Abused MSIX App Installer Disabled by Microsoft – Active IOCs
EugenLoader POWERTRASH BATLOADER DarkGate FlawedGrace NetSupportManager RAT SectopRAT Storm-0506
2023-12-01The RecordDaryna Antoniuk
Russian developer of Trickbot malware pleads guilty, faces 35-year sentence
TrickBot
2023-09-07Department of JusticeOffice of Public Affairs
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies
Conti Conti TrickBot
2023-08-30NisosVincas Čižiūnas
Trickbot in Light of Trickleaks Data
TrickBot
2023-07-26TalosNicole Hoffman
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom
2023-07-13malware.loveRobert Giczewski
TrueBot Analysis Part IV - Config Extraction
Silence
2023-07-06CISACISA
Increased Truebot Activity Infects U.S. and Canada Based Networks
Silence
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-23FourcoreJones Martin
Clop Ransomware: History, Timeline, And Adversary Simulation
Clop
2023-06-12The DFIR ReportMaxime Thiebaut
A Truly Graceful Wipe Out
FlawedGrace Silence
2023-06-01vmwareFae Carlisle
Carbon Black’s TrueBot Detection
Silence
2023-05-23loginsoftSaharsh Agrawal
Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350
Clop LockBit Silence
2023-03-31malware.loveRobert Giczewski
TrueBot Analysis Part III - Capabilities
Silence
2023-03-30IBMFred Chidsey, John Dwyer, Joseph Lozowski
X-Force Prevents Zero Day from Going Anywhere
Silence
2023-02-27PRODAFT Threat IntelligencePRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader
2023-02-18malware.loveRobert Giczewski
TrueBot Analysis Part II - Static unpacker
Silence
2023-02-12malware.loveRobert Giczewski
TrueBot Analysis Part I - A short glimpse into packed TrueBot samples
Silence
2023-02-09U.S. Department of the TreasuryU.S. Department of the Treasury
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang
TrickBot
2023-02-08Huntress LabsJoe Slowik, Matt Anderson
Investigating Intrusions From Intriguing Exploits
Silence
2023-01-30CheckpointArie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot
2022-12-27Palo Alto Networks Unit 42Bob Jung, Daniel Raygoza, Esmid Idrizovic, Sean Hughes
Navigating the Vast Ocean of Sandbox Evasions
TrickBot Zebrocy
2022-12-08Cisco TalosTiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport
2022-12-06EuRepoCCamille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-11-11CodesecHugo Caron
GraceWire / FlawedGrace malware adventure
FlawedGrace
2022-10-31paloalto Netoworks: Unit42Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus
2022-10-27MicrosoftMicrosoft Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest
2022-10-27Bleeping ComputerSergiu Gatlan
Microsoft links Raspberry Robin worm to Clop ransomware attacks
Clop Raspberry Robin
2022-10-13SpamhausSpamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-13AdvIntelAdvanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-09-06PRODAFTPRODAFT
TA505 Group’s TeslaGun In-Depth Analysis
Clop ServHelper
2022-09-05PRODAFTPRODAFT
TA505 Group’s TeslaGun In-Depth Analysis
ServHelper
2022-09-01IBMEmmy Ebanks, Kevin Henson
Raspberry Robin and Dridex: Two Birds of a Feather
Dridex Raspberry Robin
2022-08-24Github (rad9800)Rad Kawar
Malware Madness: EXCEPTION edition
Dridex
2022-08-18IBMCharlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak
2022-08-15SentinelOneVikram Navali
Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot
2022-07-26MandiantDaniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton
2022-07-09Artik BlueArtik Blue
Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)
Dridex
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-15AttackIQAttackIQ Adversary Research Team, Jackson Wells
Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot
2022-06-13Jorge TestaJorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-06-02EclypsiumEclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate
2022-06-02MandiantMandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker
2022-05-28Bleeping ComputerSergiu Gatlan
Clop ransomware gang is back, hits 21 victims in a single month
Clop
2022-05-24Deep instinctBar Block
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet
2022-05-24The Hacker NewsFlorian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-19Palo Alto Networks Unit 42Saqib Khanzada
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
Dridex
2022-05-17Trend MicroTrend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot
2022-05-10RiskIQRiskIQ
RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns
Dridex
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-05YouTube (Chris Greer)Chris Greer
MALWARE Analysis with Wireshark // TRICKBOT Infection
TrickBot
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-27ANSSIANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-27Medium elis531989Eli Salem
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot
2022-04-26Intel 471Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot
2022-04-20CISAAustralian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-04-18RiskIQJennifer Grob
RiskIQ: Trickbot Rickroll
TrickBot
2022-04-17BushidoToken BlogBushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15Arctic WolfArctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot
2022-04-15Bleeping ComputerIonut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot
2022-04-08ReversingLabsPaul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot
2022-04-05Intel 471Intel 471
Move fast and commit crimes: Conti’s development teams mirror corporate tech
BazarBackdoor TrickBot
2022-03-31TrellixJambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot
2022-03-23SecureworksCounter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot
2022-03-21Threat PostLisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot
2022-03-18AvastMartin Hron
Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot
2022-03-16MicrosoftMicrosoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC)
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
TrickBot
2022-03-15RiskIQRiskIQ
RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control
TrickBot
2022-03-13Malcatmalcat team
Cutting corners against a Dridex downloader
Dridex
2022-03-09Bleeping ComputerIonut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot
2022-03-09BreachQuestBernard Silvestrini, Marco Figueroa, Napoleon Bing
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot
2022-03-04ReutersRaphael Satter
Details of another big ransomware group 'Trickbot' leak online, experts say
TrickBot
2022-03-02KrebsOnSecurityBrian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-03-02CyberArkCyberArk Labs
Conti Group Leaked!
TeamTNT Conti TrickBot
2022-03-02ThreatpostLisa Vaas
Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot
2022-03-01VX-Underground
Leaks: Conti / Trickbot
Conti TrickBot
2022-03-01VirusTotalVirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-25CyberScoopJoe Warminsky
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot
2022-02-24The RecordCatalin Cimpanu
TrickBot gang shuts down botnet after months of inactivity
TrickBot
2022-02-24The Hacker NewsRavie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot
2022-02-24The Hacker NewsRavie Lakshmanan
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot
2022-02-23Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker
2022-02-23SophosLabs UncutAndrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy
2022-02-22Trend MicroTrend Micro Research
Ransomware Spotlight: Clop
Clop
2022-02-22Bankinfo SecurityMatthew J. Schwartz
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot
2022-02-20Security AffairsPierluigi Paganini
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot
2022-02-18Bleeping ComputerIonut Ilascu
Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot
2022-02-16Threat PostTara Seals
TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
TrickBot
2022-02-16Advanced IntelligenceYelisey Boguslavskiy
The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works
TrickBot
2022-02-16Check Point ResearchAliaksandr Trafimchuk, Raman Ladutska
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
TrickBot
2022-02-08Intel 471Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar
2022-02-02IBMKevin Henson
TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
BazarBackdoor TrickBot
2022-02-01WiredMatt Burgess
Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot
2022-02-01Sentinel LABSAntonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker
2022-02-01WiredMatt Burgess
Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot
2022-01-24IBMCharlotte Hammond, Itzik Chimino, Limor Kessem, Michael Gal, Segev Fogel
TrickBot Bolsters Layered Defenses to Prevent Injection Research
TrickBot
2022-01-24Kryptos LogicKryptos Logic Vantage Team
Deep Dive into Trickbot's Web Injection
TrickBot
2022-01-19FBIFBI
CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware
Diavol TrickBot
2022-01-18Recorded FutureInsikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot
2022-01-14RiskIQJordan Herman
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet
2022-01-11muha2xmadMuhammad Hasan Ali
Unpacking Dridex malware
Dridex
2022-01-09Atomic Matryoshkaz3r0day_504
Malware Headliners: Dridex
Dridex
2021-12-23SymantecSiddhesh Chandrayan
Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass
2021-12-20InQuestNick Chalard
(Don't) Bring Dridex Home for the Holidays
DoppelDridex Dridex
2021-12-08Check Point ResearchAliaksandr Trafimchuk, David Driker, Raman Ladutska, Yali Magiel
When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot
2021-12-03GoSecureGoSecure Titan Labs
TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?
TrickBot
2021-12-01NCC GroupMichael Sandee, Nikolaos Pantazopoulos
Tracking a P2P network related to TA505
FlawedGrace Necurs
2021-11-21Cyber-AnubisNidal Fikri
Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
DoppelDridex Dridex
2021-11-16YoroiCarmelo Ragusa, Luca Mella, Luigi Martire
Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook
2021-11-16Trend MicroTrend Micro
Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels
REvil Clop Gandcrab REvil
2021-11-16MalwarebytesMalwarebytes Threat Intelligence Team
TrickBot helps Emotet come back from the dead
Emotet TrickBot
2021-11-12Recorded FutureInsikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot
2021-11-04Security Service of UkraineSecurity Service of Ukraine
Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine
EvilGnome Pteranodon RMS
2021-10-29EuropolEuropol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-29Національна поліція УкраїниНаціональна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-28Department of JusticeDepartment of Justice
Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot
2021-10-28Department of JusticeDepartment of Justice
Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot
2021-10-27VinCSSm4n0w4r, Tran Trung Kien
[RE025] TrickBot ... many tricks
TrickBot
2021-10-21CrowdStrikeAlex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet
2021-10-19ProofpointAxel F, Brandon Murphy, Crista Giering, Georgi Mladenov, Matthew Mesa, Zydeca Cass
Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
FlawedGrace MirrorBlast
2021-10-19KasperskyOleg Kupreev
Trickbot module descriptions
TrickBot
2021-10-14MorphisecArnold Osipov
Explosive New MirrorBlast Campaign Targets Financial Companies
MirrorBlast
2021-10-13IBMCharlotte Hammond, Ole Villadsen
Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
BazarBackdoor TrickBot
2021-10-08ZscalerLenart Brave, Tarun Dewan
New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot
2021-10-07MandiantMandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot
2021-10-05FRSecureOscar Minks
The REBOL Yell: A New Novel REBOL Exploit
MirrorBlast
2021-10-05Trend MicroByron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-10-04CiscoTiago Pereira
Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot
2021-10-01HPHP Wolf Security
Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm
2021-09-24ProofpointProofpoint
Daily Ruleset Update Summary 2021/09/24
MirrorBlast
2021-09-19HPPatrick Schläpfer
MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures
MirrorBlast
2021-09-15Palo Alto Networks Unit 42Anna Chung, Swetha Balla
Phishing Eager Travelers
Dridex
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-06Bleeping ComputerLawrence Abrams
TrickBot gang developer arrested when trying to leave Korea
Diavol TrickBot
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-19BlackberryBlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex TA575
2021-08-15SymantecThreat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-12Cisco TalosVanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper
2021-08-01The DFIR ReportThe DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot
2021-07-30HPPatrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot
2021-07-21splunkSplunk Threat Research Team
Detecting Trickbot with Splunk
TrickBot
2021-07-12BitdefenderBogdan Botezatu, Radu Tudorica
A Fresh Look at Trickbot’s Ever-Improving VNC Module
TrickBot
2021-07-06Medium walmartglobaltechJason Reaves, Joshua Platt
TA505 adds GoLang crypter for delivering miners and ServHelper
ServHelper
2021-07-02MalwareBookReportsmuzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex
2021-07-02The RecordCatalin Cimpanu
TrickBot: New attacks see the botnet deploy new banking module, new ransomware
TrickBot
2021-07-01Kryptos LogicKryptos Logic Vantage Team
TrickBot and Zeus
TrickBot Zeus
2021-06-30Advanced IntelligenceAdvIntel Security & Development Team, Brandon Rudisel, Yelisey Boguslavskiy
Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil
2021-06-25KrCertDongwook Kim, Kayoung Kim, Seulgi Lee, Taewoo Lee
Attack patterns in AD environment
Clop
2021-06-24BinanceBinance
Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks
Clop
2021-06-22Twitter (@Cryptolaemus1)Cryptolaemus, dao ming si, Kirk Sayre
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex
2021-06-16The RecordCatalin Cimpanu
Ukrainian police arrest Clop ransomware members, seize server infrastructure
Clop
2021-06-16Youtube (Національна поліція України)Національна поліція України
Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)
Clop
2021-06-16ProofpointDaniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-06-16KrebsOnSecurityBrian Krebs
Ukrainian Police Nab Six Tied to CLOP Ransomware
Clop
2021-06-16Національної поліції УкраїниНаціональна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy
2021-06-15Trend MicroByron Gelera, Earle Earnshaw, Janus Agcaoili, Miguel Ang, Nikko Tamana
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil
2021-06-15vmwareTakahiro Haruyama
Detecting UEFI Bootkits in the Wild (Part 1)
LoJax MosaicRegressor TrickBot
2021-06-08Intel 471Intel 471
The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P
2021-06-07Medium walmartglobaltechJason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-06-04The RecordCatalin Cimpanu
US arrests Latvian woman who worked on Trickbot malware source code
TrickBot
2021-06-04Department of JusticeOffice of Public Affairs
Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
TrickBot
2021-06-03YouTube (FIRST)Felipe Domingues, Gustavo Palazolo
Breaking Dridex Malware
Dridex
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-13AWAKEKieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS
2021-05-11Mal-Eatsmal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader
2021-05-11CrowdStrikeThe Falcon Complete Team
Response When Minutes Matter: Rising Up Against Ransomware
TinyMet
2021-05-10Mal-Eatsmal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-05RiskIQKelsey Clapp
Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic
TrickBot
2021-05-03splunkSplunk Threat Research Team
Clop Ransomware Detection: Threat Research Release, April 2021
Clop
2021-05-02The DFIR ReportThe DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot
2021-04-26CoveWareCoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-25Vulnerability.ch BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-15Twitter (@felixw3000)Felix
Tweet on Dridex's evasion technique
Dridex
2021-04-15ProofpointSelena Larson
Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot
2021-04-14ViceLorenzo Franceschi-Bicchierai
Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
Clop
2021-04-13Palo Alto Networks Unit 42Doel Santos
Threat Assessment: Clop Ransomware
Clop
2021-04-13splunkSplunk Threat Research Team
Detecting Clop Ransomware
Clop
2021-04-12PTSecurityPTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader
2021-04-06LexfoLexfo
Dridex Loader Analysis
Dridex
2021-04-06Intel 471Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot
2021-04-05Medium walmartglobaltechJason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot
2021-03-31KasperskyKaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2021-03-31Red CanaryRed Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot
2021-03-29VMWare Carbon BlackGiovanni Vigna, Jason Zhang, Oleg Boyarchuk
Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex
2021-03-26Bleeping ComputerLawrence Abrams
Ransomware gang urges victims’ customers to demand a ransom payment
Clop
2021-03-21BlackberryBlackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-18PRODAFT Threat IntelligencePRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic
2021-03-17HPHP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader
2021-03-17CISAUS-CERT
Alert (AA21-076A): TrickBot Malware
TrickBot
2021-03-11IBMDave McMillen, Limor Kessem
Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex
2021-03-11FlashpointFlashpoint
CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil
2021-03-02Möbius Strip Reverse EngineeringRolf Rolles
An Exhaustively-Analyzed IDB for FlawedGrace
FlawedGrace
2021-03-01Group-IBOleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28PWC UKPWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-25ANSSICERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-24IBMIBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22FireEyeAndrew Moore, Genevieve Stark, Isif Ibrahima, Kimberly Goody, Van Ta
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
DEWMODE Clop
2021-02-15Medium s2wlabSojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2021-02-08ESET ResearchESET Research
THREAT REPORT Q4 2020
TrickBot
2021-02-07Technical Blog of Ali AqeelAli Aqeel
Dridex Malware Analysis
Dridex
2021-02-02Twitter (@TheDFIRReport)The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01MicrosoftMicrosoft 365 Defender Threat Intelligence Team
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot
2021-02-01Kryptos LogicKryptos Logic Vantage Team
Trickbot masrv Module
TrickBot
2021-01-28Youtube (Virus Bulletin)Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction
2021-01-26IBMNir Shwarts
TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
TrickBot
2021-01-20Medium walmartglobaltechJason Reaves, Joshua Platt
Anchor and Lazarus together again?
Anchor TrickBot
2021-01-19Medium elis531989Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot
2021-01-19HPPatrick Schläpfer
Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
Dridex
2021-01-19Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot
2021-01-11The DFIR ReportThe DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot
2021-01-09Marco Ramilli's BlogMarco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot
2021-01-06DomainToolsJoe Slowik
Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot
2021-01-05AhnLabAhnLab ASEC Analysis Team
[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant
Clop
2021-01-04Check PointCheck Point Research
DRIDEX Stopping Serial Killer: Catching the Next Strike
Dridex
2021-01-04SentinelOneMarco Figueroa
Building a Custom Malware Analysis Lab Environment
TrickBot
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER
2021-01-01SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp
2020-12-21KEYSIGHT TECHNOLOGIESEdsel Valle
TrickBot: A Closer Look
TrickBot
2020-12-18Intel 471Intel 471
TA505’s modified loader means new attack campaign could be coming
Get2
2020-12-15Twitter (@darb0ng)Minhee Lee
Tweet on Symrise group hit by Clop Ransomware
Clop
2020-12-14BluelivAlberto Marín, Blueliv Labs Team, Carlos Rubio
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet
2020-12-10CybereasonJoakim Kandefelt
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-10CyberIntCyberInt
Ryuk Crypto-Ransomware
Ryuk TrickBot
2020-12-03Bleeping ComputerLawrence Abrams
Ransomware gang says they stole 2 million credit cards from E-Land
Clop
2020-12-03EclypsiumEclypsium
TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit
TrickBot
2020-12-02AhnLabAhnLab ASEC Analysis Team
CLOP Ransomware Report
Clop
2020-11-23S2W LAB Inc.TALON
[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop
2020-11-23BitdefenderLiviu Arsene, Radu Tudorica
TrickBot is Dead. Long Live TrickBot!
TrickBot
2020-11-22malware.loveRobert Giczewski
Trickbot tricks again [UPDATE]
TrickBot
2020-11-20ZDNetCatalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-20Bleeping ComputerLawrence Abrams
LightBot: TrickBot’s new reconnaissance malware for high-value targets
LightBot TrickBot
2020-11-18SophosSophos
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader
2020-11-17Salesforce EngineeringJohn Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot
2020-11-17malware.loveRobert Giczewski
Trickbot tricks again
TrickBot
2020-11-17Twitter (@VK_intel)Vitali Kremez
Tweet on a new fileless TrickBot loading method using code from MemoryModule
TrickBot
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-16Fox-ITAnne Postma, Antonis Terefos, Tera0017
TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505
2020-11-12Hurricane LabsDusty Miller
Splunking with Sysmon Part 4: Detecting Trickbot
TrickBot
2020-11-12Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
SDBbot
2020-11-10Intel 471Intel 471
Trickbot down, but is it out?
BazarBackdoor TrickBot
2020-11-05Kaspersky LabsKaspersky Lab ICS CERT, Vyacheslav Kopeytsev
Attackson industrial enterprises using RMS and TeamViewer: new data
RMS
2020-11-04VMRayGiovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-29Red CanaryThe Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29Twitter (@anthomsec)Andrew Thompson
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29MandiantAndrew Moore, Genevieve Stark
FIN11: A Widespread Ransomware and Extortion Operation (Webinar)
FIN11
2020-10-29CERT-FRCERT-FR
LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot
2020-10-29Palo Alto Networks Unit 42Brad Duncan, Brittany Barbehenn, Doel Santos
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-26Arbor NetworksSuweera De Souza
Dropping the Anchor
AnchorDNS Anchor TrickBot
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-20MicrosoftTom Burt
An update on disruption of Trickbot
TrickBot
2020-10-20Intel 471Intel 471
Global Trickbot disruption operation shows promise
TrickBot
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-16DuoDennis Fisher
Trickbot Up to Its Old Tricks
TrickBot
2020-10-15Intel 471Intel 471
That was quick: Trickbot is back after disruption attempts
TrickBot
2020-10-15Department of JusticeDepartment of Justice
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot
2020-10-14FireEyeAndrew Moore, Genevieve Stark, Jacqueline O’Leary, Kimberly Goody, Nalani Fraser, Vincent Cannon
FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
FIN11
2020-10-12MicrosoftTom Burt
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-12SymantecThreat Hunter Team
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot
2020-10-12LumenBlack Lotus Labs
A Look Inside The TrickBot Botnet
TrickBot
2020-10-12ESET ResearchJean-Ian Boutin
ESET takes part in global operation to disrupt Trickbot
TrickBot
2020-10-12MicrosoftMicrosoft 365 Defender Threat Intelligence Team
Trickbot disrupted
TrickBot
2020-10-12US District Court for the Eastern District of Virginia
TRICKBOT complaint
TrickBot
2020-10-10The Washington PostEllen Nakashima
Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot
2020-10-08ZDNetCatalin Cimpanu
German tech giant Software AG down after ransomware attack
Clop
2020-10-08BromiumAlex Holland
Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
TrickBot
2020-10-06TelekomThomas Barabosch
Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505
2020-10-03WikipediaWikpedia
Wikipedia Page: Maksim Yakubets
Dridex Feodo Evil Corp
2020-10-03AviraAvira Protection Labs
TA505 targets the Americas in a new campaign
ServHelper
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-02KrebsOnSecurityBrian Krebs
Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot
2020-09-30CERT-XLMPaul Jung
Another Threat Actor day...
SDBbot
2020-09-29PWC UKAndy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-29MicrosoftMicrosoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot
2020-09-22OSINT FansGabor Szathmari
What Service NSW has to do with Russia?
TrickBot
2020-09-18AppGateFelipe Duarte, Gustavo Palazolo
Reverse Engineering Dridex and Automating IOC Extraction
Dridex
2020-09-16Intel 471Intel 471
Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot
2020-09-10SANS ISC InfoSec ForumsBrad Duncan
Recent Dridex activity
Dridex
2020-09-07Github (pan-unit42)Brad Duncan
Collection of recent Dridex IOCs
Cutwail Dridex
2020-08-31cyber.wtf blogLuca Ebach
Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-21Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex
2020-08-20sensecycyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-20CERT-FRCERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot
2020-08-09F5 LabsDebbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-08-03The DFIR Report
Dridex – From Word to Domain Dominance
Dridex
2020-07-29ESET Researchwelivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-22SentinelOneJason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader
2020-07-21YouTube ( OPCDE with Matt Suiche)Mohamad Mokbel
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence
2020-07-20Bleeping ComputerLawrence Abrams
Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot
2020-07-17CERT-FRCERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus
2020-07-15Intel 471Intel 471
Flowspec – TA505’s bulletproof hoster of choice
Get2
2020-07-15MandiantCorey Hildebrandt, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Nathan Brubaker
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake
2020-07-13JoeSecurityJoe Security
TrickBot's new API-Hammering explained
TrickBot
2020-07-11Advanced IntelligenceVitali Kremez
TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot
2020-07-11BleepingComputerLawrence Abrams
TrickBot malware mistakenly warns victims that they are infected
TrickBot
2020-07-09GdataG DATA Security Lab
ServHelper: Hidden Miners
ServHelper
2020-07-07HornetsecurityHornetsecurity Security Lab
Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2
2020-07-06NTTSecurity division of NTT Ltd.
TrickBot variant “Anchor_DNS” communicating over DNS
AnchorDNS TrickBot
2020-06-24MorphisecArnold Osipov
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader
2020-06-22Sentinel LABSJason Reaves, Joshua Platt
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot
2020-06-22BleepingComputerLawrence Abrams
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop
2020-06-22CERT-FRCERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot
2020-06-19ReaqtaReaqta
Dridex: the secret in a PostMessage()
Dridex
2020-06-17Youtube (Red Canary)Adam Pennington, David Kaplan, Erika Noerenberg, Matt Graeber
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot
2020-06-17Twitter (@MsftSecIntel)Microsoft Security Intelligence
A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
FlawedGrace
2020-06-17Twitter (@VK_intel)malwrhunterteam, Vitali Kremez
Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet
2020-06-16TelekomThomas Barabosch
TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505
2020-06-15FortinetFred Gutierrez, Val Saengphaibul
Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot
2020-06-12HornetsecuritySecurity Lab
Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot
2020-06-11CofenseJason Meurer
All You Need Is Text: Second Wave
TrickBot
2020-06-05VotiroVotiro’s Research Team
Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex
2020-06-02Lastline LabsJames Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader
2020-05-31Medium walmartglobaltechJason Reaves, Joshua Platt
WastedLoader or DridexLoader?
Dridex WastedLocker
2020-05-28Palo Alto Networks Unit 42Brad Duncan
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot
2020-05-27GAIS-CERTGAIS-CERT
Dridex Banking Trojan Technical Analysis Report
Dridex
2020-05-25CERT-FRCERT-FR
INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex
2020-05-25CERT-FRCERT-FR
Le Code Malveillant Dridex: Origines et Usages
Dridex
2020-05-24Positive TechnologiesPT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader
2020-05-22Positive TechnologiesPT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper
2020-05-21Intel 471Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot
2020-05-20PTSecurityPT ESC Threat Intelligence
Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy
2020-05-19AlienLabsOfer Caspi
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot
2020-05-18ThreatpostTara Seals
Ransomware Gang Arrested for Spreading Locky to Hospitals
Locky
2020-05-14SentinelOneJason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot
2020-04-23CERT-FRCERT-FR
LE GROUPE CYBERCRIMINEL SILENCE
Silence
2020-04-14SecurityIntelligenceMelissa Frydrych
TA505 Continues to Infect Networks With SDBbot RAT
SDBbot TinyMet TA505
2020-04-14Intel 471Intel 471
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-04-14IntrinsecJean Bichet
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot
2020-04-09ZscalerAbhay Yadav, Atinderpal Singh
TrickBot Emerges with a Few New Tricks
TrickBot
2020-04-09Github (Tera0017)Tera0017
SDBbot Unpacker
SDBbot
2020-04-08SentinelOneJason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot
2020-04-07SecurityIntelligenceOle Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot
2020-04-01CiscoAndrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-31FireEyeAaron Stephens, Van Ta
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878
2020-03-31Cisco TalosChris Neal
Trickbot: A primer
TrickBot
2020-03-30IntezerMichael Kajiloti
Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot
2020-03-26TelekomThomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505
2020-03-25Wilbur SecurityJW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-24Bleeping ComputerLawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil
2020-03-18BitdefenderAlexandru Maximciuc, Cristina Vatamanu, Liviu Arsene, Radu Tudorica
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot
2020-03-18ProofpointAxel F, Sam Scholten
Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos
2020-03-09FortinetXiaopeng Zhang
New Variant of TrickBot Being Spread by Word Document
TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04Bleeping ComputerLawrence Abrams
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-04CrowdStrikeCrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-04SentinelOneJason Reaves
Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBRIDGE
2020-03-03PWC UKPWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-02-28MorphisecMichael Gorelik
Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot
2020-02-28Financial Security InstituteFinancial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet
2020-02-26SentinelOneJason Reaves
Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot
2020-02-20ZDNetCatalin Cimpanu
Croatia's largest petrol station chain impacted by cyber-attack
Clop
2020-02-19FireEyeFireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot
2020-02-18Sophos LabsLuca Nagy
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot
2020-02-13QianxinQi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10viXraJason Reaves
A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach
Locky
2020-02-10MalwarebytesAdam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter Arntz, Thomas Reed, Wendy Zamora
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-07Bleeping ComputerSergiu Gatlan
TA505 Hackers Behind Maastricht University Ransomware Attack
Clop
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2020-01-30Bleeping ComputerLawrence Abrams
TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot
2020-01-30MorphisecArnold Osipov
Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot
2020-01-29ANSSIANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29Bleeping ComputerLawrence Abrams
Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot
2020-01-27T-SystemsT-Systems
Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot
2020-01-23Bleeping ComputerLawrence Abrams
TrickBot Now Steals Windows Active Directory Credentials
TrickBot
2020-01-17Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone
2020-01-16Bleeping ComputerLawrence Abrams
TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot
2020-01-14TelekomThomas Barabosch
Inside of CL0P’s ransomware operation
Clop Get2 SDBbot
2020-01-13Github (Tera0017)Tera0017
TAFOF Unpacker
Clop Get2 Silence
2020-01-10CSISCSIS
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot
2020-01-09SonicWallSonicWall
ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access
ServHelper
2020-01-09SentinelOneJason Reaves, Joshua Platt, Vitali Kremez
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER
2020-01-07Github (albertzsigovits)Albert Zsigovits
Clop ransomware Notes
Clop
2020-01-07Github (albertzsigovits)Albert Zsigovits
Clop ransomware Notes
Clop
2020-01-01SecureworksSecureWorks
GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz
2020-01-01SecureworksSecureWorks
GOLD BLACKBURN
Dyre TrickBot
2020-01-01SecureworksSecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2020-01-01SecureworksSecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2020-01-01SecureworksSecureWorks
GOLD HERON
DoppelPaymer Dridex Empire Downloader
2020-01-01SecureworksSecureWorks
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020-01-01SecureworksSecureWorks
GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505
2019-12-20Binary DefenseJames Quinn
An Updated ServHelper Tunnel Variant
ServHelper
2019-12-19KrebsOnSecurityBrian Krebs
Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp
2019-12-17BluelivAdrián Ruiz, Blueliv Labs Team, Jose Miguel Esparza
TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-09Palo Alto Networks Unit 42Brittany Ash, Bryan Lee, Mike Harbison
TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot
2019-12-05U.S. Department of the TreasuryU.S. Department of the Treasury
Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
Dridex
2019-11-24Jacob Pimental
TA505 Get2 Analysis
Get2
2019-11-22CERT-FRCERT-FR
RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop
2019-11-22Palo Alto Networks Unit 42Brad Duncan
Trickbot Updates Password Grabber Module
TrickBot
2019-11-19ACTURédaction Normandie
Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop
2019-11-13CrowdStrikeJason Rivera, Jen Ayers
Through the Eyes of the Adversary
TrickBot CLOCKWORK SPIDER
2019-11-08Palo Alto Networks Unit 42Brad Duncan
Wireshark Tutorial: Examining Trickbot Infections
TrickBot
2019-11-06Heise SecurityThomas Hungenberg
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-10-29SneakyMonkey BlogSneakyMonkey
TRICKBOT - Analysis Part II
TrickBot
2019-10-24Sentinel LABSVitali Kremez
How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot
2019-10-21FireEyeEvan Reese, Nick Carr, Steve Miller
Shikata Ga Nai Encoder Still Going Strong
FIN11
2019-10-16ProofpointAxel F, Dennis Schwarz, Kafeine, Matthew Mesa, Proofpoint Threat Insight Team
TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
Get2 SDBbot TA505
2019-10-10Github (StrangerealIntel)StrangerealIntel
Analysis of the new TA505 campaign
Get2
2019-10-10AhnLabASEC Analysis Team
ASEC Report Vol. 96: Analysis Report on Operation Red Salt, Analysis on the Malicious SDB File Found in Ammyy Hacking Tool
SDBbot
2019-09-25GovCERT.chGovCERT.ch
Trickbot - An analysis of data collected from the botnet
TrickBot
2019-09-09McAfeeChintan Shah, Marc Rivero López, Thomas Roccia
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda
2019-08-29ThreatReconThreatRecon Team
SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505
2019-08-27Trend MicroHara Hiroaki, Jaromír Hořejší, Loseway Lu
TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper
2019-08-27SecureworksCTU Research Team
TrickBot Modifications Target U.S. Mobile Users
TrickBot WIZARD SPIDER
2019-08-26InQuestJosiah Smith
Memory Analysis of TrickBot
TrickBot
2019-08-20Github (SherifEldeeb)Sherif Eldeeb
Source code: TinyMet
TinyMet
2019-08-13AdalogicsDavid Korczynski
The state of advanced code injections
Dridex Emotet Tinba
2019-08-05Trend MicroMichael Jhon Ofiaza, Noel Anthony Llimos
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot
2019-08-01Group-IBGroup-IB
Silence 2.0 - Going Global
Silence
2019-08-01Group-IBGroup-IB
Attacks by Silence
Silence DDoS Kikothac Silence
2019-08-01McAfeeAlexandre Mundo, Marc Rivero López
Clop Ransomware
Clop
2019-07-30Dissecting MalwareMarius Genheimer
Picking Locky
Locky
2019-07-12DeepInstinctShaul Vilkomir-Preisman
TrickBooster – TrickBot’s Email-Based Infection Module
TrickBot
2019-07-12CrowdStrikeBex Hartley, Brett Stone-Gross, Sergei Frankoff
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelDridex DoppelPaymer Dridex FriedEx
2019-07-11NTT SecurityNTT Security
Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-07-04Trend MicroTrend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut
2019-07-02ProofpointDennis Schwarz, Matthew Mesa, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy
2019-06-12GdataKarsten Hahn
Ransomware identification for the judicious analyst
Cerber Cryptowall CryptoFortress Locky PadCrypt Spora VirLock
2019-06-04SlideShareVitali Kremez
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot
2019-05-31Youtube (0verfl0w_)0verfl0w_
Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit
2019-05-29YoroiAntonio Farina, Davide Testa, Luca Mella
TA505 is Expanding its Operations
RMS
2019-05-28MITREMITRE
FlawedAmmyy
FlawedAmmyy
2019-05-22sneakymonk3y (Mark)
TRICKBOT - Analysis
TrickBot
2019-05-14GovCERT.chGovCERT.ch
The Rise of Dridex and the Role of ESPs
Dridex
2019-05-09GovCERT.chGovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-05-02CERT.PLMichał Praszmo
Detricking TrickBot Loader
TrickBot
2019-04-25CybereasonCybereason Nocturnus
Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505
2019-04-22SANSMike Downey
Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy
2019-04-05Medium vishal_thakurVishal Thakur
Trickbot — a concise treatise
TrickBot
2019-04-02CybereasonLior Rochberger, Matan Zatz, Noa Pinkas
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-04-02DeepInstinctShaul Vilkomir-Preisman
New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper
2019-03-28Carbon BlackCB TAU Threat Intelligence
CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
Clop
2019-03-20FlashpointJason Reaves, Joshua Platt
FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet
2019-03-05Bleeping ComputerLawrence Abrams
CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop
2019-03-05PepperMalware BlogPepper Potts
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot
2019-02-15CrowdStrikeBex Hartley, Brendon Feeley
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER
2019-02-12Trend MicroTrend Micro
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot
2019-02-11One Night in NorfolkKevin Perlow
How the Silence Downloader Has Evolved Over Time
Silence
2019-02-06One Night in NorfolkKevin Perlow
Some Notes on the Silence Proxy
Silence
2019-02-02Medium SebdravenSébastien Larinier
Unpacking Clop
Clop
2019-01-24ReaqtaReaqta
Silence group targeting Russian Banks via Malicious CHM
Silence Silence group
2019-01-24奇安信威胁情报中心事件追踪
Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper
2019-01-14Möbius Strip Reverse EngineeringRolf Rolles
A Quick Solution to an Ugly Reverse Engineering Problem
FlawedGrace
2019-01-11FireEyeChristopher Glyer, Jaideep Natu, Jeremy Kennelly, Kimberly Goody
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-09ProofpointDennis Schwarz, Proofpoint Staff
ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper
2019-01-01CyberIntCyberInt
Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505
2018-12-18Trend MicroTrendmicro
URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB
2018-12-12SecureDataWicus Ross
The TrickBot and MikroTik connection
TrickBot
2018-12-05VIPREVIPRE Labs
Trickbot’s Tricks
TrickBot
2018-11-12Malwarebyteshasherezade
What’s new in TrickBot? Deobfuscating elements
TrickBot
2018-11-08FortinetXiaopeng Zhang
Deep Analysis of TrickBot New Module pwgrab
TrickBot
2018-11-01Trend MicroCarl Maverick Pascual, Noel Anthony Llimos
Trickbot Shows Off New Trick: Password Grabber Module
TrickBot
2018-10-01Macnica NetworksMacnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm
2018-08-14CyberbitHod Gavriel
Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot
2018-07-26IEEE Symposium on Security and Privacy (SP)Alex C. Snoeren, Damon McCoy, Danny Yuxing Huang, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Kylie McRoberts, Luca Invernizzi, Maxwell Matthaios Aliapoulios, Vector Guo Li
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor
2018-07-19ProofpointProofpoint Staff
TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy
2018-07-03Talos IntelligenceBen Baker, Holger Unterbrink
Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot
2018-06-28Secrary BlogLasha Khasaia
A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy
2018-06-20OALabs
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot
2018-06-13Github (JR0driguezB)Jorge Rodriguez
TrickBot config files
TrickBot
2018-04-16Random REsysopfb
TrickBot & UACME
TrickBot
2018-04-03Vitali Kremez BlogVitali Kremez
Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot
2018-03-31Youtube (hasherezade)hasherezade
Deobfuscating TrickBot's strings with libPeConv
TrickBot
2018-03-27Trend MicroTrendmicro
Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot
2018-03-21WebrootJason Davison
TrickBot Banking Trojan Adapts with New Module
TrickBot
2018-03-20StormshieldMehdi Talbi
De-obfuscating Jump Chains with Binary Ninja
Locky
2018-03-07ProofpointProofpoint Staff
Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader
2018-02-15SecurityIntelligenceLimor Kessem, Magal Baz, Ophir Harpaz
TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot
2018-02-01Malware Traffic AnalysisBrad Duncan
Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot
2018-01-26ESET ResearchMichal Poslušný
FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx
2018-01-12ProofpointProofpoint Staff
Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER
2017-12-30Youtube (hasherezade)hasherezade
Unpacking TrickBot with PE-sieve
TrickBot
2017-12-19Vitali Kremez BlogVitali Kremez
Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot
2017-11-22FlashpointVitali Kremez
Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot
2017-11-21Vitali Kremez
Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot
2017-11-07ThreatVectorCylance Threat Research Team
Locky Ransomware
Locky
2017-11-01IntezerJay Rosenberg
Silence of the Moles
Silence
2017-11-01Kaspersky LabsGReAT
Silence – a new Trojan attacking financial organizations
Silence Silence group
2017-10-06BluelivBlueliv
TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot
2017-09-21MalwarebytesJérôme Segura
Fake IRS notice delivers customized spying tool
RMS
2017-08-20MyOnlineSecurityMyOnlineSecurity
return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload
Cold$eal Locky
2017-08-16Bleeping ComputerLawrence Abrams
Locky Ransomware switches to the Lukitus extension for Encrypted Files
Locky
2017-08-10botfrei BlogTom Berchem
Weltweite Spamwelle verbreitet teuflische Variante des Locky
Locky
2017-08-01MalwarebytesMalwarebytes Labs
TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot
2017-08-01Panda SecurityPanda Security
Malware Report: Dridex Version 4
Dridex
2017-07-27FlashpointFlashpoint
New Version of “Trickbot” Adds Worm Propagation Module
TrickBot
2017-07-25Github (viql)Johannes Bader
Dridex Loot
Dridex
2017-07-18ElasticAshkan Hosseini
Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky
2017-07-01Ring Zero LabsRing Zero Labs
TrickBot Banking Trojan - DOC00039217.doc
TrickBot
2017-06-22Bleeping ComputerCatalin Cimpanu
Locky Ransomware Returns, but Targets Only Windows XP & Vista
Locky
2017-06-21CiscoAlex Chiu, Jaeson Schultz, Matthew Molyett, Sean Baird, Warren Mercer
Player 1 Limps Back Into the Ring - Hello again, Locky!
Locky
2017-06-15F5Doron Voolf, Jesse Smith, Sara Boddy
Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot
2017-06-12Security Art WorkJoséMiguel Holguín, Marc Salinas
Evolución de Trickbot
TrickBot
2017-05-26PWCBart Parys
TrickBot’s bag of tricks
TrickBot
2017-05-25Kaspersky LabsNikita Slepogin
Dridex: A History of Evolution
Dridex Feodo
2017-05-15SecureworksCounter Threat Unit ResearchTeam
Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN
2017-03-01FraudWatch InternationalFraudWatch International
How Does the Trickbot Malware Work?
TrickBot
2017-02-28Security IntelligenceMagal Baz, Or Safran
Dridex’s Cold War: Enter AtomBombing
Dridex
2017-02-27Palo Alto Networks Unit 42Anthony Kasza, Dominik Reichel
The Gamaredon Group Toolset Evolution
Pteranodon RMS Gamaredon Group
2017-01-31MalwarebytesMalwarebytes Labs
Locky Bart ransomware and backend server analysis
Locky
2017-01-26FlashpointFlashpoint
Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex
2016-12-07BotconfJoshua Adams
The TrickBot Evolution
TrickBot
2016-12-06FortinetXiaopeng Zhang
Deep Analysis of the Online Banking Botnet TrickBot
TrickBot
2016-11-09Lior Keshet
Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot
2016-11-07F5 LabsAnna Dorfman, Julia Karpin, Shaul Vilkomir-Preisman
Little Trickbot Growing Up: New Campaign
TrickBot
2016-10-25NetScoutASERT Team
TrickBot Banker Insights
Godzilla Loader TrickBot
2016-10-24MalwarebytesMalwarebytes Labs
Introducing TrickBot, Dyreza’s successor
TrickBot
2016-10-15Fidelis CybersecurityThreat Research Team
TrickBot: We Missed you, Dyre
TrickBot
2016-10-11SymantecSymantec Security Response
Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7
2016-07-07Pierluigi Paganini
New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.
Locky
2016-03-01Malwarebyteshasherezade
Look Into Locky Ransomware
Locky
2016-02-16SymantecDick O'Brien
Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex
2015-11-10CERT.PLCERT.PL
Talking to Dridex (part 0) – inside the dropper
Dridex
2015-10-26BluelivBlueliv
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre
2015-10-15BitSightAnubisLabs
Dridex: Chasing a botnet from the inside
Dridex
2015-10-13SecureworksBrett Stone-Gross
Dridex (Bugat v5) Botnet Takeover Operation
Dridex Evil Corp

Credits: MISP Project