TA505 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

TA505 (Back to overview)

aka: SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

Associated Families

win.rms win.andromut win.flawedammyy win.tinymet win.flawedgrace win.locky win.get2 win.sdbbot win.clop win.dridex win.servhelper win.trickbot

References

2021-07-21 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting Trickbot with Splunk
TrickBot

2021-07-12 ⋅ Bitdefender ⋅ Radu Tudorica, Bogdan Botezatu
A Fresh Look at Trickbot’s Ever-Improving VNC Module
TrickBot

2021-07-06 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TA505 adds GoLang crypter for delivering miners and ServHelper
ServHelper

2021-07-02 ⋅ MalwareBookReports ⋅ muzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex

2021-07-02 ⋅ The Record ⋅ Catalin Cimpanu
TrickBot: New attacks see the botnet deploy new banking module, new ransomware
TrickBot

2021-07-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
TrickBot and Zeus
TrickBot Zeus

2021-06-30 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team
Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil

2021-06-25 ⋅ KrCert ⋅ Kayoung Kim, Dongwook Kim, Taewoo Lee, Seulgi Lee
Attack patterns in AD environment
Clop

2021-06-24 ⋅ Binance ⋅ Binance
Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks
Clop

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex

2021-06-16 ⋅ Youtube (Національна поліція України) ⋅ Національна поліція України
Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)
Clop

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-06-16 ⋅ The Record ⋅ Catalin Cimpanu
Ukrainian police arrest Clop ransomware members, seize server infrastructure
Clop

2021-06-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ukrainian Police Nab Six Tied to CLOP Ransomware
Clop

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Trend Micro ⋅ Janus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil

2021-06-08 ⋅ Intel 471 ⋅ Intel 471
The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P

2021-06-07 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot

2021-06-04 ⋅ The Record ⋅ Catalin Cimpanu
US arrests Latvian woman who worked on Trickbot malware source code
TrickBot

2021-06-04 ⋅ Department of Justice ⋅ Office of Public Affairs
Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
TrickBot

2021-06-03 ⋅ YouTube (FIRST) ⋅ Felipe Domingues, Gustavo Palazolo
Breaking Dridex Malware
Dridex

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
Anchor_DNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-11 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Response When Minutes Matter: Rising Up Against Ransomware
TinyMet

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
Anchor_DNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-05 ⋅ RiskIQ ⋅ Kelsey Clapp
Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic
TrickBot

2021-05-03 ⋅ splunk ⋅ Splunk Threat Research Team
Clop Ransomware Detection: Threat Research Release, April 2021
Clop

2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot

2021-05 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-15 ⋅ Twitter (@felixw3000) ⋅ Felix
Tweet on Dridex's evasion technique
Dridex

2021-04-14 ⋅ Vice ⋅ Lorenzo Franceschi-Bicchierai
Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
Clop

2021-04-13 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting Clop Ransomware
Clop

2021-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos
Threat Assessment: Clop Ransomware
Clop

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zeppelin Ransomware Zloader

2021-04-06 ⋅ Intel 471 ⋅ Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot

2021-04-06 ⋅ Lexfo ⋅ Lexfo
Dridex Loader Analysis
Dridex

2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot

2021-03-31 ⋅ Kaspersky ⋅ Kaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-29 ⋅ VMWare Carbon Black ⋅ Jason Zhang, Oleg Boyarchuk, Giovanni Vigna
Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex

2021-03-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware gang urges victims’ customers to demand a ransom payment
Clop

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic

2021-03-17 ⋅ HP ⋅ HP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader

2021-03-17 ⋅ CISA ⋅ US-CERT
Alert (AA21-076A): TrickBot Malware
TrickBot

2021-03-11 ⋅ Flashpoint ⋅ Flashpoint
CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil

2021-03-11 ⋅ IBM ⋅ Dave McMillen, Limor Kessem
Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex

2021-03-02 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
An Exhaustively-Analyzed IDB for FlawedGrace
FlawedGrace

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare

2021-02-25 ⋅ ANSSI ⋅ CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot

2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-22 ⋅ FireEye ⋅ Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
DEWMODE Clop

2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelPaymer PwndLocker

2021-02-08 ⋅ ESET Research ⋅ ESET Research
THREAT REPORT Q4 2020
TrickBot

2021-02-07 ⋅ Technical Blog of Ali Aqeel ⋅ Ali Aqeel
Dridex Malware Analysis
Dridex

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex

2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot

2021-02-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
Trickbot masrv Module
TrickBot

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction

2021-01-26 ⋅ IBM ⋅ Nir Shwarts
TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
TrickBot

2021-01-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Anchor and Lazarus together again?
Anchor TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-19 ⋅ HP ⋅ Patrick Schläpfer
Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
Dridex

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-06 ⋅ DomainTools ⋅ Joe Slowik
Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot

2021-01-05 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant
Clop

2021-01-04 ⋅ SentinelOne ⋅ Marco Figueroa
Building a Custom Malware Analysis Lab Environment
TrickBot

2021-01-04 ⋅ Check Point ⋅ Check Point Research
DRIDEX Stopping Serial Killer: Catching the Next Strike
Dridex

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER

2020-12-21 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Edsel Valle
TrickBot: A Closer Look
TrickBot

2020-12-18 ⋅ Intel 471 ⋅ Intel 471
TA505’s modified loader means new attack campaign could be coming
Get2

2020-12-15 ⋅ Twitter (@darb0ng) ⋅ Minhee Lee
Tweet on Symrise group hit by Clop Ransomware
Clop

2020-12-14 ⋅ Blueliv ⋅ Alberto Marín, Carlos Rubio, Blueliv Labs Team
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet

2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-10 ⋅ CyberInt ⋅ CyberInt
Ryuk Crypto-Ransomware
Ryuk TrickBot

2020-12-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware gang says they stole 2 million credit cards from E-Land
Clop

2020-12-03 ⋅ Eclypsium ⋅ Eclypsium
TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit
TrickBot

2020-12-02 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
CLOP Ransomware Report
Clop

2020-11-23 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica
TrickBot is Dead. Long Live TrickBot!
TrickBot

2020-11-23 ⋅ S2W LAB Inc. ⋅ TALON
[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop

2020-11-22 ⋅ malware.love ⋅ Robert Giczewski
Trickbot tricks again [UPDATE]
TrickBot

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
LightBot: TrickBot’s new reconnaissance malware for high-value targets
LightBot TrickBot

2020-11-18 ⋅ Sophos ⋅ Sophos
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader

2020-11-17 ⋅ malware.love ⋅ Robert Giczewski
Trickbot tricks again
TrickBot

2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot

2020-11-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
Tweet on a new fileless TrickBot loading method using code from MemoryModule
TrickBot

2020-11-16 ⋅ Fox-IT ⋅ Antonis Terefos, Anne Postma, Tera0017
TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-12 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
SDBbot

2020-11-12 ⋅ Hurricane Labs ⋅ Dusty Miller
Splunking with Sysmon Part 4: Detecting Trickbot
TrickBot

2020-11-10 ⋅ Intel 471 ⋅ Intel 471
Trickbot down, but is it out?
BazarBackdoor TrickBot

2020-11-05 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT, Vyacheslav Kopeytsev
Attackson industrial enterprises using RMS and TeamViewer: new data
RMS

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ CERT-FR ⋅ CERT-FR
LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot

2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878

2020-10-26 ⋅ Arbor Networks ⋅ Suweera De Souza
Dropping the Anchor
Anchor_DNS Anchor TrickBot

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-20 ⋅ Intel 471 ⋅ Intel 471
Global Trickbot disruption operation shows promise
TrickBot

2020-10-20 ⋅ Microsoft ⋅ Tom Burt
An update on disruption of Trickbot
TrickBot

2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot

2020-10-16 ⋅ Duo ⋅ Dennis Fisher
Trickbot Up to Its Old Tricks
TrickBot

2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot

2020-10-15 ⋅ Intel 471 ⋅ Intel 471
That was quick: Trickbot is back after disruption attempts
TrickBot

2020-10-15 ⋅ Department of Justice ⋅ Department of Justice
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot

2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot

2020-10-12 ⋅ Lumen ⋅ Black Lotus Labs
A Look Inside The TrickBot Botnet
TrickBot

2020-10-12 ⋅ US District Court for the Eastern District of Virginia
TRICKBOT complaint
TrickBot

2020-10-12 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Trickbot disrupted
TrickBot

2020-10-12 ⋅ ESET Research ⋅ Jean-Ian Boutin
ESET takes part in global operation to disrupt Trickbot
TrickBot

2020-10-12 ⋅ Microsoft ⋅ Tom Burt
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot

2020-10-10 ⋅ The Washington Post ⋅ Ellen Nakashima
Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot

2020-10-08 ⋅ ZDNet ⋅ Catalin Cimpanu
German tech giant Software AG down after ransomware attack
Clop

2020-10-08 ⋅ Bromium ⋅ Alex Holland
Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
TrickBot

2020-10-06 ⋅ Telekom ⋅ Thomas Barabosch
Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505

2020-10-03 ⋅ Wikipedia ⋅ Wikpedia
Wikipedia Page: Maksim Yakubets
Dridex Feodo Evil Corp

2020-10-03 ⋅ Avira ⋅ Avira Protection Labs
TA505 targets the Americas in a new campaign
ServHelper

2020-10-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-09-30 ⋅ CERT-XLM ⋅ Paul Jung
Another Threat Actor day...
SDBbot

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-22 ⋅ OSINT Fans ⋅ Gabor Szathmari
What Service NSW has to do with Russia?
TrickBot

2020-09-18 ⋅ AppGate ⋅ Gustavo Palazolo, Felipe Duarte
Reverse Engineering Dridex and Automating IOC Extraction
Dridex

2020-09-16 ⋅ Intel 471 ⋅ Intel 471
Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot

2020-09-10 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
Recent Dridex activity
Dridex

2020-09-07 ⋅ Github (pan-unit42) ⋅ Brad Duncan
Collection of recent Dridex IOCs
Cutwail Dridex

2020-08-31 ⋅ cyber.wtf blog ⋅ Luca Ebach
Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-21 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex

2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk

2020-08-20 ⋅ CERT-FR ⋅ CERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-08-09 ⋅ F5 Labs ⋅ Remi Cohen, Debbie Walkowski
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus

2020-08-03 ⋅ The DFIR Report
Dridex – From Word to Domain Dominance
Dridex

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader

2020-07-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot

2020-07-17 ⋅ CERT-FR ⋅ CERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus

2020-07-15 ⋅ Intel 471 ⋅ Intel 471
Flowspec – TA505’s bulletproof hoster of choice
Get2

2020-07-13 ⋅ JoeSecurity ⋅ Joe Security
TrickBot's new API-Hammering explained
TrickBot

2020-07-11 ⋅ BleepingComputer ⋅ Lawrence Abrams
TrickBot malware mistakenly warns victims that they are infected
TrickBot

2020-07-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot

2020-07-09 ⋅ Gdata ⋅ G DATA Security Lab
ServHelper: Hidden Miners
ServHelper

2020-07-07 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2

2020-07-06 ⋅ NTT ⋅ Security division of NTT Ltd.
TrickBot variant “Anchor_DNS” communicating over DNS
Anchor_DNS TrickBot

2020-06-24 ⋅ Morphisec ⋅ Arnold Osipov
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader

2020-06-22 ⋅ BleepingComputer ⋅ Lawrence Abrams
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop

2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot

2020-06-22 ⋅ CERT-FR ⋅ CERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-19 ⋅ Reaqta ⋅ Reaqta
Dridex: the secret in a PostMessage()
Dridex

2020-06-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez, malwrhunterteam
Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet

2020-06-17 ⋅ Youtube (Red Canary) ⋅ Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot

2020-06-17 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
FlawedGrace

2020-06-16 ⋅ Telekom ⋅ Thomas Barabosch
TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505

2020-06-15 ⋅ Fortinet ⋅ Val Saengphaibul, Fred Gutierrez
Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot

2020-06-12 ⋅ Hornetsecurity ⋅ Security Lab
Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot

2020-06-11 ⋅ Cofense ⋅ Jason Meurer
All You Need Is Text: Second Wave
TrickBot

2020-06-05 ⋅ Votiro ⋅ Votiro’s Research Team
Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex

2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader

2020-05-31 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
WastedLoader or DridexLoader?
Dridex WastedLocker

2020-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot

2020-05-27 ⋅ GAIS-CERT ⋅ GAIS-CERT
Dridex Banking Trojan Technical Analysis Report
Dridex

2020-05-25 ⋅ CERT-FR ⋅ CERT-FR
Le Code Malveillant Dridex: Origines et Usages
Dridex

2020-05-25 ⋅ CERT-FR ⋅ CERT-FR
INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex

2020-05-24 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader

2020-05-22 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper

2020-05-21 ⋅ Intel 471 ⋅ Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-05-20 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy

2020-05-19 ⋅ AlienLabs ⋅ Ofer Caspi
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot

2020-05-18 ⋅ Threatpost ⋅ Tara Seals
Ransomware Gang Arrested for Spreading Locky to Hospitals
Locky

2020-05-14 ⋅ SentinelOne ⋅ Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot

2020-04-14 ⋅ Intrinsec ⋅ Jean Bichet
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot

2020-04-14 ⋅ Intel 471 ⋅ Intel 471
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot

2020-04-09 ⋅ Github (Tera0017) ⋅ Tera0017
SDBbot Unpacker
SDBbot

2020-04-09 ⋅ Zscaler ⋅ Atinderpal Singh, Abhay Yadav
TrickBot Emerges with a Few New Tricks
TrickBot

2020-04-08 ⋅ SentinelOne ⋅ Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot

2020-04-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
How Cyber Adversaries are Adapting to Exploit the Global Pandemic
GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER

2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot

2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot

2020-03-31 ⋅ Cisco Talos ⋅ Chris Neal
Trickbot: A primer
TrickBot

2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878

2020-03-30 ⋅ Intezer ⋅ Michael Kajiloti
Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot

2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505

2020-03-25 ⋅ Wilbur Security ⋅ JW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot

2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Three More Ransomware Families Create Sites to Leak Stolen Data
Clop DoppelPaymer Maze Nefilim Nemty REvil

2020-03-18 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica, Alexandru Maximciuc, Cristina Vatamanu
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
TrickBot

2020-03-18 ⋅ Proofpoint ⋅ Axel F, Sam Scholten
Coronavirus Threat Landscape Update
Agent Tesla Get2 ISFB Remcos

2020-03-09 ⋅ Fortinet ⋅ Xiaopeng Zhang
New Variant of TrickBot Being Spread by Word Document
TrickBot

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot

2020-03-04 ⋅ SentinelOne ⋅ Jason Reaves
Breaking TA505’s Crypter with an SMT Solver
Clop CryptoMix MINEBRIDGE

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-28 ⋅ Morphisec ⋅ Michael Gorelik
Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
TrickBot

2020-02-28 ⋅ Financial Security Institute ⋅ Financial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet

2020-02-26 ⋅ SentinelOne ⋅ Jason Reaves
Revealing the Trick | A Deep Dive into TrickLoader Obfuscation
TrickBot

2020-02-20 ⋅ ZDNet ⋅ Catalin Cimpanu
Croatia's largest petrol station chain impacted by cyber-attack
Clop

2020-02-19 ⋅ FireEye ⋅ FireEye
M-Trends 2020
Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-18 ⋅ Sophos Labs ⋅ Luca Nagy
Nearly a quarter of malware now communicates using TLS
Dridex IcedID TrickBot

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-02-10 ⋅ viXra ⋅ Jason Reaves
A Case Study into solving Crypters/Packers in Malware Obfuscation using an SMT approach
Locky

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-02-07 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
TA505 Hackers Behind Maastricht University Ransomware Attack
Clop

2020-01-31 ⋅ Virus Bulletin ⋅ Michal Poslušný, Peter Kálnai
Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot

2020-01-30 ⋅ Morphisec ⋅ Arnold Osipov
Trickbot Trojan Leveraging a New Windows 10 UAC Bypass
TrickBot

2020-01-30 ⋅ Bleeping Computer ⋅ Lawrence Abrams
TrickBot Uses a New Windows 10 UAC Bypass to Launch Quietly
TrickBot

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Malware Tries to Trump Security Software With POTUS Impeachment
TrickBot

2020-01-27 ⋅ T-Systems ⋅ T-Systems
Vorläufiger forensischer Abschlussbericht zur Untersuchung des Incidents beim Berliner Kammergericht
Emotet TrickBot

2020-01-23 ⋅ Bleeping Computer ⋅ Lawrence Abrams
TrickBot Now Steals Windows Active Directory Credentials
TrickBot

2020-01-17 ⋅ Ken Sajo, Yasuhiro Takeda, Yusuke Niwa
Battle Against Ursnif Malspam Campaign targeting Japan
Cutwail ISFB TrickBot UrlZone

2020-01-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
TrickBot

2020-01-14 ⋅ Telekom ⋅ Thomas Barabosch
Inside of CL0P’s ransomware operation
Clop Get2 SDBbot

2020-01-13 ⋅ Github (Tera0017) ⋅ Tera0017
TAFOF Unpacker
Clop Get2 Silence

2020-01-10 ⋅ CSIS ⋅ CSIS
Threat Matrix H1 2019
Gustuff magecart Emotet Gandcrab Ramnit TrickBot

2020-01-09 ⋅ SentinelOne ⋅ Vitali Kremez, Joshua Platt, Jason Reaves
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
TrickBot WIZARD SPIDER

2020-01-09 ⋅ SonicWall ⋅ SonicWall
ServHelper 2.0: Enriched with bot capabilities and allow remote desktop access
ServHelper

2020-01-07 ⋅ Github (albertzsigovits) ⋅ Albert Zsigovits
Clop ransomware Notes
Clop

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD BLACKBURN
Dyre TrickBot

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD DRAKE
Dridex Empire Downloader FriedEx Koadic MimiKatz

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD HERON
DoppelPaymer Dridex Empire Downloader

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD TAHOE
Clop FlawedAmmyy FlawedGrace Get2 SDBbot ServHelper TA505

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER

2019-12-20 ⋅ Binary Defense ⋅ James Quinn
An Updated ServHelper Tunnel Variant
ServHelper

2019-12-19 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Inside ‘Evil Corp,’ a $100M Cybercrime Menace
Dridex Gameover P2P Zeus Evil Corp

2019-12-17 ⋅ Blueliv ⋅ Adrián Ruiz, Jose Miguel Esparza, Blueliv Labs Team
TA505 evolves ServHelper, uses Predator The Thief and Team Viewer Hijacking
ServHelper TA505

2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech

2019-12-09 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Brittany Ash, Mike Harbison
TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
TrickBot

2019-12-05 ⋅ U.S. Department of the Treasury ⋅ U.S. Department of the Treasury
Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware
Dridex

2019-11-24 ⋅ Jacob Pimental
TA505 Get2 Analysis
Get2

2019-11-22 ⋅ CERT-FR ⋅ CERT-FR
RAPPORT MENACES ET INCIDENTS DU CERT-FR
Clop

2019-11-22 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Trickbot Updates Password Grabber Module
TrickBot

2019-11-19 ⋅ ACTU ⋅ Rédaction Normandie
Une rançon après la cyberattaque au CHU de Rouen ? Ce que réclament les pirates
Clop

2019-11-13 ⋅ CrowdStrike ⋅ Jen Ayers, Jason Rivera
Through the Eyes of the Adversary
TrickBot CLOCKWORD SPIDER

2019-11-08 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Trickbot Infections
TrickBot

2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot

2019-10-29 ⋅ SneakyMonkey Blog ⋅ SneakyMonkey
TRICKBOT - Analysis Part II
TrickBot

2019-10-24 ⋅ Sentinel LABS ⋅ Vitali Kremez
How TrickBot Malware Hooking Engine Targets Windows 10 Browsers
TrickBot

2019-10-16 ⋅ Proofpoint ⋅ Dennis Schwarz, Kafeine, Matthew Mesa, Axel F, Proofpoint Threat Insight Team
TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
Get2 SDBbot TA505

2019-10-16 ⋅ Proofpoint ⋅ Proofpoint
TA505 Timeline
TA505

2019-10-10 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel
Analysis of the new TA505 campaign
Get2

2019-10-10 ⋅ AhnLab ⋅ ASEC
ASEC Report Vol. 96
SDBbot

2019-09-25 ⋅ GovCERT.ch ⋅ GovCERT.ch
Trickbot - An analysis of data collected from the botnet
TrickBot

2019-09-09 ⋅ McAfee ⋅ Thomas Roccia, Marc Rivero López, Chintan Shah
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
Cutwail Dridex Dyre Kovter Locky Phorpiex Simda

2019-08-29 ⋅ ThreatRecon ⋅ ThreatRecon Team
SectorJ04 Group’s Increased Activity in 2019
FlawedAmmyy ServHelper TA505

2019-08-27 ⋅ Secureworks ⋅ CTU Research Team
TrickBot Modifications Target U.S. Mobile Users
TrickBot WIZARD SPIDER

2019-08-27 ⋅ Trend Micro ⋅ Hara Hiroaki, Jaromír Hořejší, Loseway Lu
TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
FlawedAmmyy ServHelper

2019-08-26 ⋅ InQuest ⋅ Josiah Smith
Memory Analysis of TrickBot
TrickBot

2019-08-20 ⋅ Github (SherifEldeeb) ⋅ Sherif Eldeeb
Source code: TinyMet
TinyMet

2019-08-13 ⋅ Adalogics ⋅ David Korczynski
The state of advanced code injections
Dridex Emotet Tinba

2019-08-05 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Michael Jhon Ofiaza
Latest Trickbot Campaign Delivered via Highly Obfuscated JS File
ostap TrickBot

2019-08-01 ⋅ McAfee ⋅ Alexandre Mundo, Marc Rivero López
Clop Ransomware
Clop

2019-07-30 ⋅ Dissecting Malware ⋅ Marius Genheimer
Picking Locky
Locky

2019-07-12 ⋅ DeepInstinct ⋅ Shaul Vilkomir-Preisman
TrickBooster – TrickBot’s Email-Based Infection Module
TrickBot

2019-07-12 ⋅ CrowdStrike ⋅ Brett Stone-Gross, Sergei Frankoff, Bex Hartley
BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0
DoppelPaymer Dridex FriedEx

2019-07-11 ⋅ NTT Security ⋅ NTT Security
Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot

2019-07-04 ⋅ Trend Micro ⋅ Trend Micro
Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
AndroMut

2019-07-02 ⋅ Proofpoint ⋅ Matthew Mesa, Dennis Schwarz, Proofpoint Threat Insight Team
TA505 begins summer campaigns with a new pet malware downloader, AndroMut, in the UAE, South Korea, Singapore, and the United States
AndroMut FlawedAmmyy

2019-06-04 ⋅ SlideShare ⋅ Vitali Kremez
Inside Cybercrime Groups Harvesting Active Directory for Fun and Profit - Vitali Kremez
TrickBot

2019-05-31 ⋅ Youtube (0verfl0w_) ⋅ 0verfl0w_
Defeating Commercial and Custom Packers like a Pro - VMProtect, ASPack, PECompact, and more
FlawedAmmyy Ramnit

2019-05-29 ⋅ Yoroi ⋅ Davide Testa, Antonio Farina, Luca Mella
TA505 is Expanding its Operations
RMS

2019-05-28 ⋅ MITRE ⋅ MITRE
FlawedAmmyy
FlawedAmmyy

2019-05-22 ⋅ sneakymonk3y (Mark)
TRICKBOT - Analysis
TrickBot

2019-05-16 ⋅ Yoroi ⋅ Luigi Martire, Davide Testa, Antonio Pirozzi, Luca Mella
The Stealthy Email Stealer in the TA505 Arsenal
TA505

2019-05-14 ⋅ GovCERT.ch ⋅ GovCERT.ch
The Rise of Dridex and the Role of ESPs
Dridex

2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot

2019-05-02 ⋅ CERT.PL ⋅ Michał Praszmo
Detricking TrickBot Loader
TrickBot

2019-04-25 ⋅ Cybereason ⋅ Cybereason Nocturnus
Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware
ServHelper TA505

2019-04-22 ⋅ SANS ⋅ Mike Downey
Unpacking & Decrypting FlawedAmmyy
FlawedAmmyy

2019-04-05 ⋅ Medium vishal_thakur ⋅ Vishal Thakur
Trickbot — a concise treatise
TrickBot

2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot

2019-04-02 ⋅ DeepInstinct ⋅ Shaul Vilkomir-Preisman
New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload
ServHelper

2019-03-28 ⋅ Carbon Black ⋅ CB TAU Threat Intelligence
CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
Clop

2019-03-20 ⋅ Flashpoint ⋅ Joshua Platt, Jason Reaves
FIN7 Revisited: Inside Astra Panel and SQLRat Malware
DNSRat TinyMet

2019-03-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams
CryptoMix Clop Ransomware Says It's Targeting Networks, Not Computers
Clop

2019-03-05 ⋅ PepperMalware Blog ⋅ Pepper Potts
Quick Analysis of a Trickbot Sample with NSA's Ghidra SRE Framework
TrickBot

2019-02-15 ⋅ CrowdStrike ⋅ Brendon Feeley, Bex Hartley
“Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
Dyre IcedID TrickBot Vawtrak LUNAR SPIDER WIZARD SPIDER

2019-02-12 ⋅ Trend Micro ⋅ Trend Micro
Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
TrickBot

2019-02-02 ⋅ Medium Sebdraven ⋅ Sébastien Larinier
Unpacking Clop
Clop

2019-01-24 ⋅ 奇安信威胁情报中心 ⋅ 事件追踪
Excel 4.0 Macro Utilized by TA505 to Target Financial Institutions Recently
ServHelper

2019-01-14 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
A Quick Solution to an Ugly Reverse Engineering Problem
FlawedGrace

2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER

2019-01-11 ⋅ Threatpost ⋅ Tara Seals
TA505 Crime Gang Debuts Brand-New ServHelper Backdoor
TA505

2019-01-10 ⋅ Bleeping Computer ⋅ Ionut Ilascu
TA505 Group Adopts New ServHelper Backdoor and FlawedGrace RAT
TA505

2019-01-09 ⋅ Proofpoint ⋅ Dennis Schwarz, Proofpoint Staff
ServHelper and FlawedGrace - New malware introduced by TA505
FlawedGrace ServHelper

2019 ⋅ CyberInt ⋅ CyberInt
Legit Remote Admin Tools Turn into Threat Actors' Tools
RMS ServHelper TA505

2018-12-18 ⋅ Trend Micro ⋅ Trendmicro
URSNIF, EMOTET, DRIDEX and BitPaymer Gangs Linked by a Similar Loader
Dridex Emotet FriedEx ISFB

2018-12-12 ⋅ SecureData ⋅ Wicus Ross
The TrickBot and MikroTik connection
TrickBot

2018-12-05 ⋅ VIPRE ⋅ VIPRE Labs
Trickbot’s Tricks
TrickBot

2018-11-12 ⋅ Malwarebytes ⋅ hasherezade
What’s new in TrickBot? Deobfuscating elements
TrickBot

2018-11-08 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis of TrickBot New Module pwgrab
TrickBot

2018-11-01 ⋅ Trend Micro ⋅ Noel Anthony Llimos, Carl Maverick Pascual
Trickbot Shows Off New Trick: Password Grabber Module
TrickBot

2018-10-01 ⋅ Macnica Networks ⋅ Macnica Networks
Trends in cyber espionage (targeted attacks) targeting Japan | First half of 2018
Anel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm

2018-08-14 ⋅ Cyberbit ⋅ Hod Gavriel
Latest Trickbot Variant has New Tricks Up Its Sleeve
TrickBot

2018-07-26 ⋅ IEEE Symposium on Security and Privacy (SP) ⋅ Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy
Tracking Ransomware End-to-end
Cerber Locky WannaCryptor

2018-07-19 ⋅ Proofpoint ⋅ Proofpoint Staff
TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT
FlawedAmmyy

2018-07-03 ⋅ Talos Intelligence ⋅ Ben Baker, Holger Unterbrink
Smoking Guns - Smoke Loader learned new tricks
SmokeLoader TrickBot

2018-06-28 ⋅ Secrary Blog ⋅ Lasha Khasaia
A Brief Overview of the AMMYY RAT Downloader
FlawedAmmyy

2018-06-20 ⋅ OALabs
Unpacking and Extracting TrickBot Malware Configuration With x64dbg and Python
TrickBot

2018-06-13 ⋅ Github (JR0driguezB) ⋅ Jorge Rodriguez
TrickBot config files
TrickBot

2018-04-16 ⋅ Random RE ⋅ sysopfb
TrickBot & UACME
TrickBot

2018-04-03 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: Trickbot Implements Network Collector Module Leveraging CMD, WMI & LDAP
TrickBot

2018-03-31 ⋅ Youtube (hasherezade) ⋅ hasherezade
Deobfuscating TrickBot's strings with libPeConv
TrickBot

2018-03-27 ⋅ Trend Micro ⋅ Trendmicro
Evolving Trickbot Adds Detection Evasion and Screen-Locking Features
TrickBot

2018-03-21 ⋅ Webroot ⋅ Jason Davison
TrickBot Banking Trojan Adapts with New Module
TrickBot

2018-03-20 ⋅ Stormshield ⋅ Mehdi Talbi
De-obfuscating Jump Chains with Binary Ninja
Locky

2018-03-07 ⋅ Proofpoint ⋅ Proofpoint Staff
Leaked Ammyy Admin Source Code Turned into Malware
FlawedAmmyy QuantLoader

2018-02-15 ⋅ SecurityIntelligence ⋅ Ophir Harpaz, Magal Baz, Limor Kessem
TrickBot’s Cryptocurrency Hunger: Tricking the Bitcoin Out of Wallets
TrickBot

2018-02-01 ⋅ Malware Traffic Analysis ⋅ Brad Duncan
Quick Test Drive of Trickbot (It now has a Monero Module)
TrickBot

2018-01-26 ⋅ ESET Research ⋅ Michal Poslušný
FriedEx: BitPaymer ransomware the work of Dridex authors
Dridex FriedEx

2018-01-12 ⋅ Proofpoint ⋅ Proofpoint Staff
Holiday lull? Not so much
Dridex Emotet GlobeImposter ISFB Necurs PandaBanker UrlZone NARWHAL SPIDER

2017-12-30 ⋅ Youtube (hasherezade) ⋅ hasherezade
Unpacking TrickBot with PE-sieve
TrickBot

2017-12-19 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: Introducing New Trickbot LDAP "DomainGrabber" Module
TrickBot

2017-11-22 ⋅ Flashpoint ⋅ Vitali Kremez
Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model
TrickBot

2017-11-21 ⋅ Vitali Kremez
Let's Learn: Trickbot Socks5 Backconnect Module In Detail
TrickBot

2017-11-07 ⋅ ThreatVector ⋅ Cylance Threat Research Team
Locky Ransomware
Locky

2017-10-06 ⋅ Blueliv ⋅ Blueliv
TrickBot banking trojan using EFLAGS as an anti-hook technique
TrickBot

2017-09-27 ⋅ Proofpoint ⋅ Proofpoint Staff
Threat Actor Profile: TA505, From Dridex to GlobeImposter
TA505

2017-09-21 ⋅ Malwarebytes ⋅ Jérôme Segura
Fake IRS notice delivers customized spying tool
RMS

2017-08-20 ⋅ MyOnlineSecurity ⋅ MyOnlineSecurity
return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload
Cold$eal Locky

2017-08-16 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Locky Ransomware switches to the Lukitus extension for Encrypted Files
Locky

2017-08-10 ⋅ botfrei Blog ⋅ Tom Berchem
Weltweite Spamwelle verbreitet teuflische Variante des Locky
Locky

2017-08-01 ⋅ Malwarebytes ⋅ Malwarebytes Labs
TrickBot comes up with new tricks: attacking Outlook and browsing data
TrickBot

2017-08-01 ⋅ Panda Security ⋅ Panda Security
Malware Report: Dridex Version 4
Dridex

2017-07-27 ⋅ Flashpoint ⋅ Flashpoint
New Version of “Trickbot” Adds Worm Propagation Module
TrickBot

2017-07-25 ⋅ Github (viql) ⋅ Johannes Bader
Dridex Loot
Dridex

2017-07-18 ⋅ Elastic ⋅ Ashkan Hosseini
Ten process injection techniques: A technical survey of common and trending process injection techniques
Cryakl CyberGate Dridex FinFisher RAT Locky

2017-07 ⋅ Ring Zero Labs ⋅ Ring Zero Labs
TrickBot Banking Trojan - DOC00039217.doc
TrickBot

2017-06-22 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
Locky Ransomware Returns, but Targets Only Windows XP & Vista
Locky

2017-06-21 ⋅ Cisco ⋅ Alex Chiu, Warren Mercer, Jaeson Schultz, Sean Baird, Matthew Molyett
Player 1 Limps Back Into the Ring - Hello again, Locky!
Locky

2017-06-15 ⋅ F5 ⋅ Sara Boddy, Jesse Smith, Doron Voolf
Trickbot Expands Global Targets Beyond Banks and Payment Processors to CRMs
TrickBot

2017-06-12 ⋅ Security Art Work ⋅ Marc Salinas, JoséMiguel Holguín
Evolución de Trickbot
TrickBot

2017-05-26 ⋅ PWC ⋅ Bart Parys
TrickBot’s bag of tricks
TrickBot

2017-05-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Evolution of the GOLD EVERGREEN Threat Group
CryptoLocker Dridex Dyre Gameover P2P Murofet TrickBot Zeus GOLD EVERGREEN

2017-03-01 ⋅ FraudWatch International ⋅ FraudWatch International
How Does the Trickbot Malware Work?
TrickBot

2017-02-28 ⋅ Security Intelligence ⋅ Magal Baz, Or Safran
Dridex’s Cold War: Enter AtomBombing
Dridex

2017-01-31 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Locky Bart ransomware and backend server analysis
Locky

2017-01-26 ⋅ Flashpoint ⋅ Flashpoint
Dridex Banking Trojan Returns, Leverages New UAC Bypass Method
Dridex

2016-12-07 ⋅ Botconf ⋅ Joshua Adams
The TrickBot Evolution
TrickBot

2016-12-06 ⋅ Fortinet ⋅ Xiaopeng Zhang
Deep Analysis of the Online Banking Botnet TrickBot
TrickBot

2016-11-09 ⋅ Lior Keshet
Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations
TrickBot

2016-11-07 ⋅ F5 Labs ⋅ Julia Karpin, Shaul Vilkomir-Preisman, Anna Dorfman
Little Trickbot Growing Up: New Campaign
TrickBot

2016-10-25 ⋅ NetScout ⋅ ASERT Team
TrickBot Banker Insights
TrickBot

2016-10-24 ⋅ Malwarebytes ⋅ Malwarebytes Labs
Introducing TrickBot, Dyreza’s successor
TrickBot

2016-10-15 ⋅ Fidelis Cybersecurity ⋅ Threat Research Team
TrickBot: We Missed you, Dyre
TrickBot

2016-10-11 ⋅ Symantec ⋅ Symantec Security Response
Odinaff: New Trojan used in high level financial attacks
Batel FlawedAmmyy Odinaff RMS FIN7

2016-07-07 ⋅ Pierluigi Paganini
New threat dubbed Zepto Ransomware is spreading out with a new email spam campaign. It is a variant of the recent Locky Ransomware.
Locky

2016-03-01 ⋅ Malwarebytes ⋅ hasherezade
Look Into Locky Ransomware
Locky

2016-02-16 ⋅ Symantec ⋅ Dick O'Brien
Dridex: Tidal waves of spam pushing dangerous financial Trojan
Dridex

2015-11-10 ⋅ CERT.PL ⋅ CERT.PL
Talking to Dridex (part 0) – inside the dropper
Dridex

2015-10-26 ⋅ Blueliv ⋅ Blueliv
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers
Dridex Dyre

2015-10-15 ⋅ BitSight ⋅ AnubisLabs
Dridex: Chasing a botnet from the inside
Dridex

2015-10-13 ⋅ Secureworks ⋅ Brett Stone-Gross
Dridex (Bugat v5) Botnet Takeover Operation
Dridex Evil Corp

Credits: MISP Project