TA505 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

TA505 (Back to overview)

aka: SectorJ04, SectorJ04 Group, GRACEFUL SPIDER, GOLD TAHOE, Dudear, G0092, ATK103, Hive0065, CHIMBORAZO

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

Associated Families

win.dridex win.flawedammyy win.flawedgrace win.get2 win.locky win.mirrorblast win.rms win.sdbbot win.servhelper win.teleport win.andromut win.tinymet win.trickbot win.clop win.silence

References

2023-09-07 ⋅ Department of Justice ⋅ Office of Public Affairs
Multiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies
Conti Conti TrickBot

2023-08-30 ⋅ Nisos ⋅ Vincas Čižiūnas
Trickbot in Light of Trickleaks Data
TrickBot

2023-07-26 ⋅ Talos ⋅ Nicole Hoffman
Incident Response trends Q2 2023: Data theft extortion rises, while healthcare is still most-targeted vertical
BianLian Clop LockBit Royal Ransom LockBit 8Base BianLian Clop LockBit Money Message Royal Ransom

2023-07-13 ⋅ malware.love ⋅ Robert Giczewski
TrueBot Analysis Part IV - Config Extraction
Silence

2023-07-06 ⋅ CISA ⋅ CISA
Increased Truebot Activity Infects U.S. and Canada Based Networks
Silence

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-06-23 ⋅ Fourcore ⋅ Jones Martin
Clop Ransomware: History, Timeline, And Adversary Simulation
Clop

2023-06-12 ⋅ The DFIR Report ⋅ Maxime Thiebaut
A Truly Graceful Wipe Out
FlawedGrace Silence

2023-06-01 ⋅ vmware ⋅ Fae Carlisle
Carbon Black’s TrueBot Detection
Silence

2023-05-23 ⋅ loginsoft ⋅ Saharsh Agrawal
Taming the Storm: Understanding and Mitigating the Consequences of CVE-2023-27350
Clop LockBit Silence

2023-03-31 ⋅ malware.love ⋅ Robert Giczewski
TrueBot Analysis Part III - Capabilities
Silence

2023-03-30 ⋅ IBM ⋅ John Dwyer, Fred Chidsey, Joseph Lozowski
X-Force Prevents Zero Day from Going Anywhere
Silence

2023-02-27 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
RIG Exploit Kit: In-Depth Analysis
Dridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader Zloader

2023-02-18 ⋅ malware.love ⋅ Robert Giczewski
TrueBot Analysis Part II - Static unpacker
Silence

2023-02-12 ⋅ malware.love ⋅ Robert Giczewski
TrueBot Analysis Part I - A short glimpse into packed TrueBot samples
Silence

2023-02-09 ⋅ U.S. Department of the Treasury ⋅ U.S. Department of the Treasury
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang
TrickBot

2023-02-08 ⋅ Huntress Labs ⋅ Joe Slowik, Matt Anderson
Investigating Intrusions From Intriguing Exploits
Silence

2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein
Following the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware
Agent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer (PWS) Maze NetWire RC Remcos REvil TrickBot

2022-12-27 ⋅ Palo Alto Networks Unit 42 ⋅ Esmid Idrizovic, Bob Jung, Daniel Raygoza, Sean Hughes
Navigating the Vast Ocean of Sandbox Evasions
TrickBot Zebrocy

2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira
Breaking the silence - Recent Truebot activity
Clop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport

2022-12-06 ⋅ EuRepoC ⋅ Kerstin Zettl-Schabath, Lena Rottinger, Camille Borrett
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER

2022-11-11 ⋅ Codesec ⋅ Hugo Caron
GraceWire / FlawedGrace malware adventure
FlawedGrace

2022-10-31 ⋅ paloalto Netoworks: Unit42 ⋅ Or Chechik
Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure
Dridex Kronos TrickBot Zeus

2022-10-27 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity
FAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence

2022-10-27 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Microsoft links Raspberry Robin worm to Clop ransomware attacks
Clop Raspberry Robin

2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm

2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot

2022-09-06 ⋅ PRODAFT ⋅ PRODAFT
TA505 Group’s TeslaGun In-Depth Analysis
Clop ServHelper

2022-09-05 ⋅ PRODAFT ⋅ PRODAFT
TA505 Group’s TeslaGun In-Depth Analysis
ServHelper

2022-09-01 ⋅ IBM ⋅ Kevin Henson, Emmy Ebanks
Raspberry Robin and Dridex: Two Birds of a Feather
Dridex Raspberry Robin

2022-08-24 ⋅ Github (rad9800) ⋅ Rad Kawar
Malware Madness: EXCEPTION edition
Dridex

2022-08-18 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen
From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers
BumbleBee Karius Ramnit TrickBot Vawtrak

2022-08-15 ⋅ SentinelOne ⋅ Vikram Navali
Detecting a Rogue Domain Controller – DCShadow Attack
MimiKatz TrickBot

2022-07-26 ⋅ Mandiant ⋅ Thibault van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith Lunden
Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
Clop Industroyer MimiKatz Triton

2022-07-09 ⋅ Artik Blue ⋅ Artik Blue
Malware analysis with IDA/Radare2 - Basic Unpacking (Dridex first stage)
Dridex

2022-06-23 ⋅ Kaspersky ⋅ Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok

2022-06-23 ⋅ Kaspersky ⋅ Nikita Nazarov, Vasily Davydov, Natalya Shornikova, Vladislav Burtsev, Danila Nasonov
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker

2022-06-15 ⋅ AttackIQ ⋅ Jackson Wells, AttackIQ Adversary Research Team
Attack Graph Emulating the Conti Ransomware Team’s Behaviors
BazarBackdoor Conti TrickBot

2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker

2022-06-02 ⋅ Eclypsium ⋅ Eclypsium
Conti Targets Critical Firmware
Conti HermeticWiper TrickBot WhisperGate

2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
FAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix Locker WastedLocker

2022-05-28 ⋅ Bleeping Computer ⋅ Sergiu Gatlan
Clop ransomware gang is back, hits 21 victims in a single month
Clop

2022-05-24 ⋅ Deep instinct ⋅ Bar Block
Blame the Messenger: 4 Types of Dropper Malware in Microsoft Office & How to Detect Them
Dridex Emotet

2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot

2022-05-19 ⋅ Palo Alto Networks Unit 42 ⋅ Saqib Khanzada
Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
Dridex

2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: RansomEXX
LaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot

2022-05-10 ⋅ RiskIQ ⋅ RiskIQ
RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns
Dridex

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-09 ⋅ Microsoft Security ⋅ Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot

2022-05-05 ⋅ YouTube (Chris Greer) ⋅ Chris Greer
MALWARE Analysis with Wireshark // TRICKBOT Infection
TrickBot

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-27 ⋅ Medium elis531989 ⋅ Eli Salem
The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
BumbleBee TrickBot

2022-04-27 ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-26 ⋅ Intel 471 ⋅ Intel 471
Conti and Emotet: A constantly destructive duo
Cobalt Strike Conti Emotet IcedID QakBot TrickBot

2022-04-20 ⋅ CISA ⋅ CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader

2022-04-20 ⋅ CISA ⋅ CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet

2022-04-18 ⋅ RiskIQ ⋅ Jennifer Grob
RiskIQ: Trickbot Rickroll
TrickBot

2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot

2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Karakurt revealed as data extortion arm of Conti cybercrime syndicate
Anchor BazarBackdoor Conti TrickBot

2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot

2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts
ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
Conti Emotet TrickBot

2022-04-05 ⋅ Intel 471 ⋅ Intel 471
Move fast and commit crimes: Conti’s development teams mirror corporate tech
BazarBackdoor TrickBot

2022-03-31 ⋅ Trellix ⋅ John Fokker, Jambul Tologonov
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
Conti Emotet IcedID TrickBot

2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Threat Intelligence Executive Report Volume 2022, Number 2
Conti Emotet IcedID TrickBot

2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas
Conti Ransomware V. 3, Including Decryptor, Leaked
Cobalt Strike Conti TrickBot

2022-03-18 ⋅ Avast ⋅ Martin Hron
Mēris and TrickBot standing on the shoulders of giants
Glupteba Proxy Glupteba TrickBot

2022-03-16 ⋅ Microsoft ⋅ Microsoft Defender for IoT Research Team, Microsoft Threat Intelligence Center (MSTIC)
Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
TrickBot

2022-03-15 ⋅ RiskIQ ⋅ RiskIQ
RiskIQ: Trickbot Abuse of Compromised MikroTik Routers for Command and Control
TrickBot

2022-03-13 ⋅ Malcat ⋅ malcat team
Cutting corners against a Dridex downloader
Dridex

2022-03-09 ⋅ BreachQuest ⋅ Marco Figueroa, Napoleon Bing, Bernard Silvestrini
The Conti Leaks | Insight into a Ransomware Unicorn
Cobalt Strike MimiKatz TrickBot

2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu
CISA updates Conti ransomware alert with nearly 100 domain names
BazarBackdoor Cobalt Strike Conti TrickBot

2022-03-04 ⋅ Reuters ⋅ Raphael Satter
Details of another big ransomware group 'Trickbot' leak online, experts say
TrickBot

2022-03-04 ⋅ Thales ⋅ Thales
ATK103
TA505

2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot

2022-03-02 ⋅ Threatpost ⋅ Lisa Vaas
Conti Ransomware Decryptor, TrickBot Source Code Leaked
Conti TrickBot

2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs
Conti Group Leaked!
TeamTNT Conti TrickBot

2022-03-01 ⋅ VX-Underground
Leaks: Conti / Trickbot
Conti TrickBot

2022-03 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky
TrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ The Record ⋅ Catalin Cimpanu
TrickBot gang shuts down botnet after months of inactivity
TrickBot

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
BazarBackdoor Emotet TrickBot

2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan
TrickBot Gang Likely Shifting Operations to Switch to New Malware
BazarBackdoor Emotet QakBot TrickBot

2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt
Dridex bots deliver Entropy ransomware in recent attacks
Cobalt Strike Dridex Entropy

2022-02-23 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
Dridex WastedLocker

2022-02-22 ⋅ Bankinfo Security ⋅ Matthew J. Schwartz
Cybercrime Moves: Conti Ransomware Absorbs TrickBot Malware
Conti TrickBot

2022-02-22 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: Clop
Clop

2022-02-20 ⋅ Security Affairs ⋅ Pierluigi Paganini
The Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor malware.
Conti TrickBot

2022-02-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Conti ransomware gang takes over TrickBot malware operation
Conti TrickBot

2022-02-16 ⋅ Check Point Research ⋅ Aliaksandr Trafimchuk, Raman Ladutska
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
TrickBot

2022-02-16 ⋅ Threat Post ⋅ Tara Seals
TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands
TrickBot

2022-02-16 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy
The TrickBot Saga’s Finale Has Aired: Spinoff is Already in the Works
TrickBot

2022-02-08 ⋅ Intel 471 ⋅ Intel 471
PrivateLoader: The first step in many malware schemes
Dridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos SmokeLoader STOP Tofsee TrickBot Vidar

2022-02-02 ⋅ IBM ⋅ Kevin Henson
TrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware
BazarBackdoor TrickBot

2022-02-01 ⋅ Wired ⋅ Matt Burgess
Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot

2022-02 ⋅ Sentinel LABS ⋅ Antonio Pirozzi, Antonis Terefos, Idan Weizman
Sanctions be Damned | From Dridex To Macaw, The Evolution of Evil Corp
Dridex FriedEx Hades Phoenix Locker WastedLocker

2022-02-01 ⋅ Wired ⋅ Matt Burgess
Inside Trickbot, Russia’s Notorious Ransomware Gang
TrickBot

2022-01-24 ⋅ IBM ⋅ Michael Gal, Segev Fogel, Itzik Chimino, Limor Kessem, Charlotte Hammond
TrickBot Bolsters Layered Defenses to Prevent Injection Research
TrickBot

2022-01-24 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
Deep Dive into Trickbot's Web Injection
TrickBot

2022-01-19 ⋅ FBI ⋅ FBI
CU-000161-MW: Indicators of Compromise Associated with Diavol Ransomware
Diavol TrickBot

2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®
2021 Adversary Infrastructure Report
BazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot

2022-01-14 ⋅ RiskIQ ⋅ Jordan Herman
RiskIQ: Unique SSL Certificates and JARM Hash Connected to Emotet and Dridex C2 Servers
Dridex Emotet

2022-01-11 ⋅ muha2xmad ⋅ Muhammad Hasan Ali
Unpacking Dridex malware
Dridex

2022-01-09 ⋅ Atomic Matryoshka ⋅ z3r0day_504
Malware Headliners: Dridex
Dridex

2021-12-23 ⋅ Symantec ⋅ Siddhesh Chandrayan
Log4j Vulnerabilities: Attack Insights
Tsunami Conti Dridex Khonsari Orcus RAT TellYouThePass

2021-12-20 ⋅ InQuest ⋅ Nick Chalard
(Don't) Bring Dridex Home for the Holidays
DoppelDridex Dridex

2021-12-08 ⋅ Check Point Research ⋅ Raman Ladutska, Aliaksandr Trafimchuk, David Driker, Yali Magiel
When old friends meet again: why Emotet chose Trickbot for rebirth
Emotet TrickBot

2021-12-03 ⋅ GoSecure ⋅ GoSecure Titan Labs
TrickBot Leverages Zoom Work from Home Interview Malspam, Heaven’s Gate and… Spamhaus?
TrickBot

2021-12-01 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Michael Sandee
Tracking a P2P network related to TA505
FlawedGrace Necurs

2021-11-21 ⋅ Cyber-Anubis ⋅ Nidal Fikri
Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
DoppelDridex Dridex

2021-11-16 ⋅ Yoroi ⋅ Luigi Martire, Carmelo Ragusa, Luca Mella
Office Documents: May the XLL technique change the threat Landscape in 2022?
Agent Tesla Dridex Formbook

2021-11-16 ⋅ Malwarebytes ⋅ Malwarebytes Threat Intelligence Team
TrickBot helps Emotet come back from the dead
Emotet TrickBot

2021-11-16 ⋅ Trend Micro ⋅ Trend Micro
Global Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels
REvil Clop Gandcrab REvil

2021-11-12 ⋅ Recorded Future ⋅ Insikt Group®
The Business of Fraud: Botnet Malware Dissemination
Mozi Dridex IcedID QakBot TrickBot

2021-11-04 ⋅ Security Service of Ukraine ⋅ Security Service of Ukraine
Gamaredon / Armageddon Group: FSB RF Cyber attacks against Ukraine
EvilGnome Pteranodon RMS

2021-10-29 ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-28 ⋅ Department of Justice ⋅ Department of Justice
Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot

2021-10-28 ⋅ Department of Justice ⋅ Department of Justice
Indictment: Russian National (Vladimir Dunaev) Extradited to United States to Face Charges for Alleged Role in Cybercriminal Organization
TrickBot

2021-10-27 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien
[RE025] TrickBot ... many tricks
TrickBot

2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson
Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Cobalt Strike FlawedGrace TinyMet

2021-10-19 ⋅ Proofpoint ⋅ Zydeca Cass, Axel F, Crista Giering, Matthew Mesa, Georgi Mladenov, Brandon Murphy
Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
FlawedGrace MirrorBlast

2021-10-19 ⋅ Kaspersky ⋅ Oleg Kupreev
Trickbot module descriptions
TrickBot

2021-10-14 ⋅ Morphisec ⋅ Arnold Osipov
Explosive New MirrorBlast Campaign Targets Financial Companies
MirrorBlast

2021-10-13 ⋅ IBM ⋅ Ole Villadsen, Charlotte Hammond
Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
BazarBackdoor TrickBot

2021-10-08 ⋅ Zscaler ⋅ Tarun Dewan, Lenart Brave
New Trickbot and BazarLoader campaigns use multiple delivery vectorsi
BazarBackdoor TrickBot

2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team
FIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets
Cobalt Strike Empire Downloader TrickBot

2021-10-05 ⋅ Trend Micro ⋅ Fyodor Yarochkin, Janus Agcaoili, Byron Gelera, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk

2021-10-05 ⋅ FRSecure ⋅ Oscar Minks
The REBOL Yell: A New Novel REBOL Exploit
MirrorBlast

2021-10-04 ⋅ Cisco ⋅ Tiago Pereira
Threat hunting in large datasets by clustering security events
BazarBackdoor TrickBot

2021-10 ⋅ HP ⋅ HP Wolf Security
Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm

2021-09-24 ⋅ Proofpoint ⋅ Proofpoint
Daily Ruleset Update Summary 2021/09/24
MirrorBlast

2021-09-19 ⋅ HP ⋅ Patrick Schläpfer
MirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures
MirrorBlast

2021-09-15 ⋅ Palo Alto Networks Unit 42 ⋅ Anna Chung, Swetha Balla
Phishing Eager Travelers
Dridex

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-09-06 ⋅ Bleeping Computer ⋅ Lawrence Abrams
TrickBot gang developer arrested when trying to leave Korea
Diavol TrickBot

2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader

2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
BlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware
Cobalt Strike Dridex

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-12 ⋅ Cisco Talos ⋅ Vanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper

2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report
BazarCall to Conti Ransomware via Trickbot and Cobalt Strike
BazarBackdoor Cobalt Strike Conti TrickBot

2021-07-30 ⋅ HP ⋅ Patrick Schläpfer
Detecting TA551 domains
Valak Dridex IcedID ISFB QakBot

2021-07-21 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting Trickbot with Splunk
TrickBot

2021-07-12 ⋅ Bitdefender ⋅ Radu Tudorica, Bogdan Botezatu
A Fresh Look at Trickbot’s Ever-Improving VNC Module
TrickBot

2021-07-06 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TA505 adds GoLang crypter for delivering miners and ServHelper
ServHelper

2021-07-02 ⋅ MalwareBookReports ⋅ muzi
Skip the Middleman: Dridex Document to Cobalt Strike
Cobalt Strike Dridex

2021-07-02 ⋅ The Record ⋅ Catalin Cimpanu
TrickBot: New attacks see the botnet deploy new banking module, new ransomware
TrickBot

2021-07-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
TrickBot and Zeus
TrickBot Zeus

2021-06-30 ⋅ Advanced Intelligence ⋅ Yelisey Boguslavskiy, Brandon Rudisel, AdvIntel Security & Development Team
Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
BlackKingdom Ransomware Clop dearcry Hades REvil

2021-06-25 ⋅ KrCert ⋅ Kayoung Kim, Dongwook Kim, Taewoo Lee, Seulgi Lee
Attack patterns in AD environment
Clop

2021-06-24 ⋅ Binance ⋅ Binance
Binance Helps Take Down Cybercriminal Ring Laundering $500M in Ransomware Attacks
Clop

2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, Kirk Sayre, dao ming si
Tweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs
Cobalt Strike Dridex

2021-06-16 ⋅ Youtube (Національна поліція України) ⋅ Національна поліція України
Кіберполіція викрила хакерське угруповання у розповсюдженні вірусу-шифрувальника (Clop operators)
Clop

2021-06-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Ukrainian Police Nab Six Tied to CLOP Ransomware
Clop

2021-06-16 ⋅ The Record ⋅ Catalin Cimpanu
Ukrainian police arrest Clop ransomware members, seize server infrastructure
Clop

2021-06-16 ⋅ Proofpoint ⋅ Selena Larson, Daniel Blackford, Garrett M. Graff
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker

2021-06-16 ⋅ Національної поліції України ⋅ Національна поліція України
Cyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to foreign companies
Clop Cobalt Strike FlawedAmmyy

2021-06-15 ⋅ Trend Micro ⋅ Janus Agcaoili, Miguel Ang, Earle Earnshaw, Byron Gelera, Nikko Tamana
Ransomware Double Extortion and Beyond: REvil, Clop, and Conti
Clop Conti REvil

2021-06-08 ⋅ Intel 471 ⋅ Intel 471
The blurry boundaries between nation-state actors and the cybercrime underground
Dridex Gameover P2P

2021-06-07 ⋅ Medium walmartglobaltech ⋅ Joshua Platt, Jason Reaves
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot

2021-06-04 ⋅ The Record ⋅ Catalin Cimpanu
US arrests Latvian woman who worked on Trickbot malware source code
TrickBot

2021-06-04 ⋅ Department of Justice ⋅ Office of Public Affairs
Latvian National Charged for Alleged Role in Transnational Cybercrime Organization
TrickBot

2021-06-03 ⋅ YouTube (FIRST) ⋅ Felipe Domingues, Gustavo Palazolo
Breaking Dridex Malware
Dridex

2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-13 ⋅ AWAKE ⋅ Kieran Evans
Catching the White Stork in Flight
Cobalt Strike MimiKatz RMS

2021-05-11 ⋅ Mal-Eats ⋅ mal_eats
Campo, a New Attack Campaign Targeting Japan
AnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader

2021-05-11 ⋅ CrowdStrike ⋅ The Falcon Complete Team
Response When Minutes Matter: Rising Up Against Ransomware
TinyMet

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-05-10 ⋅ Mal-Eats ⋅ mal_eats
Overview of Campo, a new attack campaign targeting Japan
AnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader

2021-05-05 ⋅ RiskIQ ⋅ Kelsey Clapp
Viruses to Violations - TrickBot's Shift in Tactics During the Pandemic
TrickBot

2021-05-03 ⋅ splunk ⋅ Splunk Threat Research Team
Clop Ransomware Detection: Threat Research Release, April 2021
Clop

2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Brief: Creds and Beacons
Cobalt Strike TrickBot

2021-04-26 ⋅ CoveWare ⋅ CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt

2021-04-25 ⋅ Vulnerability.ch Blog ⋅ Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil

2021-04-21 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Suriya Natarajan, Anand Aijan, Michael Wood, Sivagnanam Gn, Markel Picado, Andrew Brandt
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-15 ⋅ Proofpoint ⋅ Selena Larson
Threat Actors Pair Tax-Themed Lures With COVID-19, Healthcare Themes
Dridex TrickBot

2021-04-15 ⋅ Twitter (@felixw3000) ⋅ Felix
Tweet on Dridex's evasion technique
Dridex

2021-04-14 ⋅ Vice ⋅ Lorenzo Franceschi-Bicchierai
Meet The Ransomware Gang Behind One of the Biggest Supply Chain Hacks Ever
Clop

2021-04-13 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos
Threat Assessment: Clop Ransomware
Clop

2021-04-13 ⋅ splunk ⋅ Splunk Threat Research Team
Detecting Clop Ransomware
Clop

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-04-06 ⋅ Intel 471 ⋅ Intel 471
EtterSilent: the underground’s new favorite maldoc builder
BazarBackdoor ISFB QakBot TrickBot

2021-04-06 ⋅ Lexfo ⋅ Lexfo
Dridex Loader Analysis
Dridex

2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
TrickBot Crews New CobaltStrike Loader
Cobalt Strike TrickBot

2021-03-31 ⋅ Kaspersky ⋅ Kaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus

2021-03-31 ⋅ Red Canary ⋅ Red Canary
2021 Threat Detection Report
Shlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot

2021-03-29 ⋅ VMWare Carbon Black ⋅ Jason Zhang, Oleg Boyarchuk, Giovanni Vigna
Dridex Reloaded: Analysis of a New Dridex Campaign
Dridex

2021-03-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware gang urges victims’ customers to demand a ransom payment
Clop

2021-03-21 ⋅ Blackberry ⋅ Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot

2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
SilverFish GroupThreat Actor Report
Cobalt Strike Dridex Koadic

2021-03-17 ⋅ HP ⋅ HP Bromium
Threat Insights Report Q4-2020
Agent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader

2021-03-17 ⋅ CISA ⋅ US-CERT
Alert (AA21-076A): TrickBot Malware
TrickBot

2021-03-11 ⋅ Flashpoint ⋅ Flashpoint
CL0P and REvil Escalate Their Ransomware Tactics
Clop REvil

2021-03-11 ⋅ IBM ⋅ Dave McMillen, Limor Kessem
Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
Cutwail Dridex

2021-03-02 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles
An Exhaustively-Analyzed IDB for FlawedGrace
FlawedGrace

2021-03 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader

2021-02-28 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team

2021-02-25 ⋅ ANSSI ⋅ CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot

2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE
X-Force Threat Intelligence Index 2021
Emotet QakBot Ramnit REvil TrickBot

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-22 ⋅ FireEye ⋅ Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody
Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
DEWMODE Clop

2021-02-15 ⋅ Medium s2wlab ⋅ Sojun Ryu
Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker

2021-02-08 ⋅ ESET Research ⋅ ESET Research
THREAT REPORT Q4 2020
TrickBot

2021-02-07 ⋅ Technical Blog of Ali Aqeel ⋅ Ali Aqeel
Dridex Malware Analysis
Dridex

2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report
Tweet on recent dridex post infection activity
Cobalt Strike Dridex

2021-02-02 ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-01 ⋅ Kryptos Logic ⋅ Kryptos Logic Vantage Team
Trickbot masrv Module
TrickBot

2021-02-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
Dridex Emotet Makop Ransomware SmokeLoader TrickBot

2021-01-28 ⋅ Youtube (Virus Bulletin) ⋅ Benoît Ancel
The Bagsu banker case
Azorult DreamBot Emotet Pony TrickBot ZeusAction

2021-01-26 ⋅ IBM ⋅ Nir Shwarts
TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
TrickBot

2021-01-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Anchor and Lazarus together again?
Anchor TrickBot

2021-01-19 ⋅ HP ⋅ Patrick Schläpfer
Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
Dridex

2021-01-19 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Examining Emotet Infection Traffic
Emotet GootKit IcedID QakBot TrickBot

2021-01-19 ⋅ Medium elis531989 ⋅ Eli Salem
Funtastic Packers And Where To Find Them
Get2 IcedID QakBot

2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report
Trickbot Still Alive and Well
Cobalt Strike TrickBot

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2021-01-06 ⋅ DomainTools ⋅ Joe Slowik
Holiday Bazar: Tracking a TrickBot-Related Ransomware Incident
BazarBackdoor TrickBot

2021-01-05 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
[Threat Analysis] CLOP Ransomware that Attacked Korean Distribution Giant
Clop

2021-01-04 ⋅ SentinelOne ⋅ Marco Figueroa
Building a Custom Malware Analysis Lab Environment
TrickBot

2021-01-04 ⋅ Check Point ⋅ Check Point Research
DRIDEX Stopping Serial Killer: Catching the Next Strike
Dridex

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD BLACKBURN
Buer Dyre TrickBot WIZARD SPIDER

2021 ⋅ Secureworks ⋅ SecureWorks
Threat Profile: GOLD HERON
DoppelPaymer Dridex Empire Downloader DOPPEL SPIDER

2021 ⋅ SecureWorks
Threat Profile: GOLD DRAKE
Cobalt Strike Dridex FriedEx Koadic MimiKatz WastedLocker Evil Corp

2020-12-21 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Edsel Valle
TrickBot: A Closer Look
TrickBot

2020-12-18 ⋅ Intel 471 ⋅ Intel 471
TA505’s modified loader means new attack campaign could be coming
Get2

2020-12-15 ⋅ Twitter (@darb0ng) ⋅ Minhee Lee
Tweet on Symrise group hit by Clop Ransomware
Clop

2020-12-14 ⋅ Blueliv ⋅ Alberto Marín, Carlos Rubio, Blueliv Labs Team
Using Qiling Framework to Unpack TA505 packed samples
AndroMut Azorult Silence TinyMet

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot

2020-12-10 ⋅ CyberInt ⋅ CyberInt
Ryuk Crypto-Ransomware
Ryuk TrickBot

2020-12-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ransomware gang says they stole 2 million credit cards from E-Land
Clop

2020-12-03 ⋅ Eclypsium ⋅ Eclypsium
TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit
TrickBot

2020-12-02 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team
CLOP Ransomware Report
Clop

2020-11-23 ⋅ S2W LAB Inc. ⋅ TALON
[S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident
Clop

2020-11-23 ⋅ Bitdefender ⋅ Liviu Arsene, Radu Tudorica
TrickBot is Dead. Long Live TrickBot!
TrickBot

2020-11-22 ⋅ malware.love ⋅ Robert Giczewski
Trickbot tricks again [UPDATE]
TrickBot

2020-11-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
LightBot: TrickBot’s new reconnaissance malware for high-value targets
LightBot TrickBot

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-18 ⋅ Sophos ⋅ Sophos
SOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world
Agent Tesla Dridex TrickBot Zloader

2020-11-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez
Tweet on a new fileless TrickBot loading method using code from MemoryModule
TrickBot

2020-11-17 ⋅ malware.love ⋅ Robert Giczewski
Trickbot tricks again
TrickBot

2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse
Easily Identify Malicious Servers on the Internet with JARM
Cobalt Strike TrickBot

2020-11-16 ⋅ Fox-IT ⋅ Antonis Terefos, Anne Postma, Tera0017
TA505: A Brief History Of Their Time
Clop Get2 SDBbot TA505

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX

2020-11-12 ⋅ Hurricane Labs ⋅ Dusty Miller
Splunking with Sysmon Part 4: Detecting Trickbot
TrickBot

2020-11-12 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
Biotech research firm Miltenyi Biotec hit by ransomware, data leaked
SDBbot

2020-11-10 ⋅ Intel 471 ⋅ Intel 471
Trickbot down, but is it out?
BazarBackdoor TrickBot

2020-11-05 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT, Vyacheslav Kopeytsev
Attackson industrial enterprises using RMS and TeamViewer: new data
RMS

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot

2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot

2020-10-29 ⋅ CERT-FR ⋅ CERT-FR
LE MALWARE-AS-A-SERVICE EMOTET
Dridex Emotet ISFB QakBot

2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878

2020-10-26 ⋅ Arbor Networks ⋅ Suweera De Souza
Dropping the Anchor
AnchorDNS Anchor TrickBot

2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt

2020-10-20 ⋅ Microsoft ⋅ Tom Burt
An update on disruption of Trickbot
TrickBot

2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot

2020-10-20 ⋅ Intel 471 ⋅ Intel 471
Global Trickbot disruption operation shows promise
TrickBot

2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot

2020-10-16 ⋅ Duo ⋅ Dennis Fisher
Trickbot Up to Its Old Tricks
TrickBot

2020-10-15 ⋅ Department of Justice ⋅ Department of Justice
Officials Announce International Operation Targeting Transnational Criminal Organization QQAAZZ that Provided Money Laundering Services to High-Level Cybercriminals
Dridex ISFB TrickBot

2020-10-15 ⋅ Intel 471 ⋅ Intel 471
That was quick: Trickbot is back after disruption attempts
TrickBot

2020-10-12 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Trickbot disrupted
TrickBot

2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot

2020-10-12 ⋅ ESET Research ⋅ Jean-Ian Boutin
ESET takes part in global operation to disrupt Trickbot
TrickBot

2020-10-12 ⋅ Lumen ⋅ Black Lotus Labs
A Look Inside The TrickBot Botnet
TrickBot

2020-10-12 ⋅ Tenable ⋅ Satnam Narang
CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities
TA505

2020-10-12 ⋅ Microsoft ⋅ Tom Burt
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot

2020-10-12 ⋅ US District Court for the Eastern District of Virginia
TRICKBOT complaint
TrickBot

2020-10-10 ⋅ The Washington Post ⋅ Ellen Nakashima
Cyber Command has sought to disrupt the world’s largest botnet, hoping to reduce its potential impact on the election
TrickBot

2020-10-08 ⋅ ZDNet ⋅ Catalin Cimpanu
German tech giant Software AG down after ransomware attack
Clop

2020-10-08 ⋅ Bromium ⋅ Alex Holland
Droppers, Downloaders and TrickBot: Detecting a Stealthy COVID-19-themed Campaign using Toolmarks
TrickBot

2020-10-06 ⋅ Telekom ⋅ Thomas Barabosch
Eager Beaver: A Short Overview of the Restless Threat Actor TA505
Clop Get2 SDBbot TA505

2020-10-03 ⋅ Avira ⋅ Avira Protection Labs
TA505 targets the Americas in a new campaign
ServHelper

2020-10-03 ⋅ Wikipedia ⋅ Wikpedia
Wikipedia Page: Maksim Yakubets
Dridex Feodo Evil Corp

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Attacks Aimed at Disrupting the Trickbot Botnet
TrickBot

2020-09-30 ⋅ CERT-XLM ⋅ Paul Jung
Another Threat Actor day...
SDBbot

2020-09-29 ⋅ PWC UK ⋅ Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker

2020-09-29 ⋅ Microsoft ⋅ Microsoft
Microsoft Digital Defense Report
Emotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot

2020-09-22 ⋅ OSINT Fans ⋅ Gabor Szathmari
What Service NSW has to do with Russia?
TrickBot

2020-09-18 ⋅ AppGate ⋅ Gustavo Palazolo, Felipe Duarte
Reverse Engineering Dridex and Automating IOC Extraction
Dridex

2020-09-16 ⋅ Intel 471 ⋅ Intel 471
Partners in crime: North Koreans and elite Russian-speaking cybercriminals
TrickBot

2020-09-10 ⋅ SANS ISC InfoSec Forums ⋅ Brad Duncan
Recent Dridex activity
Dridex

2020-09-07 ⋅ Github (pan-unit42) ⋅ Brad Duncan
Collection of recent Dridex IOCs
Cutwail Dridex

2020-08-31 ⋅ cyber.wtf blog ⋅ Luca Ebach
Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
TrickBot

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-21 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Wireshark Tutorial: Decrypting HTTPS Traffic
Dridex

2020-08-20 ⋅ CERT-FR ⋅ CERT-FR
Development of the Activity of the TA505 Cybercriminal Group
AndroMut Bart Clop Dridex FlawedAmmyy FlawedGrace Get2 Locky Marap QuantLoader SDBbot ServHelper tRat TrickBot

2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk

2020-08-09 ⋅ F5 Labs ⋅ Remi Cohen, Debbie Walkowski
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus

2020-08-03 ⋅ The DFIR Report
Dridex – From Word to Domain Dominance
Dridex

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt
Enter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)
ISFB Maze TrickBot Zloader

2020-07-21 ⋅ YouTube ( OPCDE with Matt Suiche) ⋅ Mohamad Mokbel
vOPCDE #9 - A Journey into Malware HTTP Communication Channels Spectacles (Mohamad Mokbel)
Alureon Aytoke Cobra Carbon System CROSSWALK danbot ProtonBot Silence

2020-07-20 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Emotet-TrickBot malware duo is back infecting Windows machines
Emotet TrickBot

2020-07-17 ⋅ CERT-FR ⋅ CERT-FR
The Malware Dridex: Origins and Uses
Andromeda CryptoLocker Cutwail DoppelPaymer Dridex Emotet FriedEx Gameover P2P Gandcrab ISFB Murofet Necurs Predator The Thief Zeus

2020-07-15 ⋅ Intel 471 ⋅ Intel 471
Flowspec – TA505’s bulletproof hoster of choice
Get2

2020-07-15 ⋅ Mandiant ⋅ Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt
Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families
Clop DoppelPaymer LockerGoga Maze MegaCortex Nefilim Snake

2020-07-13 ⋅ JoeSecurity ⋅ Joe Security
TrickBot's new API-Hammering explained
TrickBot

2020-07-11 ⋅ BleepingComputer ⋅ Lawrence Abrams
TrickBot malware mistakenly warns victims that they are infected
TrickBot

2020-07-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez
TrickBot Group Launches Test Module Alerting on Fraud Activity
TrickBot

2020-07-09 ⋅ Gdata ⋅ G DATA Security Lab
ServHelper: Hidden Miners
ServHelper

2020-07-07 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab
Clop, Clop! It’s a TA505 HTML malspam analysis
Clop Get2

2020-07-06 ⋅ NTT ⋅ Security division of NTT Ltd.
TrickBot variant “Anchor_DNS” communicating over DNS
AnchorDNS TrickBot

2020-06-24 ⋅ Morphisec ⋅ Arnold Osipov
Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex
Dridex ISFB QakBot Zloader

2020-06-22 ⋅ CERT-FR ⋅ CERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-06-22 ⋅ Sentinel LABS ⋅ Joshua Platt, Jason Reaves
Inside a TrickBot Cobalt Strike Attack Server
Cobalt Strike TrickBot

2020-06-22 ⋅ BleepingComputer ⋅ Lawrence Abrams
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Clop

2020-06-19 ⋅ Reaqta ⋅ Reaqta
Dridex: the secret in a PostMessage()
Dridex

2020-06-17 ⋅ Youtube (Red Canary) ⋅ Erika Noerenberg, Matt Graeber, Adam Pennington, David Kaplan
ATT&CK® Deep Dive: Process Injection
ISFB Ramnit TrickBot

2020-06-17 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez, malwrhunterteam
Tweet on signed Tinymet payload (V.02) used by TA505
TinyMet

2020-06-17 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence
A tweet thread on TA505 using CAPTCHA to avoid detection and infecting victims with FlawedGrace
FlawedGrace

2020-06-16 ⋅ Telekom ⋅ Thomas Barabosch
TA505 returns with a new bag of tricks
Clop Get2 SDBbot TA505

2020-06-15 ⋅ Fortinet ⋅ Val Saengphaibul, Fred Gutierrez
Global Malicious Spam Campaign Using Black Lives Matter as a Lure
TrickBot

2020-06-12 ⋅ Hornetsecurity ⋅ Security Lab
Trickbot Malspam Leveraging Black Lives Matter as Lure
TrickBot

2020-06-11 ⋅ Cofense ⋅ Jason Meurer
All You Need Is Text: Second Wave
TrickBot

2020-06-05 ⋅ Votiro ⋅ Votiro’s Research Team
Anatomy of a Well-Crafted UPS, FedEx, and DHL Phishing Email During COVID-19
Dridex

2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani
Evolution of Excel 4.0 Macro Weaponization
Agent Tesla DanaBot ISFB TrickBot Zloader

2020-05-31 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
WastedLoader or DridexLoader?
Dridex WastedLocker

2020-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan
Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module
TrickBot

2020-05-27 ⋅ GAIS-CERT ⋅ GAIS-CERT
Dridex Banking Trojan Technical Analysis Report
Dridex

2020-05-25 ⋅ CERT-FR ⋅ CERT-FR
INDICATEURS DE COMPROMISSION DU CERT-FR - Objet: Le code malveillant Dridex
Dridex

2020-05-25 ⋅ CERT-FR ⋅ CERT-FR
Le Code Malveillant Dridex: Origines et Usages
Dridex

2020-05-24 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: network infrastructure. Part 3.
AndroMut Buhtrap SmokeLoader

2020-05-22 ⋅ Positive Technologies ⋅ PT ESC Threat Intelligence
Operation TA505: investigating the ServHelper backdoor with NetSupport RAT. Part 2.
NetSupportManager RAT ServHelper

2020-05-21 ⋅ Intel 471 ⋅ Intel 471
A brief history of TA505
AndroMut Bart Dridex FlawedAmmyy FlawedGrace Gandcrab Get2 GlobeImposter Jaff Kegotip Locky Necurs Philadephia Ransom Pony QuantLoader Rockloader SDBbot ServHelper Shifu Snatch TrickBot

2020-05-20 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence
Operation TA505: how we analyzed new tools from the creators of the Dridex trojan, Locky ransomware, and Neutrino botnet
FlawedAmmyy

2020-05-19 ⋅ AlienLabs ⋅ Ofer Caspi
TrickBot BazarLoader In-Depth
Anchor BazarBackdoor TrickBot

2020-05-18 ⋅ Threatpost ⋅ Tara Seals
Ransomware Gang Arrested for Spreading Locky to Hospitals
Locky

2020-05-14 ⋅ SentinelOne ⋅ Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
TrickBot

2020-04-23 ⋅ CERT-FR ⋅ CERT-FR
LE GROUPE CYBERCRIMINEL SILENCE
Silence

2020-04-14 ⋅ Intrinsec ⋅ Jean Bichet
Deobfuscating and hunting for OSTAP, Trickbot’s dropper and best friend
ostap TrickBot

2020-04-14 ⋅ Intel 471 ⋅ Intel 471
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot

2020-04-14 ⋅ SecurityIntelligence ⋅ Melissa Frydrych
TA505 Continues to Infect Networks With SDBbot RAT
SDBbot TinyMet TA505

2020-04-09 ⋅ Zscaler ⋅ Atinderpal Singh, Abhay Yadav
TrickBot Emerges with a Few New Tricks
TrickBot

2020-04-09 ⋅ Github (Tera0017) ⋅ Tera0017
SDBbot Unpacker
SDBbot

2020-04-08 ⋅ SentinelOne ⋅ Jason Reaves
Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations
Anchor TrickBot

2020-04-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
How Cyber Adversaries are Adapting to Exploit the Global Pandemic
GOLD SOUTHFIELD TA2101 TA505 WIZARD SPIDER

2020-04-07 ⋅ SecurityIntelligence ⋅ Ole Villadsen
ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
More_eggs Anchor TrickBot

2020-04-01 ⋅ Cisco ⋅ Shyam Sundar Ramaswami, Andrea Kaiser
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot

2020-03-31 ⋅ Cisco Talos ⋅ Chris Neal
Trickbot: A primer
TrickBot

2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878

2020-03-30 ⋅ Intezer ⋅ Michael Kajiloti
Fantastic payloads and where we find them
Dridex Emotet ISFB TrickBot

2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop