惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
F
Fortinet All Blogs
H
Heimdal Security Blog
S
Schneier on Security
L
LangChain Blog
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
NISL@THU
NISL@THU
P
Palo Alto Networks Blog
J
Java Code Geeks
博客园 - 【当耐特】
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
I
InfoQ
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CERT Recently Published Vulnerability Notes
T
Tenable Blog
腾讯CDC
C
Check Point Blog
量子位
M
MIT News - Artificial intelligence
GbyAI
GbyAI
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
小众软件
小众软件
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
V2EX - 技术
V2EX - 技术
T
Threatpost
Engineering at Meta
Engineering at Meta
Attack and Defense Labs
Attack and Defense Labs
T
Tailwind CSS Blog
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
爱范儿
爱范儿

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Recent Trickbot disruption operation likely to have only short-term impact
Intel 471 · 2020-10-14 · via Intel 471 Blog

Key points

  • Recent disruption actions against Trickbot likely will have only a short-term impact on Trickbot operations.
  • Trickbot operators have multiple methods to avoid centralization of their command and control infrastructure which would make the botnet resilient to take down.
  • If bogus data has been inserted into Trickbot as claimed and Trickbot operators are unable to filter out this bogus data, Trickbot-related intrusion activity may decrease in the short term.
  • Trickbot is a sophisticated operation administered by skilled and experienced cybercriminals for many years. It is unlikely to be shut down without successful law enforcement action.
  • Significant disruption of Trickbot likely would require an operation to remove infections en masse in conjunction with action against Trickbot’s servers, operators and infrastructure.
  • Even in the unlikely event all current Trickbot-infected systems are disinfected en masse, the operators behind Trickbot will have little problem rebuilding the botnet with new infections.

Background

On Oct. 10, 2020, the Washington Post reported that “four U.S. officials” claimed U.S. Cyber Command was conducting an operation to disrupt the Trickbot botnet. This action first was identified by Intel 471’s Malware Intelligence systems Sept. 22, 2020. On Oct. 12, 2020, Microsoft announced legal action against Trickbot. An assessment of the outcomes of U.S. Cyber Command operation and Microsoft’s separate legal action against Trickbot up to Oct. 12, 2020, is contained within this report. We do not assess the future likelihood or future potential impact of U.S. Cyber Command or Microsoft carrying out additional action against Trickbot in this report.

Observed activity

The following is a chronology of activity that Intel 471 observed and previously reported:

SPOTREP published Sept. 22, 2020:

On Sept. 22, 2020, Malware Intelligence systems monitoring the Trickbot trojan malware detected a possible attempt to disrupt the Trickbot botnet. The Trickbot malware controllers issued bogus configurations to bots, listing the localhost address instead of real TrickBot controllers. Trickbot bots therefore were unable to "call home" to receive commands. Shortly after the bogus configs were pushed out, all Trickbot controllers stopped responding correctly to bot requests. This possibly means central Trickbot controller infrastructure was disrupted. The close timing of both events suggested an intentional disruption of Trickbot botnet operations. We will continue to monitor Trickbot behavior and report any additional state changes.

SPOTREP published Sept. 23, 2020:

On Sept. 22, 2020, the Trickbot operators showed signs of restoring their disabled botnet operations. The botnet was disrupted in the early morning of Sept. 22, 2020. The first signs of restoration were controllers responding to bot requests, although the controllers still were sending bogus configurations. Later on Sep. 22, 2020, Trickbot controllers began sending proper configs to any bots still checking in. The damage to the Trickbot botnet is unknown, but it is very likely several thousands of bots were lost. However, the controller infrastructure appeared to be stable now and Trickbot operations undoubtedly will resume. We assess this act of sabotage most likely to be the work of a vigilante researcher, although other scenarios also are possible.

SPOTREP published Oct. 1, 2020:

Early on Oct. 1, 2020, Intel 471 Malware Intelligence systems monitoring the Trickbot trojan detected a second possible attempt to disrupt the Trickbot botnet. Much the same way as the first attempt Sept. 22, 2020, Trickbot malware controllers issued false configurations to bots listing the local host address instead of real Trickbot controllers. Several hours elapsed before the botnet operation was restored after the first disruption attempt, which possibly resulted in the loss of many bots from the botnet. We continue to monitor Trickbot behavior and intend to report any additional state changes.

Figure 1 below shows unique Trickbot controllers responding to emulated bots via our Malware Emulation and Tracking System (METS) between Sept. 10, 2020 and Oct. 10, 2020. Disruption activity, illustrated by the significant drop in controller responses, can clearly be seen starting on both Sept. 22, 2020 and Oct. 1, 2020.

Fig.1: Trickbot unique controllers successfully responding to bot requests per day showing disruption activity up to Oct 10, 2020.

Fig.1: Trickbot unique controllers successfully responding to bot requests per day showing disruption activity up to Oct 10, 2020.

Trickbot command and control servers disrupted by Microsoft

On Oct. 12, 2020, Microsoft issued a public statement that they had taken legal action to “combat ransomware ahead of U.S. elections.” The legal action involved Microsoft attempting to disrupt a number of Trickbot command and control server IP addresses that are in the United States. See Appendix 1 - Command and control servers Microsoft is attempting to disrupt for information on the specific IP addresses that Microsoft was attempting to disrupt. Since Aug. 1, 2020, Intel 471 has seen 579 unique IP addresses that were listed by the Trickbot operators as Trickbot command and control servers. Of those 579 IP addresses, Intel 471 was able to validate that 60 IP addresses were active and working Trickbot command and control servers.

Trickbot status as of Oct. 12, 2020

A review of current Trickbot activity revealed that at the time of this report, 50 unique IP addresses currently are being listed by the Trickbot operators as Trickbot command and control servers. On Oct. 12, 2020, and of the 50 IP addresses, Intel 471 confirmed a total of 19 unique Trickbot control servers were active and working. Microsoft’s list of Trickbot IP addresses contained four IP addresses at the time of this report and were being pushed by Trickbot’s operators as Trickbot command and control servers. At the time of this report, Intel 471 has not seen any significant impact on Trickbot’s infrastructure and ability to communicate with Trickbot-infected systems.

Trickbot uses decentralized infrastructure to avoid takedowns

Trickbot’s primary command and control mechanism supports communication over the Onion Router (Tor) and a fall-back method that uses the decentralized domain name system EmerDNS. As a result, it is highly likely a takedown of the Trickbot infrastructure would have little medium- to long-term impact on the operation of Trickbot.

EmerDNS provides the Trickbot operators with a setup that is decentralized, has no single-controlling entity and is resilient to takedown. In the event all Trickbot infrastructure is taken down, the cybercriminals behind Trickbot will need to rebuild their servers and change their EmerDNS domain to point to their new servers. Compromised systems then should be able to connect to the new Trickbot infrastructure.

Trickbot’s EmerDNS fallback domain safetrust.bazar recently resolved to the IP address 195.123.237.156. Not coincidentally, this network neighborhood also hosts Bazar malware control servers. Researchers previously attributed the development of the Bazar malware family to the same group behind Trickbot, due to code similarities with the Anchor malware family and its methods of operation, such as shared infrastructure between Anchor and Bazar. On Oct. 12, 2020, the fallback domain resolved to the IP address 23.92.93.233, which was confirmed by Intel 471 Malware Intelligence systems to be a Trickbot controller URL in May 2019. This suggests the fallback domain still was controlled by the Trickbot operators at the time of this report.

Bogus data reportedly inserted into Trickbot’s servers could reduce Trickbot derived intrusion activity in the short term

On Oct. 2, 2020, Brian Krebs reported on the disruption attempts against Trickbot. While we are unable to verify the information, Alex Holden of Hold Security claimed someone “is flooding the Trickbot system with fake data” and that the records generated include “machine names indicating these are infected systems in a broad range of organizations.” Intel 471 believes the operators and customers of Trickbot are experienced in triaging the large amount of compromised systems to find systems of interest for subsequent and manually driven intrusion activity depending on the target. For example, on Sept. 16, 2020, Intel 471 publicly reported access to infected systems associated with financial institutions occasionally was being provided to North Korean threat actors.

Since we are unable to verify the information, we are unable to assess whether inserted bogus data can be easily filtered out by the Trickbot operators or whether the insertion of bogus data into Trickbot’s servers is continuing. We also are unable to assess how bogus data may have been inserted, i.e., via direct access to the database or via emulating real victims connecting to Trickbot command-and-control servers. If bogus data has been inserted and it is indistinguishable from real data, Trickbot-related intrusion activity should be reduced in the immediate future.

Significant disruption requires removing Trickbot infections en masse in conjunction with action against Trickbot servers, operators and infrastructure

Given that Trickbot’s operators implemented decentralized command-and-control methods, one of the only viable options to impact current Trickbot infections en masse is to push an update to all infected systems that would remove Trickbot itself. Legal and ethical issues withstanding, this would disrupt the operations of Trickbot until they were able to obtain new infections. Simultaneous offensive action against Trickbot servers, operators and infrastructure also could disrupt their operations further. A denial-of-service attack is one example of an offensive disruption approach that could be undertaken but this also has ethical and legal considerations to consider.

Trickbot operators continue to be able to obtain new infections

Trickbot is spread by several different groups that often employ distinct methods with its primary spreading method being via spam emails. Without major action against Trickbot’s core infrastructure the groups leveraging the malware will be able to replenish their numbers in a relatively short period of time.

Trickbot likely will not be stopped without successful and coordinated law enforcement action

Trickbot is a large, well-established and long-running criminal operation which will remain difficult to stop without coordination, cooperation and action with numerous stakeholders including international law enforcement, governments and the security community.

Changing the calculus of cybercriminals requires novel solutions

Western law enforcement has embraced public indictments to remove the anonymity of cybercriminals who consider themselves safe from apprehension. Regardless of that, deterring cybercriminals in overseas jurisdictions that do not cooperate with western law enforcement requires novel solutions. Examples of this could include direct targeting of cybercriminals’ personal computers, releasing their personal information publicly and targeting of their financial assets. It is expected cybercriminals would hold considerable sums of funds within cryptocurrencies which could be impacted through offensive operations and asset seizures.

Appendix 1 - Command and control servers Microsoft is attempting to disrupt

Microsoft submitted a court order to disrupt the below IP addresses:

IP AddressLast ActivityIntel 471 Description
104.161.32.1032020-10-06Bazar and Trickbot controllers
104.161.32.1052020-10-12Trickbot controller
104.161.32.1062020-10-12Trickbot controller
104.161.32.1092020-07-13Trickbot controller
104.161.32.1182020-10-12Trickbot controller
104.193.252.2212020-09-24Emotet download location (used by Trickbot to download Emotet)
107.155.137.192020-04-19Trickbot controller
107.155.137.282020-09-25Trickbot controller
107.155.137.72020-10-06Bazar and Trickbot controllers
162.216.0.1632020-05-28Trickbot download location (used to distribute Trickbot)
23.239.84.1322020-10-06Bazar and Trickbot controllers
107.174.192.1622020-10-12Trickbot controller
107.175.184.2012020-09-29Trickbot controller
139.60.163.452020-09-30Bazar and Trickbot controllers
156.96.46.27N/AUnknown
195.123.241.132020-10-12Trickbot controller
195.123.241.552020-10-12Trickbot controller
162.247.155.1652020-06-24Trickbot controller