惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
S
Secure Thoughts
月光博客
月光博客
美团技术团队
雷峰网
雷峰网
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Forbes - Security
Forbes - Security
W
WeLiveSecurity
P
Proofpoint News Feed
阮一峰的网络日志
阮一峰的网络日志
爱范儿
爱范儿
G
GRAHAM CLULEY
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
AI
AI
Last Week in AI
Last Week in AI
Google Online Security Blog
Google Online Security Blog
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Recent Announcements
Recent Announcements
Webroot Blog
Webroot Blog
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
N
News and Events Feed by Topic
罗磊的独立博客
The Register - Security
The Register - Security
Blog — PlanetScale
Blog — PlanetScale
T
Threat Research - Cisco Blogs
博客园 - 【当耐特】
Apple Machine Learning Research
Apple Machine Learning Research
人人都是产品经理
人人都是产品经理
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
B
Blog
腾讯CDC
Microsoft Azure Blog
Microsoft Azure Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hacker News: Front Page
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Engineering at Meta
Engineering at Meta
Latest news
Latest news
IT之家
IT之家
D
DataBreaches.Net
博客园 - 司徒正美
N
Netflix TechBlog - Medium
V
V2EX
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知

Intel 471 Blog

TeamPCP Supply Chain Attacks Turning Geopolitical Tension into Actionable Intelligence CVE-2025-68613: Zerobot botnet exploits critical vulnerability impacting n8n AI orchestration platform Introducing Cyber Threat Exposure Bundle: A Unified Approach to External Risk CVE-2026-20127: Critical Cisco SD-WAN vulnerability exploited in wild Handala Threat Group OpenClaw: A viral AI assistant and a magnet for infostealer malware and ClickFix trickery Israeli, US strikes against Iran triggers a surge in hacktivist activity CVE-2026-1731: Finding a critical RCE in an age of AI-driven vulnerability research Born to bypass MFA: Taking down Tycoon 2FA The UK Cyber Security Resilience Bill How AI and the human advantage beat tomorrow’s threats Winter Olympics 2026: Hacktivism Surges Ahead of Protests and Suspected Sabotage How Threat Hunting and “Good” Metrics Help The Business Likely fake ransomware operator 0APT causes panic — Our analysis Hunting APTs: from state policy to TTPs CrazyHunter Ransomware DevMan Ransomware Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detections Battling check fraud in the U.S. Gootloader Malware Update Shai-Hulud Worm 2.0 New FvncBot Android banking trojan targets Poland White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Season Threat hunting case study: Detecting IAB activity Using deception to extract cyber threat intelligence Lynx Ransomware Qilin Ransomware Group ClickFix: Tricking users into installing infostealers Cybercrime Takedowns: Trust, Partnerships and Focus How card fraud is powered by underground card checkers Tracking down The Com Turning Chaos into Clarity: The Next Phase of Intel 471’s Geopolitical Intelligence Solution The FBI’s Group 78: Covertly fighting ransomware? How threat actors bypass multifactor authentication Crimson Collective In a digital age, US paper check fraud flourishes How you can defend against AI-driven fraud and phishing Detecting cybercriminal activity on Telegram NPM - Shai-Hulud Worm Threat hunting case study: ToolShell AMOS Stealer How AI can (and can’t) help in threat hunting The Phrack leak: Examining an APT’s workstation How initial access offers power intrusions and ransomware Drawing value from cyber threat intelligence “Pig-Butchering” Scams: The Dark Side of Social Engineering and Why Terminology Matters After disruption, XSS cybercrime forum faces loss of trust Update: Salt Typhoon Bridging the CTI Gap: New Exposure Modules on Verity471 Deliver Market-Disrupting Views of Threats Introducing Verity471: Cyber Threat Intelligence Ready to Operationalize FileFix Social Engineering Technique Guided Threat Hunts Takes Your Behavioral Threat Hunting to the Next Level Defending against doxing CVE-2025-53770 - Microsoft Sharepoint Mass Exploitation (ToolShell) Threat hunting case study: Lumma infostealer Pro-Russian hacktivism: Shifting alliances, new groups and risks mommy Access Broker NATO summit commences in tandem with tense cyber, kinetic conflict A look at ‘Tinker,’ Black Basta’s phishing fixer, negotiator Threat hunting case study: DragonForce Two critical challenges facing CTI teams and how to overcome them: Intel 471’s additional insights into the SANS 2025 CTI Survey Android malware trends: Stealthier, easier-to-use Fingerprinting threat actors by their anonymity techniques DanaBot malware disrupted, threat actors named Intel 471 brings HUNTER behavioral threat hunts to Google Security Operations SANS 2025 CTI Survey: It’s Business Time for Cyber Risk How an alleged Russian hacker slipped away Threat hunting case study: Medusa ransomware CVE-2025-31324 - SAP NetWeaver Vulnerability DragonForce Ransomware Managing a cyber crisis LabHost: A defunct but potent phishing service Understanding and threat hunting for RMM software misuse Threat-hunting case study: Windows Management Instrumentation abuse VanHelsing Ransomware An in-depth look at Black Basta's TTPs Six Key Takeaways From the SANS 2025 Threat Hunting Survey Update: Medusa Ransomware Writing high-quality IDS detection rules Threat hunting case study: RMM software Update: LockBit Ransomware Zservers: Bulletproof hosting for online crime Update: Black Basta Ransomware and Threat Group Black Basta exposed: A look at a cybercrime data leak BadPilot Campaign The evolution of Russian cybercrime Android trojan TgToxic updates its capabilities Threat hunting case study: SocGholish DeepSeek AI poses cybersecurity risks Law enforcement hammered cybercrime in 2024. Is it working? Remote Monitoring and Management (RMM) Abuse How threat actors are using artificial intelligence Threat hunting case study: PsExec How ransomware may trend in 2025 What 2025 May Hold for Cybersecurity Bring Your Own Hunts to HUNTER ‘Tis the Season to Be Alert for Cyber Threats: 5 Unjoyful Holiday Tactics Collecting Useful CTI from Underground Markets Expanding source coverage: adding Signal chats to threat intelligence
Understanding the relationship between Emotet, Ryuk and TrickBot
Intel 471 · 2020-04-15 · via Intel 471 Blog

By the Intel 471 Malware Intelligence team. One of the more notable relationships in the world of cybercrime is that between Emotet, Ryuk and TrickBot. This loader-ransomware-banker trifecta has wreaked havoc in the business world over the past two years, causing millions of dollars in damages and ransoms paid. Our Malware Intelligence team receives a lot of great questions from our clients on this subject, so we thought it would be good to do a Q/A style blog covering some of the more general questions.

Most perspectives on Ryuk come from a threat-hunting or incident-response point of view. In contrast, Intel 471's perspective is based on detailed knowledge of the malware itself and how it's being used. Our Malware Intelligence offering provides our clients with near real-time visibility into malware activity at the controller level. This activity includes infrastructure updates, new module/plugin downloads, targets being added to injects or configs, and many other data points.

Q: Are TrickBot campaigns operated by a single group?

A: TrickBot likely is operated by a single group as a malware-as-a-service (MaaS) platform that caters to a relatively small number of top-tier cybercriminals. Available information leads us to believe that individual TrickBot campaigns can be attributed to these different customers using the Group Tag (Gtag) parameter, and each customer may bring their own tactics, techniques and procedures (TTPs) and engage in highly targeted attacks.

Q: If multiple actors or groups are leveraging TrickBot, how is it possible to track the respective campaigns?

A: One technique is to focus on the Gtag parameter and map it to associated delivery methods. The Gtag value is hardcoded into each TrickBot sample and is thought to be a campaign identifier. For example, a Gtag could be “fred372,” where “fred” is the group ID and the numerical value is thought to be a specific campaign or wave that can be linked to a method of delivery.

Q: How many different Gtag values are out there and why are they significant?

A: It’s difficult to say exactly how many unique Gtag values there are, but we can offer some observations based on about 18 months of technical tracking and 37,000 unique TrickBot samples. We’ve seen about 1,000 unique Gtag values, but if we focus on just the group ID , there are only 59 unique values. The majority of samples in our data set — more than 92% — can be attributed to just a handful of group IDs — jim, lib, ono, sat and tot.

Furthermore, we can link the individual group IDs to specific spreading methods as previously mentioned. For example, It’s suspected that jimXX, libXX and totXX are primarily delivered by malspam. We know that every morXX-related sample we observed was delivered via Emotet. All samples attributed to sinXX, tinXX and winXX were delivered via Bokbot aka IcedID. Samples attributed to wmdXX seem to utilize several different loaders, such as Amadey, FastLoader and an unnamed loader. Lastly, satXX, summ1 and trg1 all utilized the Ostap JavaScript loader for delivery.

Aside from the tracking perspective, Gtags also are significant from an incident response point of view. For example, if TrickBot samples are found in workstations and analysis shows them to be from morXX campaigns, getting rid of the TrickBot infection will not ensure the cleaning of the network, as there likely also will be Emotet binaries there.

Q: Are the Ryuk outbreaks connected with any specific Gtag?

A: Given the targeted and manual nature of Ryuk delivery, it’s difficult to gain sufficient visibility into the samples to link them to specific Trickbot Gtags and Ryuk ransomware. However, from privately shared information, it appears that some Gtags are linked to the post-exploitation and deployment of Ryuk ransomware. The Gtag most often associated with Ryuk is said to be morXX. However, while the "mor" Group ID only surfaced in September 2019, the Trickbot to Ryuk connection has been observed since at least January 2019, and reportedly has been seen via other Gtags since then. One of those Gtags is onoXX which reportedly was linked to Ryuk attacks by several organizations in public information reports.

Q: Is there other specific behavior spotted with the morXX Gtag which has not been observed for other Gtag values?

A: Emotet malware typically is used as a loader for TrickBot campaigns, however, our monitoring registered 3 controller events — Feb. 7, 2020, April 1, 2020 and April 11 — where the roles were reversed and TrickBot Gtag morXX was used to download Emotet. Since August 2018 and across millions of controller events, we’ve not observed this behavior outside of these two examples. It suggests the actors behind morXX may have direct access to or some relationship with Emotet, however, the level and extent is unknown.

Q: It seems that in most of the Ryuk outbreaks, Emotet and TrickBot also were in the network. How does the chain work?

A: While it is true that many of the Ryuk incidents we’ve been privy to have involved both Emotet and TrickBot, it’s important to specify where in the chain Ryuk enters. Emotet often is the precursor to TrickBot being loaded onto the system. TrickBot then uses several modules to carry out various activities on the victim system, allow for lateral movement and allow utilities such as BloodHound, Cobalt Strike and/or Empire to be loaded manually by the operators. The deployment of Cobalt Strike does not appear to be automated, but instead is initiated on specific bots that match a profile. Once post-exploitation tools are loaded, the domain controller (DC) is attacked. When privileged access to the DC is acquired, Ryuk can be deployed across the network at the botnet operator’s will.

Q: What is the best way to protect from Ryuk?

A: The first order of business for any organization is to have good security hygiene, including but not limited to ongoing security monitoring, a detection strategy, and response and recovery. There are at least two opportunities to stop both Emotet and TrickBot before a Ryuk outbreak occurs. The first is to stop Emotet from downloading TrickBot. The second is to stop TrickBot from spreading across the network, or at least stop it from communicating back to its command and control servers.

Once TrickBot has identified a domain controller on the network, the network defender is racing against the clock. If the infected machine is on a small-to-medium-sized business network, there is a very good chance threat actors will attack the domain controller and deploy Ryuk. Unfortunately, defensive measures such as anti-virus agents are unlikely to stop Ryuk, since the attacker can easily disable them (i.e., via a group policy object (GPO)).

Q: So, based on the capabilities of TrickBot mentioned above, is it still accurate to call it a banking trojan?

While TrickBot essentially is a banking trojan, the ability to extend its features by adding additional modules distinctly enhanced opportunities for groups running malware operations. Over the years we’ve seen TrickBot evolve from being a banker to an “all of the above” malware using case-specific modules.

Before the widespread use of ransomware, the actors behind Trickbot were engaged in fraudulent money transfer operations. The objective was to mass-infect as many computers as possible and look for high-value targets — individuals with high-balance bank accounts or small businesses. Using the banking trojan and web-injects, the botnet operators could make money transfers to money-mule accounts and then proceed to cash out. There are two problems with this operation:

  1. Banks are getting better at detecting fraudulent transactions and eliminating money mule accounts.
  2. These operations are high maintenance and very costly to operate because of the need to manage money mules, update web-injects, and maintain both the botnet infrastructure and the constant supply of new bots from new campaigns. While many of these things can be outsourced, each “partner” comes with added cost and risk.

With ransomware, the goals of the adversary remain the same, but the path to clean, laundered money is much shorter. Instead of dealing with money mules and bypassing access restrictions on banking accounts, the adversary convinces the victim to pay them directly in bitcoins. Attackers no longer need to understand the intricacies of financial systems, since there now is a single blueprint that fits many targets: Find the domain controller and you have the keys to a network.

Q. What is the outlook for ransomware?

We’ve seen a number of things transpire in the world of cybercrime over the past three years as ransomware has taken the top spot for most lucrative malicious endeavors.

  • The 2016 U.S. presidential election showed the world the power of exposing sensitive data and there's no doubt ransomware operators and developers were watching. It's now commonplace to see ransomware groups use blackmail tactics to compel victims to pay the ransom, while maintaining blogs to expose non-paying victims. In late 2019, the Maze ransomware team was the first to release data from non-paying ransomware victims, but the tactic subsequently was replicated by several ransomware-as-a-service (RaaS) operators. Intel 471 observed this tactic implemented by others, such as DoppelPaymer, MegaCortex, Nemty and REvil aka Sodinokibi. We'll continue to see this trend, giving companies yet another thing to worry about as they navigate the ransomware threat both to them directly, and the risk it brings them via their third-party vendors and suppliers.
  • Emotet, Ryuk and Trickbot are by no means the only tools that team up to deliver ransomware. We’ve also observed connections between some Dridex and DanaBot actors, likely for ransomware delivery. MaaS operations cannot be written off as merely “commodity” malware, since their client pool includes very skilled groups that can and will cause serious damage if allowed to do so.
  • Ransomware has helped revamp and boost a submarket where criminals can crowdsource the identification of potential targets. The sale of compromised accesses is nothing new in the underground marketplace, however, over the past 18 months there’s been an explosion of such sales by actors ranging in sophistication from inexperienced to highly knowledgeable. Ransoms over the past three years have skyrocketed and now are in the millions in some cases, making ransomware operations a very lucrative activity. Purchasing a simple remote desktop protocol (RDP) access for thousands of dollars will provide a return on investment (ROI) for both sides of the sale. As malware-based vectors are considered, so too must the accesses being obtained through simple account takeovers or other means.