TrickBot is a trojan/spyware program written in C++ that, per MITRE ATT&CK, first emerged in September 2016 as a possible successor to Dyre. It was developed and initially used by the actor known as Wizard Spider to target banking sites in North America, Australia, and Europe, and has since been used worldwide across all sectors as part of 'big game hunting' ransomware campaigns. TrickBot is highly modular, supporting credential theft, network reconnaissance, and delivery of further payloads. It has frequently been paired with Emotet for initial access and preceded ransomware such as Ryuk and Conti.
Threat reports may refer to this family under multiple names:
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.
Malspam with Excel macrosEmotet-delivered secondary payloadBazarLoader follow-onHTTPS to C2 on ports 443, 447, 449Self-signed certs with randomized CNScheduled task in \Microsoft\Windows path with legitimate-looking nameService entry with random 8-char nameDetection ideas drawn from public reporting. Tune to your environment before deploying.
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_TRICKBOT {
meta:
description = "Detects Trickbot (trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "trickbot" ascii wide nocase
$s2 = "trickbot" ascii wide nocase
$s3 = "totbrick" ascii wide nocase
$s4 = "tspy_trickload" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Trickbot Activity
id: d073f7352b82c1b8eedda381590adced
status: experimental
description: Detects generic indicators of the trickbot malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*trickbot*"
- "*trickbot*"
- "*totbrick*"
- "*tspy_trickload*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
A modular trojan/spyware first seen in September 2016, used for credential theft, network reconnaissance, and delivering additional malware.
MITRE attributes its development and early use to the actor tracked as Wizard Spider, originally for banking fraud.
It began focused on banking sites but evolved into a multipurpose toolkit used broadly, including as a precursor to ransomware.
It has been used in 'big game hunting' campaigns, providing the access later leveraged to deploy ransomware such as Ryuk and Conti.
Emotet has been documented as a downloader that delivers TrickBot, so the two were frequently seen together.
Commonly through phishing emails and as a payload dropped by other malware like Emotet.
MITRE describes TrickBot as a possible successor to the earlier Dyre banking trojan.
Block phishing, restrict macros, segment networks to limit lateral movement, monitor for credential theft, and maintain tested offline backups in case it leads to ransomware.
MITRE ATT&CK's TrickBot entry (S0266), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/trickbot.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.