Trickbot

Category: trojan · Aliases: TrickBot, Totbrick, TSPY_TRICKLOAD · Sample count (EMBER 2018): 466 · Enrichment: curated_sourced · Updated: 2026-06-09
First seen: 2016Status: largely disrupted

Overview

TrickBot is a trojan/spyware program written in C++ that, per MITRE ATT&CK, first emerged in September 2016 as a possible successor to Dyre. It was developed and initially used by the actor known as Wizard Spider to target banking sites in North America, Australia, and Europe, and has since been used worldwide across all sectors as part of 'big game hunting' ransomware campaigns. TrickBot is highly modular, supporting credential theft, network reconnaissance, and delivery of further payloads. It has frequently been paired with Emotet for initial access and preceded ransomware such as Ryuk and Conti.

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1566.001Spearphishing Attachment
T1055Process Injection
T1053.005Scheduled Task
T1071.001Web Protocols

Indicators of Compromise

Public indicators drawn from CISA advisories and vendor reporting. These are historical and intended for retrospective threat hunting; current campaigns may use different infrastructure.

Delivery vectors

Network indicators

Persistence mechanisms

Detection Guidance

Detection ideas drawn from public reporting. Tune to your environment before deploying.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_TRICKBOT {
    meta:
        description = "Detects Trickbot (trojan)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "trickbot" ascii wide nocase
        $s2 = "trickbot" ascii wide nocase
        $s3 = "totbrick" ascii wide nocase
        $s4 = "tspy_trickload" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Trickbot Activity
id: d073f7352b82c1b8eedda381590adced
status: experimental
description: Detects generic indicators of the trickbot malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*trickbot*"
            - "*trickbot*"
            - "*totbrick*"
            - "*tspy_trickload*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate host immediately — TrickBot signals ransomware readiness
  2. Reset domain credentials used on the host (treat as compromised)
  3. Hunt across the domain for Cobalt Strike beacons
  4. Audit Domain Controllers for AnchorDNS C2

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not delay isolation — average dwell-to-ransomware time is under 48 hours
  2. Do not assume reimage alone is sufficient without credential rotation
  3. Do not skip threat hunt across other endpoints

References & External Analysis

Frequently Asked Questions

What is TrickBot?

A modular trojan/spyware first seen in September 2016, used for credential theft, network reconnaissance, and delivering additional malware.

Who created TrickBot?

MITRE attributes its development and early use to the actor tracked as Wizard Spider, originally for banking fraud.

Is TrickBot just a banking trojan?

It began focused on banking sites but evolved into a multipurpose toolkit used broadly, including as a precursor to ransomware.

How does TrickBot relate to ransomware?

It has been used in 'big game hunting' campaigns, providing the access later leveraged to deploy ransomware such as Ryuk and Conti.

How does TrickBot relate to Emotet?

Emotet has been documented as a downloader that delivers TrickBot, so the two were frequently seen together.

How does TrickBot get onto a machine?

Commonly through phishing emails and as a payload dropped by other malware like Emotet.

What was TrickBot's successor relationship to Dyre?

MITRE describes TrickBot as a possible successor to the earlier Dyre banking trojan.

How can organizations defend against TrickBot?

Block phishing, restrict macros, segment networks to limit lateral movement, monitor for credential theft, and maintain tested offline backups in case it leads to ransomware.

Where is the authoritative reference?

MITRE ATT&CK's TrickBot entry (S0266), linked on this page.

Related Families (Category: trojan)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/trickbot.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.