S0266: TrickBot
TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to Dyre. TrickBot was developed and initially used by Wizard Spider for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.[1][2][3][4]
Analyst context for executives and security teams
TrickBot matters because ATT&CK describes it as Windows Trojan spyware that evolved from banking-focused activity into use across sectors as part of “big game hunting” ransomware campaigns. For leaders, the decision value is not just malware blocking; it is whether the organization can recognize the discovery, credential collection, persistence, command-and-control, lateral movement, and exfiltration behaviors that ATT&CK associates with this software before an intrusion becomes a business interruption event.
Executive priority
Prioritize TrickBot as a resilience and incident-readiness scenario for Windows environments. The ATT&CK relationships show behavior spanning credential access, discovery, persistence through scheduled tasks, stealth through obfuscation and process injection, C2 over web protocols and fallback channels, VNC-based lateral movement, and exfiltration over C2. Executives should ask whether SOC monitoring, identity controls, endpoint hardening, and incident response playbooks can produce evidence across these stages, not only whether a malware signature exists.
Technical view
Validate coverage against the ATT&CK techniques linked to TrickBot: Scheduled Task, Process Injection and Process Hollowing, Credential API Hooking, PowerShell, Windows Command Shell, service/process/user/network/system discovery, remote system discovery, permission group discovery, VNC, web-protocol C2, fallback channels, exfiltration over C2, masquerading, and obfuscated/packed/encrypted files. Because the official detection field is not provided, detection engineering should be behavior-led and environment-specific, focused on Windows endpoint activity, process lineage, task creation, suspicious command execution, network egress patterns, and authentication or remote-control activity that aligns with these relationships.
Likely telemetry
- Windows endpoint process creation and parent-child process lineage
- Scheduled task creation, modification, and execution events
- PowerShell and Windows command shell execution logs
- Endpoint alerts or forensic evidence for process injection, process hollowing, packing, obfuscation, and masquerading
- Windows service, process, user, group, system, and network discovery command evidence
Detection direction
- Do not rely only on known TrickBot indicators; the ATT&CK relationships emphasize behaviors that can vary by environment and by malware version.
- Tune detections around suspicious scheduled tasks, unusual PowerShell or cmd execution, discovery bursts, and abnormal child processes from user-facing or system processes.
- Correlate endpoint behavior with outbound web traffic and fallback communication attempts to reduce false positives from legitimate administrative activity.
- Review whether VNC use is expected, inventoried, and monitored; unexpected VNC activity can be material when paired with discovery or credential-access behavior.
- Account for false positives from administrators, software deployment tools, monitoring agents, and legitimate remote support; require context such as process lineage, timing, host role, and user identity.
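One way to turn these directions into behavior-led logic, as an added example that is not part of the ATT&CK object or the Glexia mirror: the script below runs over constructed, Sysmon-like events embedded inline and flags Office applications spawning script hosts, discovery bursts, scheduled-task creation outside an allowlisted deployment tool, and outbound HTTP on the non-standard ports the techniques table lists (447, 8082), then escalates only hosts where endpoint and egress findings coincide. The field names, process lists, thresholds, hostnames and the allowlist are assumptions chosen for illustration, not a vendor schema.

```python
"""Behavior-led triage over constructed Windows endpoint and egress telemetry.

Added example, not MITRE, ATT&CK or Glexia code. Event layout, thresholds,
process lists and the allowlist are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
                    "nltest.exe", "tasklist.exe", "sc.exe", "hostname.exe", "netstat.exe"}
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_TASK_CREATORS = {"ccmexec.exe"}  # assumed allowlist: an endpoint-management agent
NONSTANDARD_C2_PORTS = {447, 8082}       # HTTP C2 ports named in the techniques table


def proc(ts, host, parent, image, cmdline):
    """Constructed process-creation event (kind 1 loosely mirrors Sysmon event ID 1)."""
    return {"ts": ts, "host": host, "kind": 1, "parent": parent, "image": image, "cmdline": cmdline}


def conn(ts, host, image, dest, dport):
    """Constructed network-connection event (kind 3 loosely mirrors Sysmon event ID 3)."""
    return {"ts": ts, "host": host, "kind": 3, "image": image, "dest": dest, "dport": dport}


SYS = r"C:\Windows\System32"
EVENTS = [  # constructed sample telemetry; 203.0.113.10 / 198.51.100.7 are documentation addresses
    # WS-17: Excel spawns cmd, a discovery burst follows, a task is created, then port-447 egress.
    proc("2024-03-01T09:00:01", "WS-17", r"C:\Program Files\Microsoft Office\EXCEL.EXE", SYS + r"\cmd.exe", "cmd.exe /c start /min powershell"),
    proc("2024-03-01T09:00:05", "WS-17", SYS + r"\cmd.exe", SYS + r"\whoami.exe", "whoami /all"),
    proc("2024-03-01T09:00:09", "WS-17", SYS + r"\cmd.exe", SYS + r"\net.exe", 'net group "domain admins" /domain'),
    proc("2024-03-01T09:00:14", "WS-17", SYS + r"\cmd.exe", SYS + r"\ipconfig.exe", "ipconfig /all"),
    proc("2024-03-01T09:00:20", "WS-17", SYS + r"\cmd.exe", SYS + r"\nltest.exe", "nltest /dclist:corp"),
    proc("2024-03-01T09:00:31", "WS-17", SYS + r"\cmd.exe", SYS + r"\systeminfo.exe", "systeminfo"),
    proc("2024-03-01T09:00:45", "WS-17", SYS + r"\cmd.exe", SYS + r"\schtasks.exe", r"schtasks /create /sc minute /mo 10 /tn Updater /tr C:\Users\jdoe\AppData\Roaming\upd.exe"),
    conn("2024-03-01T09:01:10", "WS-17", r"C:\Users\jdoe\AppData\Roaming\upd.exe", "203.0.113.10", 447),
    # SRV-ADM: an administrator running two discovery commands, then ordinary HTTPS browsing.
    proc("2024-03-01T10:15:00", "SRV-ADM", r"C:\Windows\explorer.exe", SYS + r"\cmd.exe", "cmd.exe"),
    proc("2024-03-01T10:15:10", "SRV-ADM", SYS + r"\cmd.exe", SYS + r"\net.exe", "net user"),
    proc("2024-03-01T10:17:40", "SRV-ADM", SYS + r"\cmd.exe", SYS + r"\ipconfig.exe", "ipconfig /all"),
    conn("2024-03-01T10:18:00", "SRV-ADM", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "198.51.100.7", 443),
    # WS-22: a task created by the endpoint-management agent; suppressed by the allowlist.
    proc("2024-03-01T11:30:00", "WS-22", r"C:\Windows\CCM\CcmExec.exe", SYS + r"\schtasks.exe", r"schtasks /create /tn Inventory /sc daily /tr C:\Windows\CCM\inv.exe"),
]


def basename(path):
    """Lower-cased file name, so lineage checks ignore path and case differences."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def when(event):
    return datetime.fromisoformat(event["ts"])


def finding(event, rule, detail):
    return {"host": event["host"], "ts": event["ts"], "rule": rule, "detail": detail}


def abnormal_children(events):
    """A user-facing application (Office) spawning a shell or script host."""
    return [finding(e, "office_spawns_script_host", f'{basename(e["parent"])} -> {basename(e["image"])}')
            for e in events if e["kind"] == 1
            and basename(e["parent"]) in USER_FACING_PARENTS and basename(e["image"]) in SCRIPT_HOSTS]


def discovery_bursts(events, window=timedelta(seconds=120), min_distinct=4):
    """Several distinct discovery tools on one host inside a short sliding window."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == 1 and basename(e["image"]) in DISCOVERY_IMAGES:
            by_host[e["host"]].append(e)
    out = []
    for host, evs in by_host.items():
        evs.sort(key=when)
        for i, start in enumerate(evs):
            seen = {basename(x["image"]) for x in evs[i:] if when(x) - when(start) <= window}
            if len(seen) >= min_distinct:
                out.append(finding(start, "discovery_burst",
                                   f"{len(seen)} distinct discovery tools within {int(window.total_seconds())}s"))
                break  # one finding per host is enough for triage
    return out


def task_creation(events):
    """schtasks /create whose parent is not an allowlisted deployment tool."""
    return [finding(e, "scheduled_task_created", e["cmdline"]) for e in events
            if e["kind"] == 1 and basename(e["image"]) == "schtasks.exe"
            and "/create" in e["cmdline"].lower()
            and basename(e["parent"]) not in TRUSTED_TASK_CREATORS]


def nonstandard_egress(events):
    """Outbound connections on the HTTP C2 ports the table associates with TrickBot."""
    return [finding(e, "nonstandard_c2_port", f'{basename(e["image"])} -> {e["dest"]}:{e["dport"]}')
            for e in events if e["kind"] == 3 and e["dport"] in NONSTANDARD_C2_PORTS]


def triage(events):
    """Group findings per host; escalate only where endpoint and egress evidence coincide."""
    hosts = defaultdict(lambda: {"endpoint": [], "network": [], "escalate": False})
    for f in abnormal_children(events) + discovery_bursts(events) + task_creation(events):
        hosts[f["host"]]["endpoint"].append(f)
    for f in nonstandard_egress(events):
        hosts[f["host"]]["network"].append(f)
    for h in hosts.values():
        h["escalate"] = bool(h["endpoint"]) and bool(h["network"])
    return dict(hosts)


if __name__ == "__main__":
    for host, result in triage(EVENTS).items():
        flag = "ESCALATE" if result["escalate"] else "review"
        print(f"{host}: {flag}; endpoint={[f['rule'] for f in result['endpoint']]}; "
              f"network={[f['detail'] for f in result['network']]}")
```

On the sample data only WS-17 produces findings and is escalated; SRV-ADM's two discovery commands stay below the burst threshold, and WS-22's task creation is suppressed by the parent-process allowlist, which is the context check the last bullet asks for. In a real deployment the allowlist, thresholds and host-role information would come from the environment's own inventory rather than constants.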
Mitigation priorities
- Start with visibility: confirm Windows endpoint, command execution, scheduled task, authentication, remote access, and egress telemetry are retained and available to SOC and IR teams.
- Reduce credential exposure by hardening credential handling and monitoring for abnormal credential access patterns consistent with the ATT&CK-linked Credential API Hooking behavior.
- Restrict and monitor administrative scripting, command shell use, scheduled task creation, and remote-control tools such as VNC according to business need.
- Harden egress controls and monitoring for web-protocol C2 and alternate/fallback channels, with escalation paths for suspicious outbound communication from workstations and servers.
- Prepare IR playbooks that treat TrickBot-like behavior as a multi-stage intrusion risk: isolate affected Windows hosts, preserve endpoint and network evidence, assess credential exposure, and hunt for discovery, lateral movement, persistence, and exfiltration behaviors.
Analyst notes and limits
ATT&CK identifies TrickBot as a C++ Trojan spyware program first emerging in September 2016, initially associated with banking targeting and later used across sectors in ransomware campaign contexts. Relationships supplied here associate TrickBot with TA505 and Wizard Spider and with many enterprise techniques across discovery, execution, persistence, privilege escalation, credential access, collection, command and control, lateral movement, stealth, and exfiltration. The strongest defensive use is to map these relationships to concrete telemetry and response readiness in the local Windows environment.
The official ATT&CK object lists Windows as the platform but provides no official detection text and no object-level tactics. This take is based only on the supplied description, external references, and relationship context. Local validation is required to determine actual exposure, control coverage, false-positive patterns, and whether any observed activity is TrickBot, another tool, or legitimate administration.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: Cyberreason Anchor December 2019) (Citation: Eclypsium Trickboot December 2020) |
| Enterprise | T1033 | System Owner/User Discovery | TrickBot can identify the user and groups the user belongs to on a compromised host. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1559.001 | Component Object Model Sub-technique | TrickBot used COM to set up a scheduled task for persistence. (Citation: ESET Trickbot Oct 2020) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | TrickBot creates a scheduled task on the system that provides persistence. (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017) |
| Enterprise | T1542.003 | Bootkit Sub-technique | TrickBot can implant malicious code into a compromised device's firmware. (Citation: Eclypsium Trickboot December 2020) |
| Enterprise | T1185 | Browser Session Hijacking | TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page. (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016) (Citation: Microsoft Totbrick Oct 2017) (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1106 | Native API | TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow. (Citation: S2 Grupo TrickBot June 2017) TrickBot has also used |
| Enterprise | T1059.001 | PowerShell Sub-technique | TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | TrickBot can send information about the compromised host and upload data to a hardcoded C2 server. (Citation: Cyberreason Anchor December 2019) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1008 | Fallback Channels | TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1021.005 | VNC Sub-technique | TrickBot has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network. (Citation: Trickbot VNC module July 2021) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1027 | Obfuscated Files or Information | TrickBot uses non-descriptive names to hide functionality. (Citation: S2 Grupo TrickBot June 2017) |
| Enterprise | T1543.003 | Windows Service Sub-technique | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots. (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1027.002 | Software Packing Sub-technique | TrickBot leverages a custom packer to obfuscate its functionality. (Citation: S2 Grupo TrickBot June 2017) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. (Citation: Trend Micro Trickbot Nov 2018) (Citation: Cyberreason Anchor December 2019) Additionally, it searches for the ".vnc.lnk" affix to steal VNC credentials. (Citation: TrendMicro Trickbot Feb 2019) |
| Enterprise | T1204.002 | Malicious File Sub-technique | TrickBot has attempted to get users to launch malicious documents to deliver its payload. (Citation: TrendMicro Trickbot Feb 2019) (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1087.001 | Local Account Sub-technique | TrickBot collects the users of the system. (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1135 | Network Share Discovery | TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API. (Citation: ESET Trickbot Oct 2020) (Citation: Bitdefender Trickbot March 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | TrickBot can Base64-encode C2 commands. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | TrickBot has been delivered via malicious links in phishing e-mails. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1005 | Data from Local System | TrickBot collects local files and information from the victim’s local machine. (Citation: S2 Grupo TrickBot June 2017) |
| Enterprise | T1069 | Permission Groups Discovery | TrickBot can identify the groups the user on a compromised host belongs to. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | TrickBot has retrieved PuTTY credentials by querying the |
| Enterprise | T1057 | Process Discovery | TrickBot uses module networkDll for process list discovery. (Citation: ESET Trickbot Oct 2020) (Citation: Bitdefender Trickbot March 2020) |
| Enterprise | T1087.003 | Email Account Sub-technique | TrickBot collects email addresses from Outlook. (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | TrickBot has used |
| Enterprise | T1219 | Remote Access Tools | TrickBot uses the vncDll module to remotely control the victim machine. (Citation: ESET Trickbot Oct 2020) (Citation: Bitdefender Trickbot March 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine. (Citation: TrendMicro Trickbot Feb 2019) |
| Enterprise | T1685 | Disable or Modify Tools | TrickBot can disable Windows Defender. (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1036 | Masquerading | The TrickBot downloader has used an icon to appear as a Microsoft Word document. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1495 | Firmware Corruption | TrickBot module "Trickboot" can write or erase the UEFI/BIOS firmware of a compromised device. (Citation: Eclypsium Trickboot December 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | TrickBot decodes the configuration data and modules. (Citation: Fidelis TrickBot Oct 2016) (Citation: Cyberreason Anchor December 2019) (Citation: Joe Sec Trickbot) |
| Enterprise | T1018 | Remote System Discovery | TrickBot can enumerate computers and network devices. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1571 | Non-Standard Port | Some TrickBot samples have used HTTP over ports 447 and 8082 for C2. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: Trend Micro Totbrick Oct 2016) Newer versions of TrickBot have been known to use a custom communication protocol which sends the data unencrypted over port 443. (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1555.005 | Password Managers Sub-technique | TrickBot can steal passwords from the KeePass open source password manager. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1112 | Modify Registry | TrickBot can modify registry entries. (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1553.002 | Code Signing Sub-technique | TrickBot has come with a signed downloader component. (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1110.004 | Credential Stuffing Sub-technique | TrickBot uses a brute-force attack against RDP with the rdpscanDll module. (Citation: ESET Trickbot Oct 2020) (Citation: Bitdefender Trickbot March 2020) |
| Enterprise | T1083 | File and Directory Discovery | TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information. (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Trickbot Nov 2018) |
| Enterprise | T1056.004 | Credential API Hooking Sub-technique | TrickBot has the ability to capture RDP credentials by capturing the |
| Enterprise | T1007 | System Service Discovery | TrickBot collects a list of installed programs and services on the system’s machine. (Citation: S2 Grupo TrickBot June 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | TrickBot downloads several additional files and saves them to the victim's machine. (Citation: Trend Micro Totbrick Oct 2016) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1055 | Process Injection | TrickBot has used |
| Enterprise | T1090.002 | External Proxy Sub-technique | TrickBot has been known to reach a command and control server via one of nine proxy IP addresses. (Citation: Bitdefender Trickbot C2 infra Nov 2020) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | TrickBot injects into the svchost.exe process. (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017) (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1210 | Exploitation of Remote Services | TrickBot utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll. (Citation: ESET Trickbot Oct 2020) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | TrickBot has used a hidden VNC (hVNC) window to monitor the victim and collect information stealthily. (Citation: Emotet Deploys TrickBot) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | TrickBot establishes persistence in the Startup folder. (Citation: ESET Trickbot Oct 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files. (Citation: S2 Grupo TrickBot June 2017) (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files. (Citation: S2 Grupo TrickBot June 2017) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
| Enterprise | T1482 | Domain Trust Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | TrickBot obtains the IP address, location, and other relevant network information from the victim’s machine. (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Trickbot Nov 2018) (Citation: Cyberreason Anchor December 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware. (Citation: TrendMicro Trickbot Feb 2019) |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0092: TA505
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 566873889668… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] S2 Grupo TrickBot June 2017: Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- [2] Fidelis TrickBot Oct 2016: Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
- [3] IBM TrickBot Nov 2016: Keshet, L. (2016, November 09). Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations. Retrieved August 2, 2018.
- [4] CrowdStrike Wizard Spider October 2020: Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- [5] Microsoft Totbrick Oct 2017: Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.
- [6] TSPY_TRICKLOAD: (Citation: Trend Micro Totbrick Oct 2016)
- [7] Totbrick: (Citation: Trend Micro Totbrick Oct 2016) (Citation: Microsoft Totbrick Oct 2017)
- [8] Trend Micro Totbrick Oct 2016: Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- [9] TrendMicro Trickbot Feb 2019: Llimos, N., Pascual, C. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
- [10] TrickBot: (Citation: S2 Grupo TrickBot June 2017) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019)
- [11] mitre-attack S0266
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.