Trickbot

TrickBot is a Russia-based cybercrime group and malware syndicate centered on the TrickBot malware family. The content links TrickBot to a broader criminal network behind TrickBot, Conti, and Ryuk, and associates it with additional malware and tooling including BazarLoader, SystemBC, IcedID, Diavol, and Latrodectus. German authorities named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot gang in June 2025; he is also described as a senior TrickBot figure known as “Bentley” and “Ben.” The group is also referred to as Wizard Spider/WIZARD SPIDER in the provided content. The group has been tied closely to the Conti ransomware operation. The content states that Conti was developed by members of the TrickBot gang, emerged from the Ryuk group, and remained interlinked with TrickBot personnel and infrastructure. Multiple TrickBot or Conti-linked members were added to most-wanted lists and sanctioned by the United States and United Kingdom. Authorities assessed that current or key TrickBot members maintain links to Russian intelligence services, and some reporting in the content describes alleged ties between TrickBot-linked figures and the FSB. The group is described as having systematically attacked Ukraine, and some targeting was assessed as aligning with Russian state objectives. Operationally, TrickBot began as a modular banking trojan and evolved into a malware delivery and access platform used in multi-stage intrusions. The content states it has been used to deploy Ryuk and Conti ransomware and to support lateral movement, data theft, and enterprise-wide compromise. TrickBot operators also used an Android malware application, TrickMo, to bypass banking two-factor authentication by intercepting OTP, mTAN, and pushTAN codes, abusing Android accessibility services, deleting forwarded SMS messages, resisting uninstallation, and persisting across reboot. The content also directly associates TrickBot with reconnaissance tradecraft including System Network Configuration Discovery and Domain Trust Discovery. Examples cited include use of ipconfig /all, net config workstation, net view /all /domain, and nltest /domain_trusts. Microsoft obtained an emergency court order in 2020 to disable TrickBot command-and-control IP addresses. The group has collaborated with or been linked to other criminal actors and services. The content states TA551 partnered with TrickBot/Wizard Spider in phishing campaigns that deployed Conti ransomware. BazarCall campaigns initially delivered BazarLoader and later also distributed TrickBot. WithSecure found connections between GREYVIBE tooling and the TrickBot gang, and also noted possible access to an ISO builder with suspected ties to TrickBot and UAC-0098. The content further notes that Blender.io was cited by the U.S. Treasury as being used by ransomware gangs including Conti and TrickBot.