TrickBot malware is actively spreading via spear-phishing campaigns and targeting several entities based in North America. According to the recent warnings from several federal agencies, an advanced threat group is using phishing emails to lure victims and infect them with TrickBot.

What is happening?

The CISA and FBI discovered the ongoing attacks leveraging TrickBot that has now evolved into a highly modular multi-stage malware. 
  • The group is using a traffic infringement phishing scheme to download the malware onto the victim’s machine.
  • The attacker sends phishing emails that redirect the recipient to a website hosted on a malicious server, asking victims to click on photo proof of their traffic violation.
  • Security researchers reported that the attackers can use TrickBot to spread other threats as well. Some of them are identified as Ryuk, Conti, and Emotet downloaders.

TrickBot’s recent activities

Since January, the trojan has been active and spreading to target multiple agencies around the world.
  • Since the takedown attempt in October by Microsoft, ESET, Symantec, and several other agencies, TrickBot operators have been continuously upgrading their malware, while using it for new phishing and malware attack campaigns on a regular basis.
  • Recently, TrickBot replaced Emotet to become the new top global threat, according to Global Threat Index by Checkpoint.


Despite the takedown attempt, the trojan came back stronger with new tricks and tactics up its sleeve. Thus, it is important that organizations improve their security posture by going through the mitigation and recommendations in the alert.

Cyware Publisher