ITG23

Threat Actor Profile Updated 3 months ago

Download STIX

Preview STIX

ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample being a strong indication of ITG23 involvement or partnership. In addition to this, ITG23 has adapted to the evolving ransomware economy through the creation of Conti ransomware-as-a-service (RaaS) and the deployment of BazarLoader and Trickbot payloads to establish a foothold for ransomware attacks. The group has also collaborated with other notable affiliates such as Hive0107 to distribute Trickbot and BazarLoader. Since late February 2023, former members of ITG23 have been observed using Dave Loader with Domino Backdoor during their campaigns. This suggests a level of collaboration between ITG23 and other groups, possibly including current or former ITG14 developers. These campaigns may be delivered by threat actors using the handles ‘Netwalker’ and ‘Cherry,’ who are believed to be working within the ITG23 organization. However, it remains unclear whether ITG23 itself controls the delivery of these malicious emails or if they are independently distributed by other affiliates like Hive0106 and Hive0107. Significantly, ITG23 has formed partnerships with spam powerhouse Hive0106, also known as TA551, and consistently effective payload distributor Hive0105. During the summer, ITG23 partnered with Hive0107 to distribute Trickbot and BazarLoader. Furthermore, ITG23 operatives are reportedly collaborating with the threat actor Zeus on matters related to these campaigns, which might explain the derivation of 'zev,' 'zem,' and 'zvs' gtag names. Notably, some IBM researchers have identified files delivering malware unrelated to ITG23, such as the Zeppelin ransomware, indicating a complex and evolving threat landscape.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Wizard Spider	2	Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
TA551	2	TA551, also known as Hive0106, Shathak, and UNC2420, is a financially motivated threat group that has been active in the cybercrime landscape. This threat actor has been linked to various malware distribution activities, including those involving QakBot, IcedID, Emotet, Bumblebee, Gozi, and other ma
Gold Ulrick	1	GOLD ULRICK, also known as ITG23, is a threat actor identified for its aggressive and unrestricted operations in the cybersecurity landscape. The group has shown no hesitation in targeting healthcare organizations with Conti ransomware, a malicious software designed to block access to a computer sys
Trickbot Group	1	The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. The group has been consistently analyzed by IBM Security X-Force researchers due to their development and use of several crypters. In the fall of 2020, efforts were m
Netwalker	1	NetWalker is a highly profitable ransomware kit, known for its ability to disable antivirus software on Windows 10 systems and encrypt files, adding a random extension to the encrypted ones. Once executed, it disrupts operations and can even hold data hostage for ransom. It has been observed that Ne
Trickbot/conti Syndicate	1	The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
Cherry	1	Cherry is a malicious software, or malware, that has recently impacted Cherry Health, a Michigan-based healthcare provider. The malware infiltrated the system through unknown means, disrupting operations and causing a significant ransomware attack. This incident underscores the security challenges f

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

RaaS

Loader

Trojan

Payload

Ransomware

Fraud

Bitcoin

Crypting

Crypter

Spam

Cybercrime

Rust

Backdoor

Infostealer

Extortion

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
TrickBot	Unspecified	2	TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Bazarloader	Unspecified	2	BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Conti	Unspecified	2	Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Cobaltstrike	Unspecified	1	CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
Vidar	Unspecified	1	Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Domino Backdoor	Unspecified	1	The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Domino	Unspecified	1	The Domino malware, a harmful program designed to exploit and damage computer systems, has been identified as the culprit behind a series of high-profile cyber attacks. The first notable incident occurred when a hacker claimed to have accessed Domino's India's massive 13 TB database on the Dark Web,
Blackbasta	Unspecified	1	BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Minodo	Unspecified	1	Minodo is a type of malware, a harmful program designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h
Cryptone	Unspecified	1	CryptOne is a Delphi-based crypter malware, dating back to 2015, that has been frequently used by various malicious software families such as Gozi, Dridex, NetWalker, and WastedLocker. This crypter is reportedly offered as a Crypter-As-A-Service and it's capable of detecting and disabling a list of
Forest	Unspecified	1	Forest is a potent malware that leverages the Golden Ticket, an authentication ticket (TGT), to gain domain-wide access. It exploits the TGT to acquire service tickets (TGS) used for accessing resources across the entire domain and the Active Directory (AD) forest by leveraging SID History. The malw
Anchor	Unspecified	1	Anchor is a type of malware, short for malicious software, that infiltrates systems to exploit and cause damage. It can access systems through various methods such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can disrupt operations, steal personal info
Diavol	Unspecified	1	Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope
Ryuk	Unspecified	1	Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Qbot	Unspecified	1	Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Nemesis	Unspecified	1	Nemesis is a type of malware, specifically known as an infostealer, which infiltrates systems to exploit and cause damage. It often enters systems undetected through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. A deeper lo
Project Nemesis	Unspecified	1	Project Nemesis is a malicious software, or malware, that was first advertised on the dark web in December 2021. It is designed to exploit and damage computer systems by infiltrating them through suspicious downloads, emails, or websites. Once inside, Project Nemesis can steal personal information,
Dave Loader	Unspecified	1	Dave Loader, also known as Domino Backdoor, is a potent malware that has been utilized in various cybercrime operations. This malicious software is designed to infiltrate computer systems and compromise user data, often without the victim's knowledge. It can be delivered through dubious downloads, e
Cargobay	Unspecified	1	CargoBay is a type of malware that has been associated with various ransomware attacks, including Quantum, Zeon, and Royal. It was used to crypt SVCReady, a loader observed in the Quantum ransomware attacks. CargoBay's usage extends beyond this, as it has also been linked to numerous other malicious
Karakurt	Unspecified	1	Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggeri
Anubis	Unspecified	1	Anubis, also known as IcedID or Bokbot, is a sophisticated piece of malware primarily functioning as a banking trojan. It was first discovered by X-Force in September 2017 and has since evolved to target a wide range of financial applications. Notably, Anubis has consistently ranked among the top fi
Netsupport	Unspecified	1	NetSupport is a malicious software (malware) that has been used in various cyberattacks, including the Royal Ransomware attack and assaults by former ITG23 members. It can infiltrate systems through suspicious downloads, emails, or websites and then steal personal information, disrupt operations, or
Bokbot	Unspecified	1	BokBot, also known as IcedID or Anubis, is a type of malware first discovered by X-Force in September 2017. It's a banking trojan that has been widely used in cybercrime operations to steal sensitive information such as banking credentials from infected computers. The malware infects systems through
SVCReady	Unspecified	1	SVCReady is a relatively new malware family first observed in malicious spam campaigns at the end of April 2022. This harmful software, designed to exploit and damage computers or devices, was initially unknown but has since been identified through IDS rules published by Proofpoint. The malware infe
Bazarbackdoor	Unspecified	1	BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
IcedID	Unspecified	1	IcedID is a malicious software (malware) designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom
Gozi	Unspecified	1	Gozi is a notorious malware that has been linked to numerous cyber attacks. It's typically delivered through sophisticated malvertising techniques, often used in conjunction with other initial access malware such as Pikabot botnet agent and IcedID information stealer. When an individual accesses a c
QakBot	Unspecified	1	Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
Bumblebee	Unspecified	1	Bumblebee is a type of malware that has been linked to ITG23, a cybercriminal group known for its use of crypters such as Emotet, IcedID, Qakbot, Bumblebee, and Gozi. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam
Emotet	Unspecified	1	Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Hive0106	Unspecified	2	Hive0106, also known as TA551, is a notable threat actor recognized for its association with ITG23, another prominent entity in the cybercrime landscape. This partnership has been observed since mid-2021 by X-Force, a cybersecurity firm. Hive0106's primary role is as a distribution affiliate, delive
ITG14	Unspecified	1	ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi
Zeon	is related to	1	Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Zvs	Unspecified	1	None
Zev	Unspecified	1	Zev is a threat actor that has been reportedly active since 2016. Initially, this group was known for distributing payloads such as Valak, IcedID, and QakBot. However, in late June 2021, the group started distributing Trickbot with the 'zev' gtag. By mid-to-late July 2021, they had switched to Bazar
Zem	Unspecified	1	None
FIN7	Unspecified	1	FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Hive0106 Ta551	Unspecified	1	None

Source Document References

Information about the ITG23 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
MITRE	7 months ago	Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
SecurityIntelligence.com	a year ago	RansomExx Upgrades to Rust
SecurityIntelligence.com	8 months ago	ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
CERT-EU	a year ago	BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising
SecurityIntelligence.com	a year ago	Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor
SecurityIntelligence.com	a year ago	The Trickbot/Conti Crypters: Where Are They Now?