Trickbot Group

Threat Actor Profile. Updated 3 months ago
The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. IBM Security X-Force researchers have analyzed the group consistently because of its development and use of several crypters. In the fall of 2020, efforts were made to disrupt Trickbot's operations; Emotet then assisted in ITG23's recovery by downloading Trickbot malware to machines it had already infected. Notably, each individual Trickbot sample beacons to its command-and-control (C2) infrastructure with a statically defined "gtag", which is believed to act as an identifier for distinct Trickbot customers.

Key members of the Trickbot group include Sergey Loguntsov, Artem Kurov, Vadym Valiakhmetov, and Maksim Rudenskiy, who served as developers and coders. Vladimir Dunaev, a Russian national from Amur Oblast, was also identified as an integral member of the criminal Trickbot group, which became infamous for a sophisticated information-stealing Trojan that defrauded internet users for years. The group abuses the trust placed in certificate authorities by signing its loaders and malware so that they evade detection by security products.

In response to these activities, the U.S. Department of the Treasury sanctioned several individuals involved in management and procurement for the Trickbot group, citing their ties to Russian intelligence services. The group primarily targeted non-Russian entities, including financial institutions and hospitals, with ransomware campaigns, and according to the U.S. Treasury Department its aims are aligned with those of the Russian government. The sanctioned individuals included administrators, managers, developers, and coders who materially supported the group's operations.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
Wizard Spider | 2 | Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
ITG23 | 1 | ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Ransomware
Malware
Russia
Fraud
Trojan
Government
Cybercrime
Treasury
Bitcoin
UK
Associated Malware
ID | Type | Votes | Profile Description
TrickBot | Unspecified | 10 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Dyre | Unspecified | 2 | Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Emotet | Unspecified | 1 | Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
Ryuk | Unspecified | 1 | Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by the cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Trickbot Group threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
Securityaffairs | 10 months ago | UK and US sanctioned 11 members of Russia-based TrickBot gang
CERT-EU | 10 months ago | US, UK sanction members of Russian cybercrime ring | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 8 months ago | Russian hacker pleads guilty to Trickbot malware conspiracy
CERT-EU | 8 months ago | TrickBot developer pleads guilty, faces up to 35 years in prison
CERT-EU | 8 months ago | TrickBot malware dev pleads guilty, faces 35 years in prison
CERT-EU | 8 months ago | Russian pleads guilty in US to role in Trickbot malware scheme
SecurityIntelligence.com | 8 months ago | ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
CERT-EU | a year ago | US, UK Sanction Russians Tied to TrickBot Hacking Gang | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker - National Cyber Security
CERT-EU | 10 months ago | Russian hackers who backed Ukraine war and targeted UK hospitals during COVID pandemic are hit with sanctions | UK News | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU | 10 months ago | US, UK Penalise Russian Trickbot Cyber Gang Members
CERT-EU | 10 months ago | UK and US sanction 11 Russians connected to notorious Trickbot group
Trend Micro | 10 months ago | TrickBot & Conti Sanctions for CISOs & Board Members
CERT-EU | a year ago | Cyber security week in review: February, 10
DARKReading | 10 months ago | Trickbot, Conti Sanctions Affect Top Cybercrime Brass
CERT-EU | a year ago | US, UK sanction 7 alleged members of infamous Russian Trickbot hacking gang • TechCrunch | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU | 10 months ago | Turns out even the NFL is worried about deepfakes
CERT-EU | 10 months ago | US Indicts Nine Russians Behind 'Trickbot' Malware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 10 months ago | 11 alleged Conti criminals hit with UK and US sanctions | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 10 months ago | Russian ransomware group hit with new sanctions | #ransomware | #cybercrime | National Cyber Security Consulting
Malwarebytes | a year ago | TrickBot gang members sanctioned after pandemic ransomware attacks