After the end of Emotet's reign, whose infrastructure was taken down by Europol in late January 2021, Trickbot has taken its place and is causing a lot of headaches, especially for the legal and insurance industries. Like Emotet, Trickbot is not a "final" malware: it acts as a channel through which cybercriminals deliver the final malicious payload, which can be any other virus.

Since February 2021, Trickbot has been used as a replacement for Emotet. Its main form of dissemination has been spam campaigns carrying a compressed (.zip) file that contains malicious JavaScript. Once the file is opened, Trickbot attempts to download a further malicious payload from a remote server.

Trickbot is popular due to its versatility, flexibility, customization, and its successful track record in previous attacks. In 2020, it was the fourth most prevalent malware globally, affecting 8% of organizations.

In 2020, Trickbot played a key role in one of the costliest and highest-profile cyberattacks: the Universal Health Services (UHS) case, UHS being a leading healthcare provider in the US. UHS was hit by the Ryuk ransomware and claimed that the attack cost it $67 million in lost revenue and costs. The attackers used Trickbot to discover and harvest data from UHS systems and to deliver the ransomware payload.


  • Credential theft;
  • Spying on targets to gain access to system and network information;
  • Installing backdoors into systems, which allow remote access to the system as part of a botnet;
  • Being downloaded by other malware;
  • Modifying itself to avoid detection.


The main defence tactic is to make users aware of how to verify the legitimacy of an email and of the links or attachments it carries. If a user can correctly identify a malicious or suspicious email and its attachment, the malware never gets the chance to be opened.

IT departments in organizations must make employees aware of how to identify potentially malicious emails.
Antivirus software can also help detect potential attacks on a system and, if an attack succeeds, help remove the malware.
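The spam lure described above (a .zip attachment wrapping a malicious JavaScript file) is something a mail gateway or SOC can check for directly, complementing user awareness. The following is an added example, not code from the original article: it parses a raw email, opens every .zip attachment in memory and reports script members. The extra script suffixes beyond .js and the sample message it builds are assumptions made for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Script extensions a zipped spam lure may hide; the page names JavaScript,
# the other suffixes are an assumption added for coverage.
SCRIPT_SUFFIXES = (".js", ".jse", ".wsf", ".vbs")

def suspicious_zip_members(raw_message: bytes) -> list:
    """List script files found inside .zip attachments of a raw RFC 822
    message, as 'attachment.zip:member'. Empty list means no zipped script."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue  # only archive attachments are inspected here
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith(SCRIPT_SUFFIXES):
                        hits.append(f"{filename}:{name}")
        except zipfile.BadZipFile:
            # an attachment claiming to be a zip that does not parse is
            # itself worth quarantining rather than silently passing
            hits.append(f"{filename}:<unreadable zip>")
    return hits

def build_sample_message(member_name: str, member_body: bytes) -> bytes:
    """Constructed test message: short lure text plus one .zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_body)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # constructed, not a real indicator
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    # placeholder script body, not a real loader
    lure = build_sample_message("Invoice.js", b"// placeholder\n")
    print(suspicious_zip_members(lure))  # ['Invoice.zip:Invoice.js']
    print(suspicious_zip_members(build_sample_message("Invoice.pdf", b"%PDF")))  # []
```

A non-empty result is a reason to quarantine the message and alert, not proof of Trickbot; pair it with antivirus scanning of the extracted member.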

Enabling multi-factor authentication (MFA) can help prevent TrickBot from obtaining all of a user's credentials. Even if an attack succeeds, the attackers will not have all the pieces needed to fully authenticate to a system.
In short, even when one major threat is eliminated, others emerge that continue to pose a high risk to networks worldwide.
