Banking trojan / Loader

TrickBot

aka TrickLoader · Trickster · ITG23 (Wizard Spider)

A modular banking trojan that evolved into a dominant malware-as-a-service platform and a primary delivery vehicle for Ryuk and Conti ransomware.

TrickBot emerged in 2016 as a successor to the Dyre banking trojan and grew into a highly modular crimeware platform. Beyond banking fraud, its plugins handled credential theft, network reconnaissance, and — crucially — delivery of ransomware.

The Emotet → TrickBot → Ryuk chain

TrickBot was the middle stage of a notorious infection chain: Emotet delivered TrickBot, which profiled the network and deployed Ryuk and later Conti. This pipeline drove many of the most damaging enterprise ransomware incidents of 2019–2021.

Disruption

Ahead of the 2020 US elections, Microsoft and US Cyber Command disrupted TrickBot's infrastructure; operations wound down as the crew shifted to Conti and BazarLoader. Campaign details are on Cyber Breaches, and a module-loader teardown is on the Reverse Engineering Hub.

Defense

Block Emotet/TrickBot delivery, monitor for lateral movement, and treat any TrickBot detection as a pre-ransomware emergency.