Mallory: Malware | Ransomware | Used by 3 actors

The Trick

The Trick, also known as Trickbot, is a banking Trojan used as first-stage malware and an initial access enabler in broader cybercrime operations. According to the cited reporting, TA505 began distributing The Trick in June 2017 via malicious spam using multiple delivery vectors, including zipped scripts, Office documents, HTML attachments, password-protected Word documents, links to malicious JavaScript, VBScript in 7-Zip archives, DDE-abusing Word documents, and .lnk files embedded in Word documents. TA505 also ran a geo-targeted campaign on October 10, 2017 that delivered either Locky or The Trick depending on victim location; in that campaign, HTML attachments with embedded JavaScript downloaded The Trick with gtag "mac1" for victims in the UK, Australia, Luxembourg, Ireland, or Belgium. TA505 continued distributing The Trick in later 2017 campaigns alongside payloads such as Dridex, GlobeImposter, and DreamSmasher.

The malware is also described as part of the criminal ecosystem that enables ransomware intrusions. Proofpoint identifies The Trick as one of several first-stage malware families used by initial access facilitators, with compromised access later sold to ransomware operators for data theft and encryption operations. The reporting specifically associates The Trick with ransomware enablement and cites third-party research linking first-stage loaders, including The Trick, with Conti ransomware activity. TA800 is described as an affiliate distributor of The Trick and BazaLoader that targeted a wide range of industries in North America with banking Trojans and loaders; Proofpoint also states that TA800 is related to reporting on BazaLoader implants used to distribute Ryuk ransomware. In addition, Emotet is reported to have delivered The Trick as a third-party payload.

In summary, the high-confidence behaviors and context in the cited reporting characterize Trickbot/The Trick as a banking Trojan distributed through large-scale email campaigns, used by financially motivated actors including TA505 and TA800, and leveraged as an initial access malware family in multi-stage intrusions that can culminate in ransomware deployment. Observed targeting includes North America broadly via TA800 campaigns and country-specific delivery in the UK, Australia, Luxembourg, Ireland, and Belgium in TA505 geo-targeted operations.
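The delivery vectors listed above (zipped scripts, HTML attachments with embedded JavaScript, Word documents carrying DDE fields or embedded .lnk objects, password-protected Word documents) are all visible in attachment structure before any payload runs, so a mail-gateway or triage pipeline can flag them. The following is an added example, not code from Mallory or Proofpoint: a small Python attachment triage routine that labels each of those vectors using only the standard library. The sample attachments are constructed in the block (a ZIP holding a VBScript, an HTML file with a script tag, a minimal .docx with a DDEAUTO field and an embedded .lnk, and a stub of a legacy encrypted Office container). The flag names are assumptions chosen for this example, and the checks are heuristics: 7-Zip archives are not parsed, and the encrypted-container check only looks for the EncryptedPackage stream name that legacy Office encryption uses.

```python
"""Heuristic triage of e-mail attachments against the TrickBot delivery vectors
described above. Added example; flag names and samples are constructed."""
import io
import re
import zipfile

# Script types seen in the described vectors (zipped scripts, VBScript in archives).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1")
# OOXML containers are ZIP files; DDE fields and embedded objects live inside them.
OFFICE_EXTS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm")
# Legacy Office / encrypted OOXML wrapper is an OLE compound file (CFB).
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries store stream names as UTF-16LE.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")


def _zip_contents(data):
    """Return {member name: bytes} for a ZIP container, or None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {info.filename: zf.read(info) for info in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Return a sorted list of heuristic flags for one attachment."""
    name = filename.lower()
    flags = set()
    if data.startswith(CFB_MAGIC):
        # Password-protected Office documents wrap the real file in an encrypted stream.
        if ENCRYPTED_STREAM in data:
            flags.add("office-legacy-encrypted")
        return sorted(flags)

    members = _zip_contents(data)
    if members is not None and name.endswith(OFFICE_EXTS):
        # Embedded .lnk objects are stored as separate parts inside the package.
        if any(m.lower().endswith(".lnk") for m in members):
            flags.add("office-embedded-lnk")
        # DDE / DDEAUTO fields appear as field instruction text in the part XML.
        for m, body in members.items():
            if m.endswith(".xml") and re.search(rb"\bDDE(AUTO)?\s", body):
                flags.add("office-dde-field")
    elif members is not None:
        # Plain archive: look for script files that would run on double-click.
        if any(m.lower().endswith(SCRIPT_EXTS) for m in members):
            flags.add("archive-contains-script")
    elif name.endswith((".htm", ".html")):
        # HTML attachment with an inline script block (the "mac1" campaign vector).
        if re.search(rb"<script\b", data, re.IGNORECASE):
            flags.add("html-embedded-script")
    elif name.endswith(SCRIPT_EXTS):
        flags.add("bare-script")
    return sorted(flags)


def _build_zip(entries):
    """Constructed helper: build an in-memory ZIP from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments, one per vector plus a benign document.
SAMPLES = {
    "invoice.zip": _build_zip({"invoice.vbs": "WScript.Echo 1"}),
    "notice.html": b"<html><body><script>var x = 1;</script></body></html>",
    "order.docx": _build_zip({
        "word/document.xml": '<w:instrText>DDEAUTO c:\\\\x </w:instrText>',
        "word/embeddings/oleObject1.lnk": b"L\x00\x00\x00",
    }),
    "report.docx": _build_zip({"word/document.xml": "<w:p>quarterly numbers</w:p>"}),
    "secure.doc": CFB_MAGIC + b"\x00" * 24 + ENCRYPTED_STREAM,
}


def triage(samples=SAMPLES):
    """Classify every sample; returns {filename: [flags]}."""
    return {fn: classify_attachment(fn, data) for fn, data in samples.items()}


if __name__ == "__main__":
    for fn, flags in triage().items():
        print(f"{fn:14} {', '.join(flags) or 'no flags'}")
```

Each flag maps back to one of the vectors in the description, so the output can be fed into a T1566 (Phishing) detection or a quarantine rule; the benign `report.docx` produces no flags, which is the check that keeps such heuristics from drowning analysts in false positives.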

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
TA547

These criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.

via Proofpoint (proofpoint.com)
TA800

These criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or Buer Loader and will then sell their access to ransomware operators to deploy data theft and encryption operations.

via Proofpoint (proofpoint.com)
TA505

The Trick, also known as Trickbot, is another banking Trojan that TA505 first began distributing in June of 2017.

via Proofpoint Threat Insight blog (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566 Phishing (evidence: 1)

These access facilitators distribute their backdoors via malicious links and attachments sent via email.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (1)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.