This is a tricky question and, in a bit of irony, there is a kind of like ... an unspoken ... or poorly documented philosophy of malware development. You kind of learn tricks of the trade as you write malware and witness malware campaigns operating in the wild. tl;dr idk it depends on wtf ur doing bro non-tl;dr To be direct, malware that works is not necessarily good malware. You can write a simple Windows batch script that deletes every file in an important directory and (technically) this would be "wiper" malware. This does not make it good, or sophisticated. Additionally, what defines "good" has changed over time. There tend to be trends in malware development. Malware tricks that used to work in the 90's are old news. Malware tricks from 2025 are old news (sort of). However, some malware tricks from the 90's are still applicable and can still be evasive. It's weird. You'll also see old tricks from the 90's suddenly reappear and catch everyone off guard because... people simply forgot they even existed... The trick is usually only identified by industry veterans (or as the kids say, "unc" or "old heads") who are also surprised the trick has re-emerged. What's old is new. What's old is also old. What's new will eventually be old. Anyway, "good malware" also depends on the objective. State-sponsored malware (malware written by governments, or written for government or military usage) has extremely strict rules of engagement (usually, not always, but usually). State-sponsored malware is usually extremely narrow in scope and designed for a very small and limited audience. State-sponsored malware may not necessarily be super advanced and cutting edge, but because it is so narrow in scope it is difficult to identify. Conversely, malware from financially motivated Threat Actors (malware developed for ... crime ...) is usually designed to be ass blasted in your face and sprayed across the internet.
Financially motivated Threat Actors will typically (if it's "good malware") design malware to be modular. In other words, because it is being blasted all over the internet it will be detected quickly, hence their malware needs to be broken down into almost like ... plugins ... and they need to have it so their malware can quickly replace one segment of code with another (and quickly). If you've ever seen racing like NASCAR or F1, you'll notice vehicles can be torn apart in basically seconds and re-assembled, parts effortlessly replaced so they can quickly get back in the race. Likewise, modular malware needs to be able to change quickly to avoid its inevitable detection. If you're curious, look up TrickBot, Emotet, or QakBot. They kind of defined what it means to be modular. They also kind of gave birth to what's known as "MaaS" (Malware-as-a-Service). State-sponsored Threat Actors' malware is trickier because it needs to be designed for a target. For example, when the United States (allegedly) targeted the Chinese government (allegedly) as APT NightEagle (allegedly) the malware was developed to work almost exclusively for specific Chinese infrastructure and (allegedly) contained exploits which would work in ideal scenarios which (allegedly) were that of Chinese critical infrastructure. This can also be seen with what the Russian government alleges the United States and Israel (allegedly) did with Operation Triangulation, where the malware (allegedly) only worked for specific sets of hardware (allegedly). Furthermore, this can also (allegedly) be seen with the United States (allegedly) purchasing cell phone malware from Israeli companies (allegedly) which were developed and sold to ICE (allegedly) to spy on people critical of ICE (allegedly). These companies are called NSO Group and Intellexa Alliance. Of course, the United States and Israel government vehemently deny the allegations from the Chinese and Russian government.
Okay, I have to stop writing and schizo ranting for the time being. I have to go back to watching a baby and stuff.
Replying to @vxunderground
what is the difference between poorly written and really good malware? one does work and the other doesn't? or is it more how clever the implementation and distribution are?
"TrickBot, first identified in 2016 as a banking trojan targeting financial credentials, became one of the modern internet’s most adaptive malware ecosystems." Get your Malmons aka Malware Monster Cards MK I on Kickstarter: kickstarter.com/projects/lam…
A new Russia-linked group, "GreyVibe," has been reported that uses generative AI across the entire process, from creating fake sites and decoys to malware development and post-compromise work. Its defining feature is said to be not high technical skill but an operation that uses AI to close the capability gap, and it is pointed out as an example that anticipates how low-skill attackers will operate in the future. At the same time, it is also reported that design flaws in the malware, which appears to have been built with AI assistance, gave researchers a foothold for long-term tracking.
[Key points]
- WithSecure confirmed traces of multiple AI tools (ChatGPT, Gemini, the image generator Ideogram, and others) being used for everything from creating decoy site images and the sites themselves, obfuscation and loaders, and the full development of the Windows remote access trojan (RAT) "LegionRelay," to generating post-compromise scripts. This is described as use built into operations, not a one-off experiment.
- The developers and operators are Russian speakers active in the Moscow time zone (UTC+3), and their targets and objectives align with Russian national interests. At the same time, signs leaning toward cybercrime coexist: naming derived from internet slang such as "letsrollboyos" and "cuteuwu," uploading their own samples to VirusTotal, and use of an ISO builder apparently of TrickBot lineage.
- Entry points are varied: in addition to at least six targeted emails since August 2025 and fake CAPTCHA lures, "PrincessClub," posing as a Ukrainian adult club, made contact through fake female Telegram accounts. A mechanism that could capture the victim's audio and video through a call function after infection was added later.
- The tools used were a small family of malware: the home-made PowerShell RAT "PhantomRelay," the Android spyware "FallSpy" that steals contacts, location data, and media, and LegionRelay, which extracts browser, Telegram, and WhatsApp data. The basic version of PhantomRelay was also seen in a separate, seemingly unrelated criminal cluster.
GreyVibe remains active, and the identities of its members are unknown. As an attacker operating from a position that cannot be called purely cybercrime or purely state activity, using AI to weaken its ties to the past, the report expects its methods to diversify further. See the following for details: labs.withsecure.com/publicat…
🍄 Mushroom Festival 4th BUGBUG “TrickBot” on-site sale ⚡️ [Event info] 📅 2026/03/07–03/08 (Sat, Sun) 🕚 11:00–17:00 📍 Greater Tainan Convention and Exhibition Center Organizer: @mushroom_toys Booth: No.70 Same colorway / four infection strains: -DROOL- / -BLOOD- / -TEAR- / -B.J.- (EN) Mar 7–8, 2026 / 11:00–17:00 Tainan / Booth No.70
former L3Harris employee steals zero-day exploits, sells them to a Russian broker with Trickbot ties, who flips them to unknown buyers US Treasury just sanctioned Operation Zero over it the exploit supply chain is wilder than most people realize — your defense contractors are the threat model too
These are at least eight high-value, classified hacking tools developed by a U.S. defense contractor (Trenchant, a subsidiary of L3Harris) specifically for the U.S. government and a few close allies (e.g., for intelligence, military, or national security operations). They’re not public or commercial software; they’re exclusive trade secrets designed to compromise enemy systems, extract sensitive info, or enable cyber operations without detection. Think advanced spyware, zero-day vulnerabilities (unknown bugs in software), or custom malware kits—tools that could be used for espionage, ransomware, or worse. Operation Zero acquired them illegally through a stolen pipeline: An Australian former employee of the contractor, Peter Williams, stole the tools between 2022 and 2025. He sold them to Zelenyuk’s operation for millions paid in cryptocurrency. Williams pleaded guilty in October 2025 to federal charges of trade secret theft, as part of an FBI and Justice Department probe. Under Executive Order 13694 (amended by E.O. 14306), which targets malicious cyber activities threatening U.S. security, the U.S. has frozen any assets or property of Zelenyuk, Operation Zero, and five affiliates (including his assistant Marina Vasanovich, a UAE-based firm called Special Technology Services LLC, and others like Azizjon Mamashoyev and Oleg Kucherov, the latter linked to the Trickbot ransomware group) that touch U.S. jurisdiction. American citizens and companies are banned from doing business with them—no transactions, no deals. This is the inaugural application of the Protecting American Intellectual Property Act (PAIPA, from 2023), which lets the State Department hit foreign actors who steal and profit from U.S. trade secrets posing a national security threat. Treasury Secretary Scott Bessent called it a clear message: “If you steal U.S. trade secrets, we will hold you accountable.”
Today the United States sanctioned Sergey Zelenyuk, and his company Matrix LLC, notably for "acquiring at least eight proprietary cyber tools exclusive to the United States government". Want to guess what those tools were? See image two! Info via @jsrailton
The US administration has imposed sanctions on a network of cybercriminals who stole and sold "digital weapons" of American origin. bukvy.org/minfin-ssha-naklav… The main figure is the Russian Sergey Zelenyuk and his company Operation Zero (Matrix LLC). According to the US Treasury, Zelenyuk organized an international scheme to buy up exploits, code for breaking into devices and stealing data. The company obtained eight cyber tools developed for the US government, which the Australian Peter Williams stole and sold for cryptocurrency. Williams pleaded guilty in a US court. Operation Zero did not report the vulnerabilities to the developers but sold them to foreign intelligence services. Accomplices in the UAE and Uzbekistan and individuals linked to the Trickbot group were also sanctioned. This is the first use of the Protecting American Intellectual Property Act (PAIPA): the defendants' assets in the US are frozen, and financial transactions with them fall under the threat of secondary sanctions.
The US Treasury Department has just imposed sanctions on the Russian exploit broker (exploits being tools used for cyberattacks) Sergey Zelenyuk, alias "MORTENOIR", his St. Petersburg company Operation Zero, his 22-year-old assistant, a shell company in Dubai, a suspected member of the Trickbot cybercrime gang, and an Uzbek associate who runs a competing exploit-trading company in the UAE. This is the first ever use of a US law created specifically to punish the theft of trade secrets that threaten US national security. Zelenyuk buys up exploits for American software and resells them to intelligence services outside NATO. His acquisitions included at least eight cyberattack tools stolen from an American company by its own employee, the Australian Peter Williams, who received millions in cryptocurrency for it and pleaded guilty. The sanctions include an asset freeze, a ban on banking transactions, a ban on investments, and an annual credit limit of 10 million dollars. An Australian steals American cyber weapons, sells them to a Russian, who resells them further. Global supply chains in action? home.treasury.gov/news/press…
The US has imposed sanctions against a Russian for stealing and selling government cyber tools. The restrictions affected the Russian Sergei Zelenyuk, his company Operation Zero, as well as related individuals and structures, reported the US Department of the Treasury. Operation Zero acquired at least eight cyber tools created exclusively for the US government and its allies, which were stolen from an American company. Subsequently, these tools were resold to clients outside NATO, including foreign special services. The sanctions also targeted Zelenyuk's assistant Marina Vasanovich, the company Special Technology Services LLC, as well as Azizjon Mamashoyev and Oleg Kucherov, associated with the Russian cybercrime group Trickbot. The list also included the company Advance Security Solutions, founded by Mamashoyev.
You need to read and research more. It’s a very big and interesting case.. not about the bounties at all. It’s about the background of the founder, an ex-Kaspersky researcher who was working with a TrickBot team member. lol
5/ The sanctioned network also includes Oleg Kucherov, who is linked to the Trickbot ransomware gang. They ransomwared US hospitals & healthcare facilities. Key insight: government offensive cyber operations, exploit brokers & cyber crime can blur.
Yes. Initially, I thought that Tramp was Oleg Kucherov (aka gabr - another member of TrickBot and Conti, he has been officially charged and is wanted). I learned about Oleg Nefedov thanks to you, investigated it further, and confirmed your information.
VChK-OGPU and Rucriminal.info have found that the father of hacker-basketball player Daniil Kasatkin, who was recently exchanged for French journalist Laurent Vinatier, worked for many years (he left in 2022) at the closed FGUP CNIIHM, the institute that was the main subject of the investigation into the Triton (Trisis) "virus" used in attacks on energy infrastructure around the world. In sports circles, meanwhile, it is believed that former Defense Minister Sergei Ivanov, who now heads the VTB United League, personally asked Putin for Kasatkin's exchange. A few days ago, the Russian authorities quite unexpectedly exchanged Daniil Kasatkin, a far-from-star Russian basketball player detained in France at the request of the United States, for a "hostage" of considerable value to Russia: French journalist Laurent Vinatier. As a reminder, basketball player Daniil Kasatkin, who previously played for the Moscow professional club MBA (which competes in the VTB United League), was detained at Paris's Roissy-Charles de Gaulle airport in June 2025 at the request of the United States. He is considered a member of a hacker group, but on January 8, 2026, it became known that he had been released. Sources of VChK-OGPU and Rucriminal.info in the sports community said that within the United League itself, Kasatkin's release is credited to the league's president, Sergei Ivanov, the same Ivanov who is a close friend of Vladimir Putin, ran the Presidential Administration, and served as Minister of Defense. He allegedly asked the Russian president for this personally. After the strange death of his eldest son Alexander (he was deputy chairman of the board of Vnesheconombank and allegedly drowned in Dubai in 2014), Sergei Ivanov declined noticeably and his career went sharply downhill. But, according to the source, he really does still keep in contact with Putin. The behavior of PBC MBA, the club Kasatkin played for, supports this version. Immediately after his detention in France, the club announced that it was terminating the player's contract. But it quickly backtracked, announcing that it would sign a new contract with Kasatkin as soon as he returned and that it fully supports the player.
When events of this magnitude happen to a basketball player without a notable career, it indicates that the story has clearly gone beyond sports. A careful look at the Kasatkin family's biography, however, suggests another version of the exchange. Daniil's father, Sergei Gennadievich Kasatkin, worked for many years at the FGUP Central Research Institute of Chemistry and Mechanics (CNIIHM). This is a closed research institute that carries out work for the Ministry of Defense and the state defense order. In particular, in 2019 the American magazine The Space Review found that CNIIHM was developing secret military inspector satellites that could be used to destroy the satellites of a potential adversary. And it was CNIIHM that in 2018 found itself at the center of an international scandal after the American company FireEye published its report on the Triton (Trisis) malware used in attacks on energy infrastructure around the world. According to The New York Times, one such attack led to the shutdown of a petrochemical plant in Saudi Arabia. FireEye experts stated that traces in the program code led to the group TEMP.Veles, which used, among other things, CNIIHM IP addresses and former employees of the institute. As VChK-OGPU and Rucriminal.info learned from leaks, Sergei Kasatkin was officially listed in a modest position, but experience shows that such "mailbox" institutes never report employees' real positions to the FPR. In August 2022, Kasatkin Sr. resigned of his own accord and moved to NPP Frezer GITs, an organization engaged in R&D, experimental design work, and the introduction of technologies into industry. The family picture is completed by Daniil's uncle, Alexey Kasatkin. He served in special-purpose units; we found a photo of him posing in a maroon beret. According to leaks, the athlete's relative has been receiving payments from the Pension Fund since roughly the age of 30, which is typical of privileged categories of security service personnel.
Now for the US authorities' version. According to US investigators, Kasatkin was involved in the activities of a ransomware group that attacked about 900 companies, including two federal institutions, in 2020–2022. Investigators stated that Kasatkin took part in ransom payment negotiations, acting on behalf of the hackers. That is, the crimes were committed at the time when Daniil Kasatkin had left the United States, where he had lived, studied, and played for college teams for several years. Against this backdrop, it is especially striking that, judging by the dates and the known details of the charges, Daniil Kasatkin could have been an accomplice of a group of hackers who, despite the charges, live quietly in Russia. This refers to the nine defendants in the investigation into the Trickbot and Conti ransomware trojans. They are at large, run businesses, are active online, some even have their own channels, and one is even saved in users' contacts as an "FSB operative." And it is against this backdrop that a basketball player not of the first league becomes the object of an international exchange for a valuable hostage. The version about an "ordinary athlete who accidentally came under suspicion," or, as his lawyer claimed, who bought a laptop with malware on it, looks less and less convincing in this configuration.
3 Dec 2025
Microsoft has mitigated the vulnerability CVE-2025-9491, exploited as a zero-day in all versions of Windows. 📂 The flaw allows malicious commands to be hidden in .lnk files (shortcuts), which are used to deploy malware such as Ursnif, Gh0st RAT and Trickbot. #Windows
🤔 VIEW FROM THE COUCH: THE DAY THE BULLETPROOF HOST WENT DARK Dutch police just seized thousands of servers from CrazyRDP in Zoetermeer/The Hague. Not a random VPS outfit – a bulletproof hoster that’s been sitting at the center of 80 cases: ransomware, botnets, phishing, and CSAM. This wasn’t a raid, it was a season finale. – Operation Endgame started in 2024 taking down IcedID, Trickbot & friends. – 2025 added DanaBot, hundreds more servers, and millions in seized crypto. – This week: 1,025 servers and 20 domains ripped out of the global malware ecosystem – plus CrazyRDP’s racks hosting thousands of criminal VMs. You don’t let a host like that run for years unless you’re: 🔹 Mapping every gang that pays for “no-questions-asked” servers 🔹 Tracking CSAM ransomware crypto wallets in one stack 🔹 Waiting for the moment to pull the plug on the infrastructure, not just the users Ross Ulbricht’s servers. SolarWinds. The Pentagon IP honeypot on Jan 20, 2021. Cracked & Nulled forum takedowns. Operation Chargeback on the credit-card fraud empire. And now CrazyRDP. The pattern isn’t “random busts.” The pattern is global, staged removal of the Dark Web’s logistics layer: servers, forums, payment rails, and now the bulletproof hosts that glued it all together. The timeline never lies. 🛋️ @Homeranger17 @TGOTCouch17 @ReckoningTruthZ @burnedspy360 @Great_Upset @ScottZPatriot @WillReagan11 @BeerCan45 @RadicalForLiber @ccblanchard99 @Thucydides17A @AFANGChief @Spaceshot76 @MRSRedVoteR @AstuteActual @Sparkness14 @jwcollins1955 @Aussie_Sharon74
‼️ Thousands of servers seized in Operation Endgame Dutch police seized thousands of CrazyRDP servers in Zoetermeer, Netherlands, at Serverion's datacenter. CrazyRDP is linked to numerous cybercrime and CSAM cases.
#Rhadamanthys and #VenomRAT are the latest malware to be disrupted by Operation Endgame. Since May 2024, the operation has affected IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, DanaBot, WarmCookie, Trickbot, and Hijack Loader, among other malware and botnets.
These materials were found independently, verified via multiple OSINT sources (flight data, leaks, and metadata). Archive attached for researchers and investigators. #Conti #Trickbot #Cybercrime #Ransomware #OSINT
In a newly found archive, I discovered private Rocket-Chat logs of Conti & Trickbot members — including Stanton. These files were Trick-Leaks.👇