Researchers believe that the attackers behind the Anchor malware, the TrickBot gang, have ceased TrickBot operations and are instead focusing on deploying stealthier versions of other malware families.
New versions of Emotet have been dropping Cobalt Strike beacons directly, rather than relying on intermediate payloads such as TrickBot.
Researchers observed known threat groups infecting victims with TrickBot for the first time in June, suggesting that the malware operators are expanding their distribution channels.
The EtterSilent builder has been used in campaigns alongside Ryuk ransomware, the Gozi banking trojan, and BazarLoader.
The TrickBot trojan now includes a capability to scan for vulnerable UEFI firmware implementations and could soon exploit them.