New versions of Emotet have been dropping Cobalt Strike beacons directly, rather than relying on intermediate payloads such as TrickBot.
Researchers observed known threat groups infecting victims with TrickBot for the first time in June, suggesting that the malware operators are expanding their distribution channels.
The EtterSilent builder has been used in campaigns alongside Ryuk ransomware, the Gozi banking trojan, and BazarLoader.
The TrickBot trojan now includes a capability to scan for vulnerable UEFI firmware implementations and could soon exploit them.
The TrickBot malware operation is back, with a fresh spam campaign delivering malicious Word documents.