A new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers. The ADll module takes advantage of the “Install from Media”” command to dump the Active directory database and various Registry hives to the %Temp% folder. This data can then be used to further spread laterally throughout the network and is especially helpful for the actors behind the Ryuk Ransomware
Source: and then exfiltrate the files back to the attacker’s servers.”