After Microsoft seized the U.S. servers of a botnet it feared could snarl state and local computer systems to sow distrust in the presidential election, the software giant now claims the international operations of Trickbot also have largely been shut down.

Security researchers had questioned the effectiveness of Microsoft’s efforts to thwart the Trickbot botnet, a network of computers secretly infected by malware that can be controlled remotely, after seeing international servers still active and sending out malware via spam late last week. But Tuesday, Microsoft said its continuing efforts with global partners eliminated 94% of Trickbot’s “critical operational infrastructure,” including so-called command-and-control servers when the company first seized U.S.-based servers and new infrastructure Trickbot’s operators tried to bring online.

The U.S. seizures and the international cooperation with tech partners have “always been about disrupting Trickbot’s operations during peak election activity — doing what we can to take action at a critical time — and we’re encouraged by what we’re seeing,” Tom Burt, Microsoft’s vice president of customer security and trust, wrote in the blog post.

Trickbot, which is run by Russian-speaking criminals, posed a “theoretical but real” threat to election integrity by launching ransomware attacks, in which data is rendered inaccessible unless the victim pays a ransom, Burt told The Washington Post in an interview last week. Microsoft’s concern was not that the botnet could alter actual results, but rather that it could hobble election-reporting systems or other election technology that would shake the confidence of voters, especially those already on edge from President Donald Trump’s unfounded assaults on the integrity of mail-in ballots.

Several days after Microsoft’s initial action, security researchers, such as Intel 471, questioned the effectiveness and noted Trickbot’s international operations still spreading malware. On Tuesday, though, Intel 471 said in a blog post that the global efforts were showing “success against Trickbot infrastructure.” It noted “a small number” of Trickbot command-and-control servers continue to operate in Brazil, Colombia, Indonesia and Kyrgyzstan.

Microsoft said it has disabled 120 of the 128 servers it identified as Trickbot infrastructure around the world, including devices that came online after its initial action. The company, though, expects Trickbot operations to continue to find other ways to stay active.


“This is challenging work, and there is not always a straight line to success,” Burt wrote.

More on Microsoft »


Microsoft’s efforts may also have been helped by U.S. Cyber Command, which launched its own campaign against Trickbot in recent weeks. And last week, the European policy agency Europol arrested 20 people for allegedly belonging to an international ring that laundered millions of euros stolen by cybercriminals through malware schemes, and aided Trickbot’s operators.