Malicious actors behind the information-stealing malware TrickBot have added a new module that has helped them illicitly gather a database of 250 million legitimate email addresses.

Millions of these harvested addresses are linked to government agencies and employees in the U.S., according to Deep Instinct, whose researchers uncovered the new module and the giant database. In all likelihood, these addresses were collected for the purpose of targeting them in future TrickBot operations, explains a July 12 blog post by Deep Instinct malware and cyber intelligence expert Shaul Vilkomir-Preisman, who was assisted by fellow researcher Tom Nipravski.

U.S. governmental organizations whose emails show up in the TrickBot database include the Department of Justice, Department of Home Security, State Department, Social Security Administration, Internal Revenue Service, House of Representatives, NASA, the Postal Service and more. Various universities and governmental entities in the U.K. and Canada were cited in the database, including the U.K. Ministry of Defense and U.K. Public Health Office.

“Spot-checking a few thousands of these compromised email addresses against previously recorded leaks and breaches leads us to believe that this is a new mass compromise of e-mails, not previously seen or reported before,” says Vilkomir-Preisman in the blog post.

Dubbed TrickBooster, the new module is described by Deep Instinct as an email-based infection and distribution module. TrickBooster harvests credentials and contacts from an infected victim’s address book, inbox and outbox, and can also send spam emails that victim’s compromised account, later deleting those messages from the outbox and trash folders to conceal malicious activity.

Some of the TrickBooster samples observed by Deep Instinct came signed with security certificates – issued by Thawte Consulting and its parent company DigiCert – that seem to originally have been issued to various legitimate small-to-medium businesses within the U.S. Deep Instinct said that it DigiCert/Thawte has revoked the certificates after being alerted of the scam.

Once downloaded by Trickbot, TrickBooster harvests not only the victim’s list of email contacts but also his or her own e-mail credentials, and sends that information to a malicious C2 server. Such data can later be sold and traded on the dark web.

In the next stage of operation, the server then instructs the malware use the compromised account to send spam to other email addresses – perhaps for monetization purposes or to spread the malware further.

According to Deep Instinct the malware does an excellent job of covering up its activities by deleting the original infecting executable file. “The result is that it is missed by nearly all scanning security vendors, an impressive stealth factor that is much desired among malware operators,” the blog post states.