Mallory
Malware · Ransomware · Used by 5 actors · Exploits 2 CVEs

Dridex

Also known as: Bugat v5

Dridex is a long-running banking Trojan, first reported in 2011 or 2012, derived from the BUGAT/CRIDEX codebase and still active in the wild. It became one of the most prevalent financial Trojans by 2015. Dridex is widely associated with the Russia-based cybercriminal group Evil Corp, and reporting also links related large malspam activity and some delivery operations to TA505/Hive0065 and Storm-0324. U.S. Treasury sanctions and DOJ actions have explicitly tied Dridex to Evil Corp and named Maksim Yakubets and Igor Turashev as developers/operators.

Its primary purpose is theft of online banking credentials and related financial fraud. Reported capabilities include browser injection of fake bank login pages, API hooking, keylogging, screenshot capture, encrypted exfiltration over peer-to-peer networks, downloading additional payloads, incorporating victim systems into a botnet, establishing virtual network functionality, deleting files after execution, use of multiple proxy layers to hide terminal infrastructure nodes, persistence via scheduled tasks, and encrypted traffic using RSA. Treasury/CISA reporting also notes privilege escalation, directory modification, firewall rule modification, and peer-to-peer data exfiltration. Stolen credentials have been used to facilitate fraudulent ACH transfers, wire transfers, fraudulent account opening, business email compromise, and money mule activity.

Dridex is primarily distributed through phishing and malspam campaigns. Reported infection vectors include malicious attachments such as ZIP, RAR, XML, DOC, XLS, VBS, JAR, and PDF files; macro-enabled Word and Excel documents; compressed archives; and links to payloads hosted on command-and-control servers, FTP servers, or cloud storage sites. Campaigns commonly use business-themed lures such as invoices, transactions, scans, billing notices, payment notifications, and urgent financial matters, often instructing users to enable Office macros. Reporting also documents exploitation of Microsoft Office vulnerabilities, especially CVE-2017-0199, to deliver Dridex via malicious Word RTF documents without relying on macros in some campaigns, and associates Dridex with CVE-2012-0158 in broader exploitation reporting.

Reported targeting centers on financial institutions and their customers, with attacks appearing primarily directed at English-speaking countries. Specific campaign reporting mentions large-scale email campaigns targeting millions of recipients, primarily in Australia, and other activity affecting Europe, healthcare organizations in COVID-19-themed campaigns, and broad enterprise victims. Dridex has also been observed among the botnet families with significant command-and-control detections.

The malware is linked in reporting to other criminal operations and payload ecosystems. The same botnets and delivery infrastructure have been used to distribute Dridex and Locky ransomware, sometimes simultaneously, and Treasury/CISA reporting notes code similarities between Dridex and BitPaymer/Friedex ransomware. DOJ reporting states that from 2016 onward Dridex was modified to facilitate ransomware installation. Dridex has also been associated with infrastructure such as Avalanche.

High-confidence indicators cited in the source reporting include Dridex botnet ID 7500 in a CVE-2017-0199 campaign; injects C2 servers 23.95.23.219:443 and 63.141.250.167:443; worker C2 179.108.87.11:443; loader C2s 185.44.105.92:443, 64.79.205.100:4743, and 185.25.184.214:4743; payload URLs hxxp://btt5sxcx90[.]com/template.doc, hxxp://rottastics36w[.]net/template.doc, and hxxp://btt5sxcx90[.]com/7500.exe; malicious attachment SHA256 hashes c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629, 444d42f49971a88b798dfb8735ad14dc96285252bcb67a72d171dbdfe39ac2bd, and 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c; and additional Dridex-associated IPs from Treasury/CISA reporting including 62.149.158.252, 177.34.32.109, 2.138.111.86, 122.172.96.18, 69.93.243.5, 200.43.183.102, 79.124.76.30, 188.125.166.114, 37.59.52.64, 50.28.35.36, 154.70.39.158, 108.29.37.11, and 65.112.218.2.
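The indicators above are only useful once they are matched against telemetry, and how they are matched matters: the C2 entries carry a port, the payload URLs are published defanged, and the Treasury/CISA IPs are older and lower-confidence than the attachment hashes. The script below is an added example, not Mallory's code or anything from the source reports; it refangs the URLs, builds port-aware and port-agnostic IP sets, and scans a few constructed key=value proxy and EDR log lines. The log format, the field names (`dst`, `dport`, `host`, `uri`, `sha256`) and every sample line are assumptions for the illustration.

```python
"""Match the Dridex indicators quoted above against sample telemetry.

Added illustration, not Mallory's code. The key=value log format, the field
names and every sample line below are constructed for this example.
"""
import re

# Indicators copied from the page text above (botnet 7500 / CVE-2017-0199
# campaign and the Treasury/CISA IP list). URLs are kept defanged as published.
C2_SOCKETS = {
    "23.95.23.219:443", "63.141.250.167:443",                           # injects C2
    "179.108.87.11:443",                                                # worker C2
    "185.44.105.92:443", "64.79.205.100:4743", "185.25.184.214:4743",  # loader C2
}
DEFANGED_URLS = [
    "hxxp://btt5sxcx90[.]com/template.doc",
    "hxxp://rottastics36w[.]net/template.doc",
    "hxxp://btt5sxcx90[.]com/7500.exe",
]
SHA256_HASHES = {
    "c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629",
    "444d42f49971a88b798dfb8735ad14dc96285252bcb67a72d171dbdfe39ac2bd",
    "7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c",
}
REPORTED_IPS = {
    "62.149.158.252", "177.34.32.109", "2.138.111.86", "122.172.96.18",
    "69.93.243.5", "200.43.183.102", "79.124.76.30", "188.125.166.114",
    "37.59.52.64", "50.28.35.36", "154.70.39.158", "108.29.37.11",
    "65.112.218.2",
}


def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so a published URL can be compared to telemetry."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


PAYLOAD_URLS = {refang(u) for u in DEFANGED_URLS}
PAYLOAD_HOSTS = {u.split("/")[2] for u in PAYLOAD_URLS}
# Any IP from either list is worth a lower-confidence hit even on an unexpected port.
ALL_IPS = REPORTED_IPS | {s.split(":")[0] for s in C2_SOCKETS}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict (constructed format; adapt to your log source)."""
    return dict(KV.findall(line))


def match_event(fields: dict) -> list:
    """Return (kind, value) hits for one event, highest-confidence kinds first."""
    hits = []
    dst, dport = fields.get("dst"), fields.get("dport")
    if dst and dport and f"{dst}:{dport}" in C2_SOCKETS:
        hits.append(("c2_socket", f"{dst}:{dport}"))       # IP and port both match
    elif dst in ALL_IPS:
        hits.append(("reported_ip", dst))                  # IP only; port differs or unknown
    host, uri = fields.get("host"), fields.get("uri")
    if host in PAYLOAD_HOSTS:
        url = f"http://{host}{uri if uri and uri != '-' else ''}"
        if url in PAYLOAD_URLS:
            hits.append(("payload_url", url))              # exact published download URL
        else:
            hits.append(("payload_host", host))            # same host, different path
    sha = fields.get("sha256", "").lower()                 # hashes are compared case-insensitively
    if sha in SHA256_HASHES:
        hits.append(("sha256", sha))                       # known malicious attachment
    return hits


def scan(lines) -> list:
    """Scan log lines and return (line_no, kind, value) triples for every hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_event(parse_line(line)):
            findings.append((n, kind, value))
    return findings


# Constructed sample telemetry: proxy events plus one EDR file event.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real infrastructure.
SAMPLE_LOGS = [
    "ts=2024-01-01T10:00:00Z src=10.0.0.5 dst=23.95.23.219 dport=443 host=- uri=-",
    "ts=2024-01-01T10:01:00Z src=10.0.0.6 dst=203.0.113.9 dport=80 host=btt5sxcx90.com uri=/template.doc",
    "ts=2024-01-01T10:02:00Z src=10.0.0.7 dst=198.51.100.7 dport=443 host=example.org uri=/",
    "ts=2024-01-01T10:03:00Z src=10.0.0.8 dst=64.79.205.100 dport=443 host=- uri=-",
    "ts=2024-01-01T10:04:00Z src=10.0.0.9 dst=62.149.158.252 dport=8080 host=- uri=-",
    "ts=2024-01-01T10:05:00Z computer=WS01 sha256=C98F34E4E87F041C3F19749BBB995BFCD2E3DE20C2BA619EA4A0ED616AC1B629 path=C:\\Users\\a\\Downloads\\invoice.zip",
    "ts=2024-01-01T10:06:00Z src=10.0.0.10 dst=203.0.113.9 dport=80 host=btt5sxcx90.com uri=/other",
]


def scan_sample() -> list:
    """Run the scanner over the constructed sample; six of the seven lines should hit."""
    return scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for line_no, kind, value in scan_sample():
        print(f"line {line_no}: {kind} {value}")
```

The `c2_socket` and `sha256` kinds are the ones to page on; `reported_ip` deliberately fires for 64.79.205.100 on port 443 even though the reported loader port is 4743, because the kind tells the analyst that only the address matched. The Treasury/CISA IP list in particular predates most current telemetry, so treat a `reported_ip` hit as a lead to enrich (passive DNS, ASN, first-seen date) rather than as confirmation.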


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2012-0158: MSCOMCTL.OCX ListView/TreeView ActiveX Remote Code Execution (exploited in the wild)

CVE-2012-0158 Vulnerable Products: Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0. Associated Malware: Dridex. Mitigation: Update affected Microsoft products with the latest security patches. | As of December 2019, Chinese state cyber actors were frequently exploiting the same vulnerability—CVE-2012-0158—that the U.S. Government publicly assessed in 2015 was the most used in their cyber operations. | CVE-2017-0199 ... Associated Malware: FINSPY, LATENTBOT, Dridex

via CISA advisories (cisa.gov)
CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability (exploited in the wild)

CVE-2017-0199 Vulnerable Products: Microsoft Office 2007 SP3/2010 SP2/2013 SP1/2016, Vista SP2, Server 2008 SP2, Windows 7 SP1, Windows 8.1. Associated Malware: FINSPY, LATENTBOT, Dridex. Mitigation: Update affected Microsoft products with the latest security patches. | CVE-2012-0158 ... Associated Malware: Dridex

via CISA advisories (cisa.gov)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.
TA505

The most notorious among these are campaigns involving banking Trojans such as Dridex and TrickBot... More recent Hive0065 campaigns reported in March 2020 exploited the current interest in the COVID-19 pandemic, using Coronavirus-themed phishing emails to deliver the Locky ransomware and the Dridex banking Trojan.

via Security Intelligence (web.archive.org)
Indrik Spider

The agency established sanctions for paying ransoms to specific threat groups identified by OFAC and designated sanctions against actors linked to Cryptolocker, SamSam, WannaCry (linked to the Lazarus Group) and Dridex (linked to Evil Corp.).

via Cybersecurity Dive (cybersecuritydive.com)
Storm-0324

Storm-0324 has distributed a range of first-stage payloads since at least 2016, including: ... Dridex, a banking trojan

via Microsoft (microsoft.com)
TA575

Proofpoint has found evidence of a prolific cybercrime group using the popularity of Netflix hit "Squid Game" to spread the Dridex malware... "The attachments are Excel documents with macros that, if enabled, will download the Dridex banking trojan..."

via ZDNet Zero Day (zdnet.com)
TA573

"TA573 is an affiliate distributor of Dridex, a malware strain that resurged in 2020... The malware itself is a creation of a Russian cyber crime group that calls itself Evil Corp..."

via Proofpoint Threat Insight blog (proofpoint.com)
MITRE ATT&CK

Techniques & procedures

27 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583 Acquire Infrastructure (evidence: 1)

Active since 2009, the Avalanche botnet has been used for money muling schemes, distributing a wide variety of malware, and as a fast-flux communication infrastructure for other botnets.

Initial Access

3 techniques
T1566 Phishing (evidence: 3)

While a focus on exploiting the human factor—that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks—remains a key trend in the current threat landscape...

T1566.001 Spearphishing Attachment (evidence: 7)

According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets.

T1566.002 Spearphishing Link (evidence: 1)

Example Links and Filenames... HTTPS://WWW.GOOGLE[.]COM/URL?Q=HTTPS://WWW.( Cloud Services Provider )[.]COM/... Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware.

Execution

7 techniques
T1053.005 Scheduled Task (evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

T1059 Command and Scripting Interpreter (evidence: 1)

In other cases, macros launch scripts that extract executables embedded in the document as opposed to downloading the payload.

T1059.005 Visual Basic (evidence: 2)

Many of the files, rather than containing the actual malware, contain hidden or obfuscated macros. Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware.

T1203 Exploitation for Client Execution (evidence: 5)

U.S. Government reporting has identified the top 10 most exploited vulnerabilities by state, nonstate, and unattributed cyber actors from 2016 to 2019 as follows: CVE-2017-11882, CVE-2017-0199, CVE-2017-5638, CVE-2012-0158, CVE-2019-0604, CVE-2017-0143, CVE-2018-4878, CVE-2017-8759, CVE-2015-1641, and CVE-2018-7600. According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. | The three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are CVE-2017-11882, CVE-2017-0199, and CVE-2012-0158.

T1204 User Execution (evidence: 2)

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

T1204.001 Malicious Link (evidence: 1)

Where there is a message body, the body may specifically state that the contents of the e-mail underwent virus scanning or simply directs the victim toward the link or attachment.

T1204.002 Malicious File (evidence: 4)

The attachments are Microsoft Office documents containing malicious macros which download Shifu banking Trojan... Australian-targeted emails containing randomly named attachments that used malicious macros to download Ursnif. | Most of the emailed malicious document attachments are empty or used a generic 'Enable macros to view this document' lure.

Persistence

1 technique
T1053.005 Scheduled Task (evidence: 2)

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.


T1548 Abuse Elevation Control Mechanism (evidence: 1)

Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges...

Stealth

1 technique
T1027 Obfuscated Files or Information (evidence: 1)

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

T1056.001 Keylogging (evidence: 1)

The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

Discovery

1 technique
T1082 System Information Discovery (evidence: 1)

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Collection

3 techniques
T1056.001 Keylogging (evidence: 1)

The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

T1113 Screen Capture (evidence: 1)

Modules include provisions for capturing screenshots... Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks

T1185 Browser Session Hijacking (evidence: 1)

The primary threat to financial activity is Dridex’s ability to infiltrate browsers, detect access to online banking applications and websites, and inject malware or keylogging software, via API hooking, to steal customer login information.

Command and Control

6 techniques
T1071 Application Layer Protocol (evidence: 3)

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...

T1071.001 Web Protocols (evidence: 2)

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

T1090.003 Multi-hop Proxy (evidence: 1)

During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.

T1095 Non-Application Layer Protocol (evidence: 1)

The P2P communication aspects of Dridex improve its concealment and redundancy... Dridex modules package, encrypt, and transmit captured information... via peer-to-peer (P2P) networks

T1105 Ingress Tool Transfer (evidence: 3)

Upon activation, the macros reach to a command and control server, FTP server, or cloud storage site to download the actual Dridex malware. Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software...

T1573 Encrypted Channel (evidence: 1)

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Exfiltration

1 technique
T1048 Exfiltration Over Alternative Protocol (evidence: 1)

Dridex modules package, encrypt, and transmit captured information, screenshots, etc., via peer-to-peer (P2P) networks in the XML format or in binary format, as seen in newer versions.

Impact

2 techniques
T1485 Data Destruction (evidence: 1)

Once downloaded and active, Dridex has a wide range of capabilities, from downloading additional software to establishing a virtual network to deletion of files.

T1486 Data Encrypted for Impact (evidence: 1)

Insurance company CNA Financial reportedly paid its attackers $40 million following a ransomware attack disclosed in March.

Other

1 technique
T1562.004 Disable or Modify System Firewall (evidence: 1)

Through its history and development, Dridex has used several exploits and methods for execution, including modification of directory files, using system recovery to escalate privileges, and modification of firewall rules to facilitate peer-to-peer communication for extraction of data.

INDICATORS OF COMPROMISE

IOCs tracked for this family

68 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 37 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 4 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 27 tracked. Other indicator types observed in public reporting.
