Skip to content

Dridex

OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term."

According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method."

IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

Linked Threat Actors

Evil CorpINDRIK SPIDERTA505

C2 Infrastructure

Hosting/VPS 67%
Education 33%

Last 7 days

Jul 3, 2026
C2 Hosts: 3

Further Reading

A Deep Dive into Packing Software CryptOne opens in a new tab

A packing software called CryptOne became popular recently among some major threat actors. It was first reported by Fox-IT.

deepinstinct.com
Ten process injection techniques: A technical survey of common and trending process injection techniques opens in a new tab

Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another proc...

elastic.co
Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp opens in a new tab

What really happened to Evil Corp after the OFAC sanctions? Did they cut and run, or are they still operating with impunity?

sentinelone.com
FriedEx: BitPaymer ransomware the work of Dridex authors opens in a new tab

ESET research has found that the ransomware FriedEx, a.k.a. BitPaymer, is actually the work of the notorious gang responsible for the Dridex banking trojan.

welivesecurity.com
The malware that usually installs ransomware and you need to remove right away opens in a new tab

If you see any of these malware strains on your enterprise networks, stop everything you're doing and audit all systems.

zdnet.com
Il polo italiano della Cyber Security opens in a new tab

Costruiamo un digitale sicuro, insieme. Sicurezza, Resilienza, Innovazione Tinexta Cyber è una delle principali realtà italiane nel campo della cybersecurity e della system integration, parte del G...

yoroi.company

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.