What is Dridex malware?
Dridex malware is a sophisticated banking trojan designed to steal financial information and facilitate malicious activity. It typically targets businesses and individuals through phishing campaigns, causing data breaches and financial loss. Known for its adaptability and evasion tactics, Dridex remains a high-priority threat for cybersecurity defenders.
When was Dridex first discovered?
Dridex first emerged in 2014, evolving from the Cridex trojan. It was initially uncovered by security researchers monitoring malicious email campaigns aimed at distributing the malware.
Who created Dridex?
Dridex is attributed to the cybercriminal group Evil Corp, known for conducting large-scale financial cyberattacks. Evil Corp is believed to operate from Russia and has been linked to numerous high-profile incidents.
What does Dridex target?
Dridex focuses on high-value financial targets, including businesses, payment processors, and individuals with access to significant funds. Its emphasis on enterprise environments highlights its intent for broad economic disruption.
Dridex distribution method
The primary method of distribution for Dridex is phishing emails embedded with malicious attachments or links. These emails often masquerade as legitimate communications, tricking victims into downloading payloads. Dridex can also spread through exploit kits and remote desktop protocol (RDP) vulnerabilities.
Technical analysis of Dridex malware
An infection begins when a malicious email attachment downloads and runs the Dridex payload. Once executed, it connects to its command-and-control (C2) servers to obtain encryption keys and instructions. Its modular payload captures keystrokes, redirects web traffic, and extracts sensitive data. To maintain persistence, Dridex modifies registry values and operates as a rootkit to hide its activity.
Tactics, Techniques & Procedures (TTPs)
MITRE ATT&CK Techniques: T1203 - Exploitation of Vulnerabilities, T1059 - Command Execution.
Behavioral Traits: Use of polymorphic code for evasion and connection to distributed botnets.
Indicators of Compromise (IoCs)
Suspicious domains or IPs tied to C2 servers.
Malicious document hashes used for distribution.
Abnormal traffic patterns indicating system compromise.
How to know if you’re infected with Dridex?
Symptoms of a Dridex infection include slow device performance, unauthorized bank account activity, sudden appearance of rootkit files, and unexplained outbound connections originating from endpoint devices or servers.
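The IoC categories listed above (C2 domains or IPs, malicious document hashes, and unexplained outbound connections) can be checked against gateway and firewall records in one pass. The following is an added example, not Huntress code; every hash, hostname, IP address and log line in it is a constructed placeholder, and the baseline of "normal" destinations per host is assumed to come from earlier traffic.

```python
from typing import Dict, List, Set, Tuple

# Constructed watchlist of indicators: placeholders only, not real Dridex IoCs.
WATCHLIST_HASHES: Dict[str, str] = {"deadbeef" * 8: "invoice_q3.doc"}  # sha256 -> known filename
WATCHLIST_C2: Set[str] = {"c2-placeholder.example", "203.0.113.45"}

# Constructed per-host baseline of destinations seen in normal traffic (assumption).
BASELINE: Dict[str, Set[str]] = {
    "WS-01": {"mail.corp.example", "update.vendor.example"},
    "WS-02": {"mail.corp.example"},
}

# Constructed mail-gateway attachment records: recipient,filename,sha256
ATTACHMENTS = """\
alice@corp.example,invoice_q3.doc,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
bob@corp.example,agenda.pdf,0000000000000000000000000000000000000000000000000000000000000000
"""

# Constructed outbound-connection log lines: host,destination,port
CONN_LOGS = """\
WS-01,mail.corp.example,443
WS-01,203.0.113.45,443
WS-02,c2-placeholder.example,8443
WS-02,mail.corp.example,443
WS-03,update.vendor.example,443
"""


def check_attachments(records: str) -> List[Tuple[str, str]]:
    """Return (recipient, filename) for attachments whose hash is on the watchlist."""
    hits = []
    for line in records.strip().splitlines():
        recipient, name, digest = line.split(",")
        if digest.lower() in WATCHLIST_HASHES:
            hits.append((recipient, name))
    return hits


def check_connections(logs: str, baseline: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Flag outbound connections to known C2 indicators, then any destination
    absent from the host's baseline (the 'unexplained outbound connection' symptom)."""
    alerts = []
    for line in logs.strip().splitlines():
        host, dest, _port = line.split(",")
        if dest in WATCHLIST_C2:
            alerts.append((host, dest, "known C2 indicator"))
        elif dest not in baseline.get(host, set()):
            alerts.append((host, dest, "unexplained outbound destination"))
    return alerts
```

A host with no baseline at all (WS-03 above) is flagged on every connection, which is the intended conservative behaviour for a newly seen endpoint.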
Dridex removal instructions
For manual removal of Dridex, isolate the infected system immediately to prevent lateral movement. Use endpoint detection and response (EDR) tools to locate and remove malicious processes. Huntress 24/7 SOC tools provide real-time monitoring and advanced cleanup for Dridex infections.
Is Dridex still active?
Dridex remains active and an ongoing threat. New variants continue to surface, showcasing its adaptability through enhanced social engineering tactics and capabilities. Organizations must remain vigilant against this persistent menace.
Mitigation & prevention strategies
To prevent Dridex infections, implement regular patching of vulnerable software, enforce multi-factor authentication (MFA), and conduct robust phishing awareness training. Network monitoring and managed detection and response (MDR) services like Huntress can detect suspicious activity and mitigate threats before significant damage occurs.