Dridex
  March 19, 2024
Botnet Ransomware Cybercrime Group Bank Trojan Stealer Loader

Dridex is one of the most technically advanced banking Trojans; it has been active, and has evolved continuously, since 2014.

Initially built as a banking Trojan that steals online-banking credentials by intercepting them (keylogging, web injects) or by redirecting victims to a phishing copy of the bank's page, Dridex was later used by its operators as a botnet to deliver their own ransomware families to compromised systems: BitPaymer, DoppelPaymer, Locky, WastedLocker and Macaw.

Dridex is regarded as a descendant of the Zeus Trojan and shares program code with the Bugat malware.

Dridex is operated by «Evil Corp», one of the most wanted organized cybercrime groups, which some vendors also track under the name TA505. The group does not offer access to the Dridex botnet or to its ransomware under the RaaS or MaaS business models, preferring to run operations itself.

The geography of Dridex incidents is broad: victims are located in the United States, the European Union and the Asia-Pacific region. The «Evil Corp» group avoids using Dridex and the associated ransomware against residents of CIS countries; the malware contains a routine that automatically removes itself when it detects that the infected system is located in a CIS member state.


[Charts not reproduced in this text: Activity dynamics; Malicious infrastructure growth dynamics; Countries where most of the malicious infrastructure is located; Malicious infrastructure map; Malicious infrastructure growth; Extensions of captured samples]

June 19, 2022, 1:25 p.m.

«Evil Corp», one of the most active and most wanted cybercrime groups, has resumed its hunting in cyberspace, using the «Dridex» Trojan together with popular «MaaS» malware families
April 14, 2022, 1:22 p.m.

One of the most popular stealers in the cybercriminal underground fell victim to the dramatic events in Ukraine and ceased to exist