{
	"id": "34c03396-83b6-4e8b-8a3e-7499ca36c1e2",
	"created_at": "2026-04-06T00:08:31.022182Z",
	"updated_at": "2026-04-10T03:33:15.484173Z",
	"deleted_at": null,
	"sha1_hash": "94353ab1352b29ba65b6aba99c5a2d855b598c19",
	"title": "Dridex malware trolls employees with fake job termination emails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3323228,
	"plain_text": "Dridex malware trolls employees with fake job termination emails\r\nBy Lawrence Abrams\r\nPublished: 2021-12-22 · Archived: 2026-04-05 18:13:32 UTC\r\nA new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season's greeting message.\r\nDridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behavior, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.\r\nThis malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.\r\nhttps://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/\r\nPage 1 of 5\r\nDridex affiliate trolls researchers, victims\r\nA Dridex affiliate has been conducting numerous malicious email campaigns over the past few weeks where they troll researchers with email addresses and filenames composed of racist and antisemitic words.\r\nA security researcher known as TheAnalyst discovered that Dridex is again trolling people, but this time it's the victims who are being sent fake employee termination emails.\r\nThese emails use the subject of \"Employee Termination\" and tell the recipient that their employment is ending on December 24th, 2021, and that \"this decision is not reversible.\"\r\nThe emails include an attached Excel password-protected spreadsheet named 'TermLetter.xls' that allegedly contains information on why they are being fired and the password required to open the document.\r\nDridex Employee Termination phishing email\r\nWhen the recipient opens the Excel spreadsheet and enters the password, a blurred \"Personnel Action Form\" will be displayed, saying they must \"Enable Content\" to view it properly.\r\nMalicious Excel attachment\r\nWhen the victim Enables Content, a popup will be displayed trolling the victim with an alert stating, \"Merry X-Mas Dear Employees!\"\r\nDridex distributor trolling victims\r\nHowever, unbeknownst to the victim, malicious macros have been executed that create and launch a malicious HTA file saved to the C:\\ProgramData folder.\r\nThis random-named HTA file pretends to be an RTF file but contains malicious VBScript that downloads Dridex from Discord to infect the device, all while wishing the victim a Merry Christmas.\r\nMalicious HTA file disguised as an RTF file\r\nAs a little extra \"joke,\" TheAnalyst told BleepingComputer that the Dridex file downloaded from Discord is named 'jesusismyfriend.bin.'\r\nOnce Dridex is launched, it will begin installing additional malware, stealing credentials, and performing other malicious behavior.\r\nTherefore, if you receive an email stating you are fired right before Christmas, be sure to reach out to your human resources department or employer before opening the email.\r\nAs Dridex infections commonly lead to ransomware attacks, Windows admins need to stay on top of the latest malware distribution methods and train employees on how to spot them as well.\r\nSource: https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/"
	],
	"report_names": [
		"dridex-malware-trolls-employees-with-fake-job-termination-emails"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791995,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94353ab1352b29ba65b6aba99c5a2d855b598c19.pdf",
		"text": "https://archive.orkl.eu/94353ab1352b29ba65b6aba99c5a2d855b598c19.txt",
		"img": "https://archive.orkl.eu/94353ab1352b29ba65b6aba99c5a2d855b598c19.jpg"
	}
}