{
	"id": "b957d64a-3b0a-4b0d-a455-63b6740b01d9",
	"created_at": "2026-04-06T00:19:52.950236Z",
	"updated_at": "2026-04-10T13:11:48.658869Z",
	"deleted_at": null,
	"sha1_hash": "9c2dfa22e8bf33852b820f53f9436f05ac1caf97",
	"title": "New Dyre Malware Campaign Distribution Techniques US | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528173,
	"plain_text": "New Dyre Malware Campaign Distribution Techniques US |\r\nProofpoint US\r\nBy October 08, 2015 Proofpoint Staff\r\nPublished: 2015-10-10 · Archived: 2026-04-05 13:56:12 UTC\r\nThis week, Proofpoint researchers observed the now infamous “man-in-the-browser” (MITB) banking malware\r\nDyre experimenting with new ways to deliver spam malicious attachments in spam emails. These innovations\r\nincluded two significant changes in Dyre behavior:\r\nDyre employed the spambot Gophe to send thousands of randomized documents (hashes and file names)\r\nper spam campaign\r\nThe spammed attachments are using a RTF trick (or a feature of Windows OS) that allows dropping an\r\nexecutable – but not running it – simply by opening the RTF document\r\n1. Changes in Email Campaign Behavior\r\nIn past instances, Proofpoint researchers have observed that when Dyre actors employ Microsoft Word document\r\nattachments, they have used a relatively high ratio of messages to unique documents (i.e., hashes): that is, using\r\nonly a few unique Word document attachments for a large number of messages. (This is in contrast to zipped\r\nexecutable attachments, where they have frequently been observed using a large number of attachments for each\r\ncampaign.) [1]\r\nHowever, on October 8, Proofpoint researchers observed the Gophe spammer botnet used by these actors sending\r\ntens of thousands of unique Word documents in a single campaign. The Dyre botnet propagates itself using the\r\nGophe spambot – among others – to propagate itself, downloading and running Gophe after the Dyre malware\r\npayload is successfully installed. The Gophe bot then sends messages to all the addresses in the victim’s Outlook\r\nor Thunderbird contact list, then deletes itself upon completion of this email run. Dyre downloads and runs the\r\nGophe spambot again when needed, as often as several times a day.\r\nIn this case, Gophe communicated with its command \u0026 control (C2) servers (62.210.182[.] 
246 and\r\n178.162.193[.]207) and received templates, randomized documents, and word lists for additional randomization\r\nof the spam.\r\nDyre’s Gophe spambot then crafted emails with the downloaded templates, filters, wordlists and other parameters.\r\nAppendix A includes the complete detected bot configuration, but one parameter deserves highlighting:\r\n“address_in_message” with the value “5”. This parameter instructs the bot to send one attachment to five recipients,\r\nthen craft a new email with a different attachment for the next five recipients (Fig. 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques\r\nPage 1 of 10\n\nFigure 1: Phishing email with attachment to five recipients and zipped document with randomized name.\r\nThe attachment name was also randomized using an extensive wordlist. Below is a small sample of the over\r\n60,000 words used:\r\nchariot\r\ncustom-house\r\ncomputer engineer\r\nzigzag\r\nhedge\r\nwarding\r\nsitty\r\nbeaded\r\nsphygmography\r\nconventional\r\nmannequin\r\nThe continual recombination of thousands of unique document hashes with a very wide variety of random words\r\nresults in an email campaign that is virtually undetectable by signature-based defenses.\r\n2. Attachment Changes\r\nWhen the email recipient opens the attachment, they encounter a ‘secure’ Office document. The lure is almost\r\nidentical to the one Proofpoint researchers recently described in “Dyre Campaigners Set Sights on the Fulfillment\r\nand Warehousing Industry” [2]. 
However, instead of using a macro known as Xbagging or Bartallex [3] to\r\ndownload the Upatre payload from the Internet, a different set of ruses and redirections is employed to drop an\r\nUpatre payload that is embedded within the document itself.\r\nFigure 2: The malicious document attachment\r\nThe document includes a malicious macro, which operates as follows:\r\n1. The document macro writes two RTF files to the %TMP% folder, opens one of them, and sleeps.\r\n2. The opened RTF file carries an embedded Upatre executable as a Packager Shell Object. When this RTF file is\r\nopened by the document macro, the embedded executable is dropped (but not executed) into the %TMP%\r\nfolder without user interaction. (This appears to be a feature of Microsoft Office that only works for RTF,\r\nnot for other file formats such as DOC or DOCX.)\r\n3. The document macro finishes its sleep loop and executes the binary placed into %TMP% by the RTF.\r\nThis long chain of redirections is another example of the continued innovations threat actors and malware authors\r\nemploy in order to evade detection by both antivirus and behavioral defense solutions.\r\nExamining the macro details closely, we can see more clearly how these steps proceed. (Analyst comments are\r\ninline after “###”.)\r\nFigure 3: Malicious macro in document attachment\r\nThe malicious macro opens “199.rtf” (Fig. 4), which includes an embedded Upatre executable as a Packager Shell\r\nObject. (Packager Shell Objects are bundles that can be embedded in a document and double-clicked to execute\r\ndirectly from the document.)\r\n
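Added example, not code from the post or from Proofpoint: a small parser that finds Packager Shell Objects in an RTF and recovers the embedded file, so the dropped executable can be hashed and triaged without ever opening the document in Word. It builds its own sample RTF around a constructed MZ stub labelled w1.exe (the name the post reports); the byte layouts follow the OLE1 ObjectHeader in MS-OLEDS and the Packager native-data layout as parsed by oletools' oleobj, and the flags value and the Windows paths are assumptions. In practice you would run oletools' rtfobj, which also copes with the obfuscated hex that real samples use; this block shows the mechanics underneath.

```python
"""Find Packager Shell Objects in an RTF and recover the file they carry.

Added example, not Proofpoint's code. Field layouts follow the OLE1
ObjectHeader in MS-OLEDS and the Packager native-data layout as parsed by
oletools' oleobj; the flags value and the Windows paths are assumptions.
The sample RTF and its MZ-stub payload are constructed here.
"""
import re
import struct

OLE_VERSION = 0x00000501      # OLEVersion field written by Office
FORMAT_EMBEDDED = 0x00000002  # FormatID for an embedded (not linked) object
# Hex body of a {\*\objdata ...} group; writers wrap it over many lines.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def _lp_ansi(s):
    """LengthPrefixedAnsiString: 4-byte length (incl. NUL) then the bytes."""
    if not s:
        return struct.pack("<I", 0)
    raw = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(raw)) + raw


def build_package_objdata(label, src_path, temp_path, payload):
    """Serialise an embedded Package object as an \\objdata group carries it."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    native = struct.pack("<H", 2)                    # packager header word
    native += label.encode("latin-1") + b"\x00"      # label shown under the icon
    native += src_path.encode("latin-1") + b"\x00"   # original file path
    native += struct.pack("<II", 3, len(tmp)) + tmp  # flags (assumed 3), temp path
    native += struct.pack("<I", len(payload)) + payload
    hdr = struct.pack("<II", OLE_VERSION, FORMAT_EMBEDDED)
    hdr += _lp_ansi("Package") + _lp_ansi("") + _lp_ansi("")  # class, topic, item
    return hdr + struct.pack("<I", len(native)) + native


def build_rtf(objdata):
    """Minimal RTF around a hex-encoded, line-wrapped objdata group."""
    h = objdata.hex()
    body = "\n".join(h[i:i + 64] for i in range(0, len(h), 64))
    return ("{\\rtf1\\ansi\n{\\object\\objemb{\\*\\objclass Package}\\objw400\\objh400\n"
            "{\\*\\objdata\n" + body + "\n}}\n\\par }")


def _read_lp_ansi(buf, off):
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n


def _read_cstr(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_objdata(blob):
    """Parse one OLE1 object; for class Package also unpack the carried file."""
    _ver, fmt = struct.unpack_from("<II", blob, 0)
    cls, off = _read_lp_ansi(blob, 8)
    _topic, off = _read_lp_ansi(blob, off)
    _item, off = _read_lp_ansi(blob, off)
    (size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + size]
    rec = {"class": cls, "embedded": fmt == FORMAT_EMBEDDED, "payload": None}
    if cls != "Package":
        return rec                               # e.g. an ordinary Word.Document
    label, p = _read_cstr(native, 2)             # skip the 2-byte header word
    src, p = _read_cstr(native, p)
    _flags, tmp_len = struct.unpack_from("<II", native, p)
    p += 8
    tmp = native[p:p + tmp_len].rstrip(b"\x00").decode("latin-1")
    p += tmp_len
    (data_len,) = struct.unpack_from("<I", native, p)
    payload = native[p + 4:p + 4 + data_len]
    rec.update(label=label, src_path=src, temp_path=tmp, payload=payload,
               is_pe=payload[:2] == b"MZ")      # PE images start with the MZ stub
    return rec


def scan_rtf(rtf):
    """One record per \\objdata group; malformed groups are skipped."""
    out = []
    for m in OBJDATA_RE.finditer(rtf):
        try:
            out.append(parse_objdata(bytes.fromhex(re.sub(r"\s+", "", m.group(1)))))
        except (ValueError, struct.error):
            continue
    return out


# Constructed sample; the label mirrors the w1.exe name the post reports.
FAKE_PE = b"MZ" + bytes(62) + b"PE\x00\x00" + b"constructed filler, not a program"
SAMPLE_RTF = build_rtf(build_package_objdata(
    "w1.exe", r"C:\build\w1.exe", r"C:\Users\victim\AppData\Local\Temp\w1.exe", FAKE_PE))


def demo():
    """Scan the constructed sample and return what a triage tool would report."""
    return scan_rtf(SAMPLE_RTF)


if __name__ == "__main__":
    for f in demo():
        print(f["class"], f.get("label"), f.get("temp_path"), f.get("is_pe"))
```

The check a practitioner wants is the one in parse_objdata: an \objdata group whose class is Package and whose payload starts with MZ is an executable riding inside the document, whether or not anyone ever double-clicks the icon. The src_path and temp_path fields come from the machine where the object was created, not the victim's, so they can carry attribution clues; the payload bytes are what you hash and compare against the Upatre SHA-256 in the IOC table.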
A small icon – easily resized – representing the object is displayed in the upper left\r\ncorner of the document attachment, and when this RTF file is opened by the document macro, the embedded\r\nexecutable is dropped (but not executed) into the %TMP% folder as “w1.exe” without any user interaction. We tested\r\nother formats such as DOC and DOCX, and this behavior does not appear to be reproducible with those\r\nformats. Note that none of the Microsoft Office formats execute the Packager Shell Object binary\r\nautomatically – the user needs to double-click it.\r\nFigure 4: RTF file with embedded executable by Packager Shell Object\r\nThis macro appears to be offered as a service or shared between groups, as it has also been observed in\r\nother malware campaigns [4].\r\nConclusion\r\nContinuous innovation is an essential trait of modern advanced threats in order for them to stay ahead of adapting\r\ndefenses. As this campaign demonstrates, techniques that have been observed previously in use by one set of\r\nactors – such as cycling attachment names, high numbers of unique attachments, and malicious macros that drop\r\nembedded malware payloads – can be adopted by other threat actors to bring new life and renewed effectiveness to their\r\ncampaigns. 
This cycle of innovation and adaptation is a key aspect of many of the cybersecurity challenges\r\nconfronting organizations today, and shows no sign of abating.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/Dyre-Straits-Evolution-of-the-Dyre-Banking-Trojan-Challenges-Traditional-Defenses\r\n[2] https://www.proofpoint.com/us/threat-insight/post/Dyre-Campaigners-Sights-On-Fulfillment-Warehousing-Industry\r\n[3] https://www.proofpoint.com/us/threat-insight/post/Its-Not-Personal-Its-Business\r\n[4] https://isc.sans.edu/forums/diary/Malicious+spam+with+Word+document/20225/\r\nAppendix A: Gophe Spam Bot Configuration Parameters\r\nno_send_emails\r\n    no_send_if_name_contain = postmaster\r\n    no_send_if_name_contain = noreplay\r\n    no_send_if_name_contain = noreply\r\n    no_send_if_name_contain = admin\r\n    no_send_if_name_contain = administrator\r\n    no_send_if_name_contain = Mailer-Daemon\r\n    no_send_if_name_contain = null\r\n    no_send_if_name_contain = scan\r\n    no_send_if_name_contain = bak\r\n    no_send_if_name_contain = copy\r\n    no_send_if_name_contain = fax\r\n    no_send_if_domain_contain = @sample\r\n    no_send_if_domain_contain = @gmail\r\nsend_emails_params\r\n    address_in_message = 5\r\n    send_interval_sec_min = 1\r\n    send_interval_sec_max = 1\r\n    send_order_array = ;EmailsFromAddressBook;EmailsFromOutBox;EmailsFromInBox;EmailsFromOther;\r\nIndicators of Compromise (IOCs)\r\nValue Type\r\n197.149.90[.]166 Upatre C2\r\n94ECC7D1F0FA098975A0984E55BA77EC93719B56DC3157D36311E18C51D581DC Upatre SHA-256\r\n[hxxps://65.255.135.178/limto1.tar] Dyre payload\r\n[hxxps://188.93.122.150/limto1.tar] Dyre payload\r\n[hxxps://88.93.122.150/limto1.tar] Dyre payload\r\n[hxxps://67.222.201.105/limto1.tar] Dyre payload\r\n[hxxps://212.72.123.130/limto1.tar] Dyre payload\r\n[hxxps://50.24.13.21/limto1.tar] Dyre payload\r\n[hxxps://186.16.203.154/limto1.tar] Dyre payload\r\n[hxxps://93.103.20.189/limto1.tar] Dyre payload\r\n[hxxps://190.121.163.46/limto1.tar] Dyre payload\r\n[hxxps://202.79.57.155/limto1.tar] Dyre payload\r\n[hxxps://202.70.89.57/limto1.tar] Dyre payload\r\n[hxxps://190.121.164.10/limto1.tar] Dyre payload\r\n[hxxps://181.40.117.66/limto1.tar] Dyre payload\r\n[hxxps://201.217.51.92/limto1.tar] Dyre payload\r\n[hxxps://94.40.82.66/limto1.tar] Dyre payload\r\n[hxxps://69.9.204.114/limto1.tar] Dyre payload\r\n[hxxps://201.217.56.83/limto1.tar] Dyre payload\r\n[hxxps://24.33.131.116/limto1.tar] Dyre payload\r\n[hxxps://72.230.82.80/limto1.tar] Dyre payload\r\n[hxxps://173.248.31.6/limto1.tar] Dyre payload\r\n[hxxps://208.117.68.78/limto1.tar] Dyre payload\r\n[hxxps://69.144.171.44/limto1.tar] Dyre payload\r\n[hxxps://24.148.217.188/limto1.tar] Dyre payload\r\n[hxxps://173.216.247.74/limto1.tar] Dyre payload\r\n[hxxps://37.57.144.177/limto1.tar] Dyre payload\r\n[hxxps://68.70.242.203/limto1.tar] Dyre payload\r\n[hxxps://27.109.20.53/limto1.tar] Dyre payload\r\n[hxxps://67.222.201.61/limto1.tar] Dyre payload\r\n[hxxps://203.129.197.50/limto1.tar] Dyre payload\r\n[hxxps://112.133.203.43/limto1.tar] Dyre payload\r\n[hxxps://45.64.159.18/limto1.tar] Dyre payload\r\n[hxxps://150.129.49.11/limto1.tar] Dyre payload\r\n[hxxps://213.92.138.154/limto1.tar] Dyre payload\r\n[hxxps://109.199.11.51/limto1.tar] Dyre payload\r\n[hxxps://82.115.76.211/limto1.tar] Dyre payload\r\n[hxxps://78.72.233.105/limto1.tar] Dyre payload\r\n[hxxps://82.160.64.45/limto1.tar] Dyre payload\r\n[hxxps://197.210.199.21/limto1.tar] Dyre payload\r\n[hxxps://78.108.101.67/limto1.tar] Dyre payload\r\n[hxxps://94.40.82.239/limto1.tar] Dyre payload\r\n[hxxps://185.89.64.160/limto1.tar] Dyre payload\r\n[hxxps://87.126.65.67/limto1.tar] Dyre payload\r\n[hxxps://93.183.155.22/limto1.tar] Dyre payload\r\n[hxxps://87.97.168.205/limto1.tar] Dyre payload\r\n[hxxps://62.233.252.207/limto1.tar] Dyre payload\r\n[hxxps://85.11.144.37/limto1.tar] Dyre payload\r\n[hxxps://188.167.93.231/limto1.tar] Dyre payload\r\n[hxxps://91.240.236.148/limto1.tar] Dyre payload\r\n[hxxps://91.240.236.122/limto1.tar] Dyre payload\r\n[hxxps://93.115.172.232/limto1.tar] Dyre payload\r\n62.210.182[.]246 Gophe C2\r\n178.162.193[.]207 Gophe C2\r\nSource: https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques"
	],
	"report_names": [
		"dyre-malware-campaigners-innovate-distribution-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c2dfa22e8bf33852b820f53f9436f05ac1caf97.pdf",
		"text": "https://archive.orkl.eu/9c2dfa22e8bf33852b820f53f9436f05ac1caf97.txt",
		"img": "https://archive.orkl.eu/9c2dfa22e8bf33852b820f53f9436f05ac1caf97.jpg"
	}
}