{
	"id": "0a8cb2e0-ef61-4744-86cf-fe9b8e89e532",
	"created_at": "2026-04-06T00:14:33.269717Z",
	"updated_at": "2026-04-10T03:36:37.098545Z",
	"deleted_at": null,
	"sha1_hash": "b1ecdd54677e2b4ce87ea6b7315d75b35fb5fbc3",
	"title": "Stopping Serial Killer: Catching the Next Strike - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139922,
	"plain_text": "Stopping Serial Killer: Catching the Next Strike - Check Point Research\r\nBy ramanl\r\nPublished: 2021-01-04 · Archived: 2026-04-05 17:24:58 UTC\r\nBrief\r\nWhen we look at a prevalent malware family, we give credit to its authors for the established malicious infrastructure.\r\nNew malicious activity flows smoothly, command-and-control servers appear, everything works like a Swiss watch. Are\r\nthere any weak points in such a construction?\r\nTo answer this question we may think about a race car. It’s a masterpiece crafted for maximum speed; however, the more\r\nspeed it has, the fewer chances it has to make a sharp turn. Malware infrastructure has the same weakness of inertia. When\r\nevery joint works fine, you should have a strong reason to change something in it.\r\nWe can use this for our benefit just like movie detectives do. Take a city map, mark the spots of previous crimes ─ and you\r\nwill likely understand the pattern and even get a probable place for the next crime, as it will likely follow the established\r\ntemplate. In this research we show how to transfer these actions to the world of malware. We take one of the most\r\nprevalent contemporary botnets, called Dridex, mark its previous crime scenes, build the map and draw conclusions that help\r\nus catch the next strike. We show evidence of the success of such an approach measured in hard numbers and explain how to\r\nuse this idea in other real-world cases.\r\nIntroduction\r\nThe Dridex Banking Trojan first appeared in 2014 and is still one of the most prevalent malware families. In March 2020,\r\nDridex topped the list of most wanted malware.\r\nDridex was created by a cyber-crime group called “Evil Corp” which has caused an estimated damage of $100 million to the\r\nbanking system worldwide.\r\n
A lot of research has already been published covering different aspects of the malware and\r\nhow the cyber-crime group functions.\r\nIn this article we provide a summary of the key details known about Dridex to date. We explore the pre-history of Dridex\r\ndevelopment, give an overview and show its key technical features and methods of spreading. We explain how we can\r\nintercept this malware at the earliest stages of the infection chain. We also provide graphs that show evidence of the success\r\nof our approach and how our customers are protected against this malware.\r\nBackground\r\nDridex has a famous lineage. Let’s take a step back in history to find out more about the time period when its earliest\r\nversion appeared.\r\nThe key names in this story:\r\nEvgeniy Bogachev ─ Creator of the infamous ZeuS malware.\r\nMaksim Yakubets ─ Alleged leader of the Evil Corp cyber-crime group, which is responsible for Dridex operations.\r\nPre-Dridex era – It all starts with ZeuS\r\nhttps://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/\r\nPage 1 of 20\n\nZeuS is a Trojan Horse malware. Its capabilities include turning an infected machine into a botnet node, stealing banking\r\ncredentials, and downloading and executing separate malicious modules. The members of the cyber-crime group attempted to steal\r\naround 220 million USD worldwide using ZeuS, according to the FBI investigation.\r\nThe timeline below shows key points in ZeuS evolution:\r\nFigure 1 – Chronology of ZeuS evolution.\r\nWhen the ZeuS source code was leaked in 2011, various branches of this malware started to appear. It was very popular\r\nmalware and gave rise to lots of different malware branches. ZeuS versions may be found in the ZeuS online museum.\r\n
At the time of\r\nthis writing, ZeuS was associated with 29 different malware families, featuring around 490 versions in total.\r\nIn May 2014, the FBI issued a bulletin with a description of Evgeniy Bogachev and a promised reward of 3 million USD\r\n“for information leading to the arrest and/or conviction.”\r\nFigure 2 – Description of Evgeniy Bogachev on the FBI site.\r\nDridex era\r\nAfter the botnets of direct ZeuS successors were taken down, Dridex’s time came. This malware is a result of the evolution\r\nof Bugat (which appeared in 2010). Bugat v5 was recognized as Dridex in 2014.\r\nMore names appear on the stage at this time.\r\nAndrey Ghinkul (from Moldova) was allegedly one of the administrators behind Dridex botnets in 2015.\r\nIgor Turashev was allegedly one of the administrators behind Dridex botnets as well.\r\nDenis Gusev was one of the key investors behind Evil Corp.\r\nMore names connected to Dridex can be found in the US Treasury sanctions statement.\r\nThe timeline below shows some milestones in Dridex evolution:\r\nFigure 3 – Chronology of Dridex evolution.\r\nDridex in turn gave rise to a number of ransomware families, starting with BitPaymer in 2017. This branch continued with\r\nDoppelPaymer, which was developed in 2019, and WastedLocker, which was developed in 2020.\r\nRecent past\r\nIn 2019, Dridex had at least 14 active botnets, some of which had already been spotted previously, and others newly\r\ndeveloped. Botnets are differentiated by their ID numbers. These are among the most active at this time: 10111, 10222,\r\n10444, 40200, 40300.\r\nAt the end of 2019, the FBI issued a bulletin with a description of the author of Dridex and a promised reward of 5 million\r\nUSD (compared with 3 million USD previously for E. Bogachev).\r\nFigure 4 – Description of Maksim Yakubets on the FBI site.\r\nThere is also evidence of Maksim’s luxurious lifestyle, undoubtedly due to income from his malicious activities.\r\nFigure 5 – Cars, girls, money; the luxurious lifestyle of Maksim Yakubets.\r\nTo date, Maksim Yakubets has not been apprehended by law enforcement.\r\nAs mentioned previously, in 2020, Dridex topped the lists of the most prevalent malware families in the world.\r\nInfection chain\r\nBefore we start the analysis of the Dridex samples themselves, we want to understand the infrastructure behind the malware.\r\nHow is it delivered? What are the targets? What is the initial detection rate of supporting files? We will find the answers to\r\nall of these questions below.\r\nFlow\r\nWhen the operators want to spread Dridex, they use established spambots from different cyber-crime groups to send\r\nmalicious documents attached to carefully crafted e-mails. At different times of the Dridex lifecycle, the Necurs, Cutwail and\r\nAndromeda botnets have all been involved in spreading Dridex.\r\nWhen a user downloads and opens such a document (it may be Word or Excel), the embedded macros are launched with the\r\naim of downloading and executing the Dridex payload.\r\nFigure 6 – Dridex infection chain execution flow.\r\nTargets\r\nDridex targets different high-profile entities from various parts of the world:\r\nU.S. bank accounts.\r\nU.S. credit card companies.\r\nU.S. financial investment corporations.\r\nEuropean bank accounts.\r\nGovernmental agencies in Saudi Arabia, Qatar, Oman.\r\nLures\r\nTo increase the success rate at which Dridex is spread, malicious actors disguise their spam e-mails to look like legitimate\r\nones.\r\n
We can name UPS, FedEx and DHL as examples of companies whose logos and mailing style are used as bait in such\r\ne-mails.\r\nFigure 7 – Examples of lures.\r\nWhen the victim clicks the link, either the archive with the malicious document or the malicious document itself is opened.\r\nInitial detection rate\r\nWhen first seen in the wild, Dridex delivery files show a very low detection rate. In the screenshot below we see the initial\r\ndetection rate of the Excel document which delivers Dridex:\r\nFigure 8 – Initial detection rate of the Dridex delivery file.\r\nThe same is true for other delivery files.\r\nLoader and Payload\r\nThe Dridex sample consists of the loader and the payload. We discuss key points of each part below.\r\nAnti-debug technique\r\nThe Dridex loader utilizes the OutputDebugStringW function to make malware analysis more difficult. Different loaders\r\nproduce different outputs (with the “Installing…” string being very popular) but the idea is the same everywhere: making a\r\nlong loop that contains a lot of meaningless debug messages. In the figure below, we see an example of such a loop with\r\naround 200 million iterations:\r\nFigure 9 – Loop with 0xBEBBE7C (around 200 million) iterations calling OutputDebugStringW.\r\nThe output looks like this in the log:\r\nFigure 10 – Dridex debug messages that overwhelm the analysis log.\r\nObfuscation\r\nThe payload is heavily obfuscated; almost no function is called directly. Call resolutions are performed with the help of hash\r\nvalues identifying the library and the function it contains.\r\n
An example of such a resolution is shown in the screenshot below:\r\nFigure 11 – Example of the call resolution in the Dridex payload.\r\nAll the functions important for key Dridex tasks are called this way.\r\nFigure 12 – Example of resolved calls to Internet functions.\r\nWe used the Labeless tool to resolve obfuscated function calls.\r\nStrings in the malware are obfuscated using the RC4 algorithm, with the decryption key stored inside the sample.\r\nConfiguration\r\nThe main point of interest inside the payload is its configuration. It contains the following important details:\r\nBot ID.\r\nNumber of C\u0026C servers.\r\nList of the C\u0026C servers themselves.\r\nAn example of the configuration:\r\nFigure 13 – Example of the Dridex configuration inside the payload.\r\nThe bot ID in this example is 12333. The Command and Control servers are:\r\n92.222.216.44:443\r\n69.55.238.203:3389\r\n66.228.47.181:443\r\n198.199.106.229:5900\r\n104.247.221.104:443\r\n178.254.38.200:884\r\n152.46.8.148:884\r\nNetwork activity\r\nDridex sends POST requests to the servers from the configuration to get further commands, waiting for 200 OK responses.\r\nPlease note that these servers are not real C\u0026C servers but rather proxies for connecting to the real ones.\r\nFigure 14 – The Dridex botnet infrastructure.\r\nThe information which is sent by the malware to the C\u0026C servers contains the following data:\r\nComputer name\r\nBotnet ID number\r\nType of request\r\nOS architecture\r\nList of installed software\r\nThis data is encrypted with the RC4 algorithm, the key for which is stored among the encrypted strings inside the malware.\r\nThere are at least 6 different types of request; among them are the following ones:\r\n“list” – gets configuration\r\n“bot” – receives bot module\r\nPutting IOCs together\r\nThe earlier the infection is caught, the better the chances of mitigation. To catch the infection as quickly as possible while\r\nspending the minimum amount of resources, we want to focus on the initial delivery stage.\r\nHowever, detection is only one aspect. We may confidently say that something is malicious, but we also want to classify the\r\nthreat. To do so, we have to be sure that this particular malware is indeed Dridex.\r\nLet’s take a look at the Dridex infection chain again and determine the different stages which we can use for its detection\r\nand identification:\r\nFigure 15 – Different stages of Dridex detection.\r\nAt different stages of the Dridex infection, we can use the following indicators for its detection.\r\n1st stage, malicious documents:\r\nHashes of the documents\r\nImages inside documents\r\nInternal structure of the document\r\nMacros used inside\r\n2nd stage, servers:\r\nDomains\r\nURLs\r\n3rd stage, loaders and payloads:\r\nHashes of the samples\r\nIP addresses in the configuration file\r\nWhy are so many factors important?\r\nWe have seen a correlation between the infrastructures and indicators of Dridex and other prevalent malware families such as\r\nEmotet and Ursnif. Malicious documents share common indicators when used for the delivery of all the malware\r\nmentioned above. Some C2 servers – or to be precise, proxy servers – are used both by Dridex and Emotet, though ports and\r\nconnection types are different.\r\nThat’s why we have to analyze a lot of details before we draw a conclusion about what malware we’re dealing with.\r\n
The more\r\nunique factors related to a particular botnet we have, the easier it is to say if another attack follows the same patterns.\r\nThe ideal way to classify malware is of course getting and analyzing the final payload: if it’s Dridex, then everything that\r\nwas launched before it is classified as Dridex as well. However, it may take some time (sometimes a significant amount\r\nafter the initial malicious document is obtained) before the result is known. We can do the classification faster, with high\r\nconfidence, by analyzing all the indicators we get at the earliest stages of the infection chain.\r\nIP addresses to draw a map\r\nAnother interesting observation is the use of the same network for hosting Dridex sample downloads. We analyzed domains used for this\r\npurpose, resolved their IPs and discovered that quite a few of them reside in the same network, 84.38.180.0/22, with less than\r\n1024 addresses available in total. The network belongs to the Russian ASN Selectel, which rarely takes down malicious content or\r\nspam.\r\nWe saw the following IP addresses linked to Dridex domains in the 84.38.180.0/22 network (and other networks within the\r\nsame ASN).\r\n
Dates show the first time the Dridex domain pointed to the corresponding IPs:\r\nIPs | Date | Domains\r\n84.38.182.248 | May 10 | rokadorc.com, nrokadorc.com\r\n84.38.183.77 | June 17 | juneusdousigninc.com, usdousigninc.com\r\n84.38.182.236, 84.38.183.213 | June 22 | marutoba.com, terrasimonad.com, enterassimonad.com\r\n84.38.181.195 | June 28 | caranatrium.com\r\n84.38.183.114, 84.38.183.237 | July 06 | menodlap.com, turendong.com, madustag.com\r\nWhile this factor alone is not enough to identify Dridex, it is a good auxiliary detail to refer to when dealing with Dridex\r\nIOCs.\r\nDetection\r\nThe graphs below show Dridex spikes on different dates when we caught the incoming threats at their earliest stages.\r\nFigure 16 – Dridex infection spike on June 29.\r\nFigure 17 – Dridex infection spike between July 6 – July 8.\r\nIt is crucial to be able to intercept a Dridex infection as early as possible. In many cases, if the spam is not being sent for\r\nseveral days consecutively, as it was between July 6 and July 8, the botnet activity slows down the next day and we do not\r\nget as many IOC matches as during its spike. Given that new infections appear in the afternoon UTC+3, we have less\r\nthan 12 hours to react to the incoming threat.\r\nDridex development\r\nSince July 22 we haven’t observed any fresh Dridex spam samples. Dridex made a re-appearance on September 7, showing\r\na massive activity spike for 2 consecutive days:\r\nFigure 18 – Recent September spike in Dridex activity.\r\nDridex operators updated the 1st stage of Dridex execution: they have added more URLs from which the payload may be\r\ndownloaded – as opposed to the single URL in the earliest versions of the malicious documents.\r\n
Now their number may be as\r\nhigh as 50 within a single document.\r\nWe’re constantly monitoring this botnet and detecting its payload at different stages of execution.\r\nWe hope this publication provided useful insights on different variants and methods to deal with this threat. We also believe\r\nthat these methods may be applied when encountering other threats as well.\r\nProtection signatures\r\nBanker.Win.Dridex.A\r\nBanker.Win.Dridex.B\r\nBanker.Win.Dridex.C\r\nBanker.Win.Dridex.D\r\nBanker.Win.Dridex.E\r\nBanker.Win.Dridex.F\r\nBanker.Win.Dridex.gl.H\r\nBanker.Win.Dridex.J\r\nBanker.Win.Dridex.K\r\nIOCs\r\nBelow we list some of the indicators linked to Dridex.\r\n
Please note that the list is not full by any means.\r\nDomains:\r\nrokadorc[.com\r\nnrokadorc[.com\r\njuneusdousigninc[.com\r\nusdousigninc[.com\r\nmarutoba[.com\r\nterrasimonad[.com\r\nenterassimonad[.com\r\ncaranatrium[.com\r\nmenodlap[.com\r\nturendong[.com\r\nmadustag[.com\r\nfattnumdelordine[.com\r\narmomaq[.com\r\ncaissefamilylaw[.com\r\nsecretpath[.xyz\r\nIP addresses:\r\n84[.38.181.195\r\n84[.38.182.236\r\n84[.38.182.248\r\n84[.38.183.77\r\n84[.38.183.114\r\n84[.38.183.213\r\n84[.38.183.237\r\nDridex 1st layer proxy C\u0026C servers:\r\nhttps://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/\r\nPage 15 of 20\n\nhttps://45.79.8.25[:443\r\nhttps://185.201.9.197[:9443\r\nhttps://217.160.78.166[:4664\r\nhttps://108.175.9.22[:33443\r\nhttps://51.38.124.206[:443/\r\nhttps://207.180.230.218[:3389/\r\nhttps://2.58.16.87[:8443/\r\nhttps://45.177.120.36[:691/\r\nhttps://52.114.132.73[:443\r\nhttps://192.232.251.32[:443\r\nhttps://162.144.41.190[:443\r\nhttps://40.122.160.14[:443\r\nhttps://67.213.75.205[:443\r\nhttps://217.160.78.166[:4664\r\nhttps://108.175.9.22[:33443\r\nhttps://185.201.9.197[:9443\r\nURLs:\r\nhttps:[//discuss.ojowa.com/themes/wowonder/javascript/tinymce/js/dkfjgbji.gif\r\nhttps:[//sjoeberg.nu/a/jdfggo.rar\r\nhttps:[//greatstr.com/webadmin/djfhgeh.pdf\r\nhttps:[//axalta.grupojenrab.mx/wp-admin/ssfisjgniwerg.pdf\r\nhttps:[//bombshellshow.me/wp-content/jdfggo.rar\r\nhttps:[//amaimaging.net/wp-content/rjkthgowertgoiwe.zip\r\nhttps:[//pharmacy.binarybizz.com/vendor/njdfhgeroig.rar\r\nhttps:[//construtorahabite.com.br/wpadmin/rjkthgowertgoiwe.zip\r\nhttps:[//drinkangola.com/wp-content/plugins/wordpress-seo/config/composer/dkfjgbji.gif\r\nhttps:[//mcciorar.iglesiamcci.cl/njdfhgeroig.rar\r\nhttps:[//eduserve.sezibwa.com/images/njdfhgeroig.rar\r\nhttps://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/\r\nPage 16 of 
20\n\nhttps:[//idklearningcentre.com.ng/wp/wp-content/plugins/jetpack/3rd-party/dkfjgbji.gif\r\nhttps:[//agencia.fal.cl/wp-includes/njdfhgeroig.rar\r\nhttps:[//sweepegy.com/djfhgeh.pdf\r\nhttps:[//tallermecanicoyllantera.grupojenrab.mx/wp-admin/rjkthgowertgoiwe.zip\r\nhttps:[//neocuboarquitetura.com.br/viewer/ssfisjgniwerg.pdf\r\nhttps:[//vyvanse.co/auth14/zxc.zip\r\nhttps:[//minsann.se/NewFolder/ad/style/theme/upload/84348fh34hf.pdf\r\nhttps:[//admin.grandoceanvilla.com/pug/includes/css/84348fh34hf.pdf\r\nhttps:[//glowtank.in/js/ssfisjgniwerg.pdf\r\nhttps:[//leandrokblo.com/wp-content/plugins/w3-total-cache/ini/apache_conf/dkfjgbji.gif\r\nhttps:[//medszoo.in/jdfggo.rar\r\nhttps:[//properties.igpublica.com.br/excelPo/rjkthgowertgoiwe.zip\r\nhttps:[//coomiponal.com/simulador/zxc.zip\r\nhttps:[//inkrites.com/wp-content/themes/zerif-lite/ti-prevdem/img/84348fh34hf.pdf\r\nhttps:[//manogyam.com/storage/njdfhgeroig.rar\r\nhttps:[//radiantmso.com/wp-content/plugins/smart-slider-3/library/media/dkfjgbji.gif\r\nhttps:[//etsp.org.pk/uploads/jdfggo.rar\r\nhttps:[//tmpartners-gh.com/djfhgeh.pdf\r\nhttps:[//heraldfashion.store/wp-admin/zxc.zip\r\nhttps:[//danojowacollection.com/djfhgeh.pdf\r\nhttps:[//leboudoirstquayportrieux.fr/image/ssfisjgniwerg.pdf\r\nhttps:[//quiz.walkprints.com/wp-includes/js/tinymce/themes/inlite/84348fh34hf.pdf\r\nhttps:[//siebuhr.com/pmosker/zxc.zip\r\nhttps:[//karyagrafis.com/njdfhgeroig.rar\r\nhttps:[//businessquest.com.my/schedule/jdfggo.rar\r\nhttps:[//maisaquihost.com.br/teste/rjkthgowertgoiwe.zip\r\nhttps:[//getsolar4zerodown.info/djfhgeh.pdf\r\nhttps:[//emyhope.com/wp-content/plugins/jetpack/_inc/blocks/84348fh34hf.pdf\r\nhttps:[//igpublica.com.br/asset/zxc.zip\r\nhttps://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/\r\nPage 17 of 20\n\nhttps:[//speakerpedia.in/images/zxc.zip\r\nhttps:[//timamollo.co.za/sitepro/jdfggo.rar\r\nhttps:[//eb3tly.online/njdfhgeroig.rar\r\nHashes (malicious 
documents):\r\n15d3edcf37b1e4d03a5c61c1c7752130a9899b978c94f80d8dabc45f416fc253\r\n16b98e2156fb721a760cd3d4e5c1a8c18dee54f795c6d8624339e25c5e33c2b1\r\n97defc4fa68d6d3d76226b2ab02c8c3c0544b4d035083057b52d101f5884cbf1\r\n99842250e5da8f987227c22d864ea6552cbf176710cd5c45f430bc2765cbf534\r\n9a54d7a8551641f3c77a6f2743890f30e5d5ed4854fcadb25fc1a45bf928cefb\r\na633110b7d2f045d88b43c95838372d556de7bf9d2543149b9e5a984f9377539\r\ncbbb3ffd6f20060d8176954afb0f26fb220a281fd0e49facd02be8f597f24645\r\nd3e9f6933d519b6bd1514ceaaa14df64722214c0c6c2a60a6924c92f284b3c08\r\nd77234374d79b24022c26ecdd16a684ae7e94efba502422d74852b0eddd4f1b4\r\nd943478cb08756734a766eb5da189eef45577c29d33cbd679976e5cb97f2c9f2\r\nHashes (malware samples):\r\n84d3573747fbdf7ca822fd5a48726484c8b617e74a920dc2a68dd039b8f576fd\r\na633e85176faf87dfa99e89e559e3be3f2854592a3adb9f6ea6aab88c06dd198\r\nad4d2f9fcadce231e18e50de3bb58028ae13eaf76a9c085d0073230e0fa17a9e\r\nb0699861417da2e3626eb78d62d305b7ca5e03f06e5e6bfd0eea99d64306495e\r\nb5b71c61a29f80c667772f5d008789816e0c7a53193536fc660a6f72009b23de\r\nb66a5d391335b6dc827225b6531f172151d8a87c7514de789bcaf1999b0645ff\r\nc37accc1f995cb32235edbea877813109627eca4b209f060bee357489c6bb31b\r\nc6de2ef240cdca97e8d5d6fdcfc7bfd8d5c81a47204d268bd08e4b963d66a64b\r\nc8cca37f43f4aa66b4bfbf811931c57971d2f1571cfebbb7d24235c07e108f26\r\ncc33c8c4eb3588fdd48ddb081f77040283c2f6b8c37777f8202b858b64a5952b\r\nd18d211cf75fbc048d785af92b76a1aa7a01e381313b1a5e66e9cf564cbe78d4\r\nf8c974a6572fd522a64d22da3bf36db7e912ccb700bd41623ed286f1e8b0e939\r\nfa61c3c9e2089deb3f2b40333f5ee0860177692c436c50b07eef85993a1dbfa9\r\nhttps://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/\r\nPage 18 of 20\n\nfcc0db0ce710f68915b4d73274d69bb5765012b02631bb737c66a32a9a708aab\r\nReferred Sources\r\n1. The Malware Dridex: Origins and Uses // https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf\r\n2. 
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers //\r\nhttps://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf\r\n3. Dridex: A History of Evolution // https://securelist.com/dridex-a-history-of-evolution/78531/\r\n4. Evolution of the GOLD EVERGREEN Threat Group //\r\nhttps://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group\r\n5. Dridex (Bugat v5) Botnet Takeover Operation //\r\nhttps://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation\r\n6. ZeuS Virus // https://usa.kaspersky.com/resource-center/threats/zeus-virus\r\n7. ZeuS versions // https://zeusmuseum.com/\r\n8. More than 100 arrests, as FBI uncovers cyber crime ring // https://www.bbc.com/news/world-us-canada-11457611\r\n9. Evgeniy Bogachev // https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev\r\n10. Maksim Yakubets // https://www.fbi.gov/wanted/cyber/maksim-viktorovich-yakubets\r\n11. Bugat Botnet Administrator Arrested and Malware Disabled // https://www.fbi.gov/contact-us/field-offices/pittsburgh/news/press-releases/bugat-botnet-administrator-arrested-and-malware-disabled\r\n12. Two Russians Indicted Over $100M Dridex Malware Thefts // https://www.bankinfosecurity.com/two-russians-indicted-over-100m-dridex-malware-thefts-a-13473\r\n13. Dridex Banking Trojan Makes a Resurgence, Targets US // https://www.bankinfosecurity.com/dridex-banking-trojan-makes-resurgence-targets-us-a-9079\r\n14. TA505 group updates tactics and expands the list of targets // https://securityaffairs.co/wordpress/90472/cyber-crime/ta505-recent-campaigns.html\r\n15. Email scam aims to drop Dridex on machines by impersonating FedEx, UPS // https://www.cyberscoop.com/fedex-ups-dridex-email-scam-votiro/\r\n16. Process Injection and Manipulation // https://www.deepinstinct.com/2019/09/15/malware-evasion-techniques-part-1-\r\nprocess-injection-and-manipulation/\r\n17. 
Dridex’s Bag of Tricks: An Analysis of its Masquerading and Code Injection Techniques //\r\nhttps://securityboulevard.com/2019/07/dridexs-bag-of-tricks-an-analysis-of-its-masquerading-and-code-injection-techniques/\r\n18. Dridex – From Word to Domain Dominance // https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\n19. Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware //\r\nhttps://home.treasury.gov/news/press-releases/sm845\r\n20. The FSB’s personal hackers // https://meduza.io/en/feature/2019/12/12/the-fsb-s-personal-hackers\r\n21. Malware Analysis of Dridex, BitPaymer and DoppelPaymer Campaigns // https://lifars.com/2019/11/analysis-of-dridex-bitpaymer-and-doppelpaymer-campaign/\r\n22. BitPaymer Source Code Fork: Meet DoppelPaymer Ransomware and Dridex 2.0 //\r\nhttps://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/\r\n23. WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group //\r\nhttps://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/\r\n24. Reverse Engineering Dridex And Automating IOC Extraction // https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction\r\nSource: https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/"
	],
	"report_names": [
		"stopping-serial-killer-catching-the-next-strike"
	],
	"threat_actors": [
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1ecdd54677e2b4ce87ea6b7315d75b35fb5fbc3.pdf",
		"text": "https://archive.orkl.eu/b1ecdd54677e2b4ce87ea6b7315d75b35fb5fbc3.txt",
		"img": "https://archive.orkl.eu/b1ecdd54677e2b4ce87ea6b7315d75b35fb5fbc3.jpg"
	}
}