Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement

A recent investigation by buguroo Labs throughout the last month has revealed us surprising insights into the latest Dridex campaigns. In this report, we are not going to cover information related to how Dridex works, how it is spread or which sophisticated mechanisms are used in order to avoid detection and mitigation from the “good guys.”

We are going to show that something is changing in how the Dridex infrastructure is being used. Suddenly and surprisingly, this ultra-sophisticated malware, which is targeting the most important companies around the world and turning their security upside down, also has its own code vulnerabilities. These vulnerabilities allow us to analyze the impact of the new Dridex campaigns from a different point of view, based on the data it has stolen, not just its detection ratio.

Key Findings

  • The Dridex infrastructure is not invulnerable. Some of the gate URLs that are part of the 220 subnet can be exploited. Ultra-sophisticated malware has crude vulnerabilities.
  • Analysis shows Dridex’s latest campaign has added new targets on its compromising workflow. It is built to steal credit card information using an Automatic Transfer System (ATS) mechanism. From compromising users’ credentials to hijacking end-users’ sessions in order to transfer money directly to fraudulent mule accounts, Dridex covers a lot of options to compromise victims’ data.
  • In just this one subnet campaign, Dridex’s panel has compromised data from more than 100 countries and has credit card data affecting more than 900 entities, wich is much more than we expected and shows a worrying increase of the malware’s scope.
  • Despite 70 percent of the stolen credit cards recovered being associated with English-speaking issuing organizations, around 85 percent of entities affected are located in non-English-speaking countries. The number of victims in the Middle East, Africa and Latin America is increasing widely, so Dridex can be considered a global threat.
  • During one 10-week period, attackers are estimated to have launched multiple campaigns with the 220 subnet, potentially compromising more than 1 million credit cards with approximately $100 million in estimated financial losses.
  • Dridex infrastructure is being used to distribute Locky ransomware.


  • Authors:
    • David García Muñoz
    • José Carlos Corrales Casas
  • Illustrations:
    • Elisabet Fernández Cerro

Get the full report

Register to read the full report and learn more about the analyzed campaign.

We use own and third party cookies to offer our services and advertising based on your interests.
By using our services, you agree to our use of cookies as described in our Cookies Policy. More info

Cookie options on this website are set to "allow cookies" to offer a better browsing experience. If you continue to use this website without changing your settings or clicking "OK" you will be consenting cookies from this site.