Dridex is a prolific banking trojan that, per MITRE ATT&CK, first appeared in 2014. By December 2019 the US Treasury estimated Dridex had infected computers across hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. Dridex was created from the source code of the Bugat banking trojan (also known as Cridex). It is distributed mainly through malicious email attachments, and its operators have also been linked to delivering ransomware.
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1185 T1056.004 T1055.012 T1021.002 T1071.001 T1547.001
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_DRIDEX {
meta:
description = "Detects Dridex (banking_trojan)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "dridex" ascii wide nocase
$s2 = "dridex" ascii wide nocase
$s3 = "bugat v5" ascii wide nocase
$s4 = "cridex" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Dridex Activity
id: b38ef686caf0103866339452d3d1c4fb
status: experimental
description: Detects generic indicators of the dridex malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*dridex*"
- "*dridex*"
- "*bugat v5*"
- "*cridex*"
condition: selection
level: mediumCISA has published an advisory on this family: https://www.cisa.gov/news-events/alerts/2019/12/13/dridex-malware
A prolific banking trojan, first seen in 2014, that steals banking credentials and financial information.
By December 2019 the US Treasury estimated infections across hundreds of financial institutions in over 40 countries and more than $100 million in theft.
It was built from the source code of the earlier Bugat banking trojan, also known as Cridex.
Most often through phishing emails carrying malicious Office documents with macros.
Its operators have been associated with delivering ransomware as a follow-on payload in some campaigns.
Disable macros from untrusted documents, be cautious with email attachments, use multi-factor authentication on financial accounts, and keep systems patched.
MITRE ATT&CK's Dridex entry (S0384), linked on this page.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/dridex.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.