MalwareRansomwareUsed by 1 actor

DoppelDridex

DoppelDridex is a modified variant of Dridex associated with Evil Corp’s Doppel Spider subgroup. It has been described as a modified version of Dridex used by Doppel Spider alongside the DoppelPaymer ransomware variant. Based on the provided content, DoppelDridex was used to conduct banking fraud campaigns and also served as part of operations that preceded or accompanied ransomware activity. The broader Dridex family is a modular banking trojan originally designed to steal online banking credentials and support fraudulent transfers, with capabilities including web injection, keylogging, remote access, SOCKS proxying, credential theft, spamming, and email theft; however, only the association of DoppelDridex as a modified Dridex variant is directly stated for this malware. The content links DoppelDridex to Doppel Spider and notes that SCULLY SPIDER’s DanaBot botnet has been used to facilitate access for other malware including DoppelDridex, TrickBot, and Zloader. High-confidence targeting details, infection vectors, or unique IOCs specific to DoppelDridex are not provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

DOPPEL SPIDER

"...relationships depicted... DoppelDridex"

via crowdstrike bloggo.crowdstrike.com

MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact

1 technique

T1486Data Encrypted for ImpactEvidence1

TacticImpact

Deploying ransomware through which cyber actors remove victim access to data (usually via encryption), potentially causing significant disruption to operations.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cert ssi scadaNews

Dec 16, 2025

DoppelDridex is a modified variant of Dridex operated by the threat actor Doppel Spider, used for banking credential theft and as an initial access vector for ransomware deployment, particularly DoppelPaymer.

crowdstrike blogNews

Jan 16, 2026

Malware referenced in the eCrime ecosystem relationship diagram (name suggests Dridex-related tooling used in Doppel SPIDER ecosystem).

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping1

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.