Researchers have discovered the Dridex banking Trojan has once again evolved and is now using compromised FTP websites in phishing campaigns.

The Trojan was first spotted back in 2014 after targeting banks in the United Kingdom.

Since then, Dridex has become infamous for striking financial institutions across Europe.

The malware spreads through phishing campaigns, duping victims into downloading and executing malicious macros hidden in Microsoft documents, as well as attacks by way of web injections.

Once the Trojan has compromised a PC, it steals online banking credentials which can then used fraudulently by operators to plunder bank accounts.

Spam and phishing campaigns utilizing the Trojan usually rely on HTTP download locations for malware payloads. However, Forcepoint Security Labs said on Thursday that a “peculiar” email campaign distributing a Dridex variant has chosen a more unusual method.

In a blog post, the team said compromised FTP websites are now being used to distribute the malware, which also exposes the credentials of the vulnerable domains in the process.

In this particular campaign, malicious emails were distributed on January 17 this year and remained active throughout the day. The emails were sent primarily to top-level domains including .com, .fr, and

France, the UK, and Australia were the most targeted countries.

According to the team, the sender domains were from compromised accounts from the FTP websites, and sender names — such as [email protected], [email protected], and [email protected] were rotated…