After a pause in activity involving the Dridex malware, three malspam documents carrying Dridex have been observed. They follow the same infection chain as previous Dridex iterations. To deploy Dridex on a vulnerable Windows host, the victim must open the document and enable macros; the chain depends on that user action, so it is stopped by policies that block macros in documents from the internet. Once macros are enabled, the macro launches PowerShell, which retrieves a DLL over HTTPS. This DLL is the Dridex installer and is executed immediately. Post-infection, Dridex makes further HTTPS calls to retrieve the data it needs for its malspam activity. Persistence is established by three methods used together: a Windows Registry entry, a scheduled task, and a shortcut in the Start menu Startup folder. The malware is loaded through legitimate executables already present on the system rather than through its own EXE: the Dridex DLLs are given the names of legitimate DLLs that those executables load, so the EXE loads the malicious DLL in their place (DLL search-order hijacking, also called side-loading). Beyond these surface changes, Dridex itself is unchanged and its traffic patterns are the same as before. Dridex is a banking Trojan, also known as Bugat and Cridex, that steals a victim's online banking credentials and system information from an infected machine.
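As an added triage example (not from the original write-up, and not Dridex-specific tooling), the following PowerShell enumerates the three persistence locations named above on a Windows host and applies two heuristics drawn from the described behaviour: flag any autostart entry that loads a DLL directly, and flag any autostart EXE outside the Windows or Program Files directories that sits next to a DLL whose name duplicates one in System32, the pattern a side-loaded "legitimate-looking" DLL would produce. The trusted-directory list, the registry keys checked and the System32 name-collision test are assumptions, not indicators published with the report.

```powershell
# Added example: autostart triage for Registry Run keys, scheduled tasks and
# Startup-folder shortcuts, with a DLL side-loading heuristic. Requires the
# ScheduledTasks module (Windows 8 / Server 2012 or later). Assumptions are
# marked inline; nothing here is a published Dridex indicator.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Registry autostart entries (assumed set: Run / RunOnce for HKLM and HKCU)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Add-Finding 'Registry' "$key\$($p.Name)" $p.Value
    }
}

# 2. Scheduled task actions (what each task actually executes)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            Add-Finding 'ScheduledTask' $task.TaskName ("{0} {1}" -f $a.Execute, $a.Arguments)
        }
    }
}

# 3. Startup-folder shortcuts for the current user and all users
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        Add-Finding 'StartupFolder' $_.Name ("{0} {1}" -f $lnk.TargetPath, $lnk.Arguments)
    }
}

# Heuristics applied to each collected command line
function Test-Suspicious($cmd) {
    if (-not $cmd) { return $false }
    # a) the autostart entry loads a DLL directly
    if ($cmd -match '(?i)\b(rundll32|regsvr32)\b' -or $cmd -match '(?i)\.dll\b') { return $true }
    # b) the autostart EXE lives outside assumed-trusted directories and has a
    #    DLL beside it whose name collides with a DLL in System32 (side-loading)
    if ($cmd -match '(?i)^"?([^"]+?\.exe)') {
        $exe = $Matches[1]
        if (Test-Path $exe) {
            $dir = Split-Path $exe -Parent
            $inTrusted = ($dir -like "$env:SystemRoot*") -or
                         ($dir -like "$env:ProgramFiles*") -or
                         ($dir -like "${env:ProgramFiles(x86)}*")
            if (-not $inTrusted) {
                $dlls = Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue
                foreach ($d in $dlls) {
                    if (Test-Path (Join-Path $env:SystemRoot "System32\$($d.Name)")) { return $true }
                }
            }
        }
    }
    return $false
}

$findings |
    Select-Object Source, Name, Command, @{ n = 'Suspicious'; e = { Test-Suspicious $_.Command } } |
    Sort-Object Suspicious -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so HKLM keys and all scheduled tasks are readable. Heuristic (b) produces false positives for legitimately installed software that ships its own copy of a system DLL, so treat a "Suspicious" row as a lead to confirm (hash the DLL, check its Authenticode signature with Get-AuthenticodeSignature, compare against the System32 copy) rather than as a verdict.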