This subdomain hosted a focused Dridex configuration extractor built around the same RATDecoders codebase that powered the rest of malwareconfig.com. You could submit a Dridex sample (or a maldoc carrying one) and the service would walk the dropper chain, locate the embedded config blob, decrypt it, and return the C2 list, botnet ID, and version string.
The extractor is no longer running. The underlying decoder logic, however, is still public and still useful as a reference.
where the decoder logic lives
- github.com/kevthehermit/RATDecoders — the original RATDecoders project. Read-only at this point, but the Dridex (and many other) family decoders are still there as Python reference implementations. Useful for understanding the historical config layout and as a starting point if you're writing your own extractor today.
- CAPESandbox / community — CAPE's community module repo includes maintained extractors for many of the families RATDecoders covered, kept current with the families that are still active.
document-side analysis (oletools)
Most of the inbound links to dridex.malwareconfig.com came from the oletools ecosystem, because Dridex was historically delivered through Office documents and oletools is the canonical toolkit for analyzing those documents:
- github.com/decalage2/oletools — Philippe Lagadec's OLE/Office analysis suite: olevba, oledump, oleid, rtfobj. Active.
- decalage.info — Philippe's site. Tutorials, release notes, related projects.
oletools was the standard tooling pipeline back when Dridex was primarily a maldoc threat. The maldoc delivery vector has shrunk significantly in the post-VBA-default-disabled era, but the same techniques apply to malicious LNKs, ISO-mounted droppers, OneNote attachments, and the modern ClickFix / fake-CAPTCHA chains, so the toolkit and its mindset are still very much in use.
dridex in 2026
Dridex itself has been quiet since the takedowns of 2020-2021 and the Evil Corp sanctions. The successor families using similar config-loading patterns include LockBit's loader chain, BumbleBee, IcedID's distillates, and various stealer-as-a-service families that adopted Dridex's "config blob with C2 list, botnet ID, RC4 key" layout. The extraction technique is more useful now than the family it was named after.
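The extraction pipeline described at the top of this page (locate the embedded blob, decrypt it, return C2 list, botnet ID and version) and the "config blob with C2 list, botnet ID, RC4 key" layout mentioned above, as an added example in the RATDecoders style. This is not RATDecoders code and not the real Dridex format: the marker bytes, the key framing, the field layout and the sample bytes are all constructed for illustration, and the `DridexLikeConfig`, `locate_blob`, `parse_config`, `extract` and `build_sample` names are this example's own. What it shows is the shape of every extractor of this kind: a locator that fails loudly when the marker is absent (packed sample, wrong family), a symmetric RC4 routine, and a parser that validates lengths before trusting the decrypted bytes.

```python
"""Toy config extractor in the RATDecoders style (added example).

The blob layout, marker and key handling are constructed for illustration
and are NOT the real Dridex format.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

MARKER = b"CFG0"  # constructed marker that precedes the embedded blob


@dataclass
class DridexLikeConfig:
    botnet_id: int
    version: str
    c2: list[str] = field(default_factory=list)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def locate_blob(sample: bytes) -> bytes:
    """Find the marker in the unpacked sample and return the decrypted blob.

    Constructed framing after MARKER:
      u8 key_len | key | u16 LE cipher_len | RC4(key, plaintext)
    """
    idx = sample.find(MARKER)
    if idx < 0:
        raise ValueError("config marker not found (packed sample, or not this family)")
    pos = idx + len(MARKER)
    if pos >= len(sample):
        raise ValueError("blob truncated")
    key_len = sample[pos]
    pos += 1
    key = sample[pos:pos + key_len]
    pos += key_len
    if len(key) != key_len or pos + 2 > len(sample):
        raise ValueError("blob truncated")
    (cipher_len,) = struct.unpack_from("<H", sample, pos)
    pos += 2
    cipher = sample[pos:pos + cipher_len]
    if len(cipher) != cipher_len:
        raise ValueError("blob truncated")
    return rc4(key, cipher)


def parse_config(plain: bytes) -> DridexLikeConfig:
    """Parse the decrypted plaintext, validating lengths before trusting it.

    Constructed plaintext layout:
      u16 LE botnet_id | u8 major | u8 minor | u8 c2_count | c2_count * (IPv4, u16 LE port)
    """
    if len(plain) < 5:
        raise ValueError("plaintext too short")
    botnet_id, major, minor, count = struct.unpack_from("<HBBB", plain, 0)
    if len(plain) < 5 + count * 6:
        raise ValueError(f"expected {count} C2 entries, blob holds {(len(plain) - 5) // 6}")
    cfg = DridexLikeConfig(botnet_id=botnet_id, version=f"{major}.{minor}")
    for n in range(count):
        off = 5 + n * 6
        ip = plain[off:off + 4]
        (port,) = struct.unpack_from("<H", plain, off + 4)
        cfg.c2.append(".".join(str(b) for b in ip) + f":{port}")
    return cfg


def extract(sample: bytes) -> DridexLikeConfig:
    """Full pipeline: locate -> decrypt -> parse."""
    return parse_config(locate_blob(sample))


def build_sample(key: bytes, botnet_id: int, version: tuple[int, int],
                 c2s: list[tuple[str, int]]) -> bytes:
    """Build a constructed carrier with an embedded encrypted config (fixture only)."""
    plain = struct.pack("<HBBB", botnet_id, version[0], version[1], len(c2s))
    for ip, port in c2s:
        plain += bytes(int(o) for o in ip.split(".")) + struct.pack("<H", port)
    cipher = rc4(key, plain)
    blob = MARKER + bytes([len(key)]) + key + struct.pack("<H", len(cipher)) + cipher
    return b"MZ" + b"\x90" * 64 + blob + b"\x00" * 32  # padding around the blob


# Constructed sample using documentation-range addresses (RFC 5737).
SAMPLE = build_sample(b"k3y-example", 10111, (4, 2),
                      [("192.0.2.10", 443), ("198.51.100.7", 8443)])

if __name__ == "__main__":
    print(extract(SAMPLE))
```

Two design choices matter for real extractors of this kind. Length checks happen before every slice and unpack, so a truncated or mis-identified blob raises a clear error instead of silently returning a half-parsed C2 list; and the locator only handles the unpacked image, since walking the dropper chain to reach it is a separate unpacking step that belongs in the sandbox, not in the parser.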
about this archive page
This page exists to keep the high-authority backlinks pointed at dridex.malwareconfig.com resolving to a 200, and to send the human reader who clicks one of those links to the right canonical project (RATDecoders or oletools, depending on what they were actually looking for).
This page is not run by Kevin Breen, Philippe Lagadec, or any of the CAPE Sandbox maintainers. For project questions, the right place is each project's GitHub issue tracker.
For questions about this page, email [email protected].