
S0024: Dyre

Dyre is a banking Trojan that has been used for financial gain. [1][2]

Domain: Enterprise | ID: S0024 | Type: Malware | Object version: 1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Dyre is a Windows banking Trojan documented by ATT&CK as malware used for financial gain. Its practical importance is not just malware removal: the mapped behaviors include discovery, persistence through scheduled tasks and Windows services, process/DLL injection, web-based command and control, tool transfer, local staging, and exfiltration over the C2 channel. For leaders, this makes Dyre a useful test case for whether the organization can detect and contain financially motivated endpoint compromise before credentials, banking activity, or sensitive data are abused.

Executive priority

Prioritize Dyre as a control-validation scenario for Windows endpoint resilience, fraud-exposure reduction, SOC readiness, and incident response decision-making. Executives should ask whether endpoint, identity, network, and IR teams can prove visibility into persistence, injected processes, suspicious web communications, local staging, and exfiltration-like behavior. ATT&CK also records that Wizard Spider has used Dyre, which makes the object relevant to threat intelligence-driven prioritization; current exposure and risk still have to be confirmed with internal telemetry and business context.

Technical view

ATT&CK lists Dyre as Windows malware with no standalone detection text, so defenders should validate coverage through the related techniques. Focus on Windows scheduled task creation or modification, Windows service creation or modification, process and DLL injection indicators, system/service/user/network/software discovery activity, packed or deobfuscated payload behavior, web-protocol C2 patterns, ingress file transfer, local data staging, and exfiltration over an existing C2 channel. SOC and IR teams should correlate endpoint process telemetry, persistence artifacts, network sessions, and file activity rather than relying on malware-name signatures alone.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Scheduled Task and Task Scheduler operational events
  • Windows service creation, modification, and registry-backed service configuration changes
  • Endpoint detection telemetry for process injection and DLL injection behavior
  • File creation, modification, packing/unpacking, and deobfuscation-related artifacts

Detection direction

  • Map detections to the related ATT&CK techniques rather than only to the Dyre name, because the object does not provide official detection guidance.
  • Validate Windows persistence detections for Scheduled Task and Windows Service abuse, including both command-line and registry/service-control visibility.
  • Tune discovery detections to reduce administrative false positives by correlating service, user, network, system, and software discovery with suspicious parent processes, new binaries, or unusual execution context.
  • Review behavioral coverage for process injection and DLL injection, recognizing that packed or deobfuscated malware may weaken static signature-only approaches.
  • Inspect web-protocol C2 analytics for suspicious destinations, beacon-like behavior, unusual user agents or paths where available, and endpoint-to-network correlation.
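As a worked illustration of the first four points above (technique-mapped, behavior-based persistence and injection detections), here is an added example written for this page; it is not code from ATT&CK, Glexia, or any vendor product. It runs three checks over constructed Windows event records: a Security 4698 task-creation event whose task XML repeats at a sub-hourly interval (T1053.005, matching Dyre's every-minute task), a Sysmon registry value-set event that writes an ImagePath under the Services key pointing into a user-writable directory (T1543.003, a service registered by writing Registry keys), and a Sysmon CreateRemoteThread event from a non-browser image into a browser process (T1055). Host names, file names, the simplified event field shapes, and the thresholds are assumptions to tune for a real environment; the final function shows why correlating the chain on one host matters more than any single hit.

```python
import re
from dataclasses import dataclass

# Constructed example (editor's addition): event shapes loosely follow
# Security 4698, Sysmon 13 and Sysmon 8 fields; host and file names are invented.
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
# Directories a legitimately installed service rarely runs from (assumption; tune per environment)
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.IGNORECASE)
SERVICES_IMAGEPATH = re.compile(
    r"HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
REPEAT_MINUTES = re.compile(r"<Interval>PT(\d+)M</Interval>")


@dataclass
class Finding:
    technique: str
    host: str
    detail: str


def check_scheduled_task(ev):
    """Security 4698 (task created): repetition interval of a few minutes or less.
    Dyre's task ran every minute; legitimate tasks usually repeat hourly or daily."""
    m = REPEAT_MINUTES.search(ev.get("TaskContent", ""))
    if m and int(m.group(1)) <= 5:
        return Finding("T1053.005", ev["Computer"],
                       f"task {ev['TaskName']} repeats every {m.group(1)} min")
    return None


def check_service_registry(ev):
    """Sysmon 13 (registry value set): ImagePath under the Services key that points
    into a user-writable directory, i.e. a service registered by writing Registry keys."""
    m = SERVICES_IMAGEPATH.search(ev.get("TargetObject", ""))
    if m and USER_WRITABLE.search(ev.get("Details", "")):
        return Finding("T1543.003", ev["Computer"],
                       f"service {m.group(1)} ImagePath={ev['Details']}")
    return None


def check_browser_injection(ev):
    """Sysmon 8 (CreateRemoteThread): a non-browser image starting a thread in a browser."""
    src = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    dst = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if dst in BROWSERS and src not in BROWSERS:
        return Finding("T1055", ev["Computer"], f"{src} -> {dst} remote thread")
    return None


CHECKS = {
    ("Security", 4698): check_scheduled_task,
    ("Microsoft-Windows-Sysmon/Operational", 13): check_service_registry,
    ("Microsoft-Windows-Sysmon/Operational", 8): check_browser_injection,
}


def evaluate(events):
    """Run the check that applies to each event; returns one Finding per match."""
    findings = []
    for ev in events:
        check = CHECKS.get((ev["Channel"], ev["EventID"]))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


def hosts_with_chain(findings, required=frozenset({"T1053.005", "T1543.003", "T1055"})):
    """Hosts on which the whole persistence + injection chain was observed.
    Correlating across checks is what separates Dyre-like activity from a lone
    admin-created task or a single odd service."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    return sorted(h for h, techs in seen.items() if required <= techs)


SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"Channel": "Security", "EventID": 4698, "Computer": "WS-FIN-07", "TaskName": r"\upd",
     "TaskContent": "<Repetition><Interval>PT1M</Interval></Repetition>"
                    r"<Exec><Command>C:\Users\jdoe\AppData\Local\Temp\upd.exe</Command></Exec>"},
    {"Channel": "Security", "EventID": 4698, "Computer": "WS-FIN-07", "TaskName": r"\Backup",
     "TaskContent": "<Repetition><Interval>PT1H</Interval></Repetition>"},
    {"Channel": SYSMON, "EventID": 13, "Computer": "WS-FIN-07",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\upd\ImagePath",
     "Details": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"},
    {"Channel": SYSMON, "EventID": 13, "Computer": "SRV-PRINT-01",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    {"Channel": SYSMON, "EventID": 8, "Computer": "WS-FIN-07",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"Channel": SYSMON, "EventID": 8, "Computer": "WS-FIN-07",
     "SourceImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f.technique, f.host, f.detail)
    print("full chain on:", hosts_with_chain(evaluate(SAMPLE_EVENTS)))
```

Run as-is, the three positive events on WS-FIN-07 are flagged while the hourly backup task, the Spooler service and the browser's own child-thread activity are ignored; only WS-FIN-07 shows the full chain. In production these checks would read parsed events from the SIEM rather than an inline list, and the user-writable path list and the five-minute interval threshold are the first things to tune against local baseline.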

Mitigation priorities

  • Maintain strong Windows endpoint prevention and monitoring for unauthorized scheduled tasks, services, injected processes, and suspicious binaries.
  • Harden administrative controls around service creation, scheduled task management, and privileged execution paths.
  • Ensure egress monitoring and proxy/DNS logging can support investigation of web-protocol command-and-control and exfiltration over C2 channels.
  • Reduce credential and financial-fraud risk with least privilege, strong authentication, and rapid account containment procedures where endpoint compromise is suspected.
  • Prepare IR playbooks that combine host isolation, persistence review, credential-risk assessment, network scoping, and evidence preservation.
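The egress-monitoring point above (web-protocol command and control, T1071.001, and exfiltration over that same channel, T1041) is best checked with timing and volume analysis rather than destination reputation alone, because Dyre's HTTPS traffic carries no usable content for a proxy to inspect. The following is an added example, written for this page and not part of ATT&CK or any product, that groups constructed proxy log lines per client/destination flow, scores the regularity of connection intervals (coefficient of variation of the gaps, near zero for a timer-driven implant), and flags flows where the client sends far more than it receives. The log line format, host names, the TEST-NET addresses, and all thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log shape (editor's example, not a real product format):
# ISO timestamp, source host, destination:port, bytes sent by the client, bytes received.
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\d+)\s+(\d+)$")


def parse(lines):
    """Group (timestamp, bytes_out, bytes_in) tuples by (src, dst, port)."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3), int(m.group(4)))].append(
            (ts, int(m.group(5)), int(m.group(6))))
    return flows


def interval_cv(timestamps):
    """Coefficient of variation of inter-connection gaps. A timer-driven implant
    produces near-constant gaps (CV close to 0); a person browsing does not."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def analyse(lines, min_conns=4, max_cv=0.15, exfil_ratio=2.0):
    """Flag regular HTTPS flows (T1071.001). When the client sends far more than
    it receives on such a flow, also flag exfiltration over the C2 channel (T1041)."""
    results = []
    for (src, dst, port), recs in parse(lines).items():
        if port != 443 or len(recs) < min_conns:
            continue
        recs.sort()  # lines may arrive out of order; sort by timestamp
        cv = interval_cv([r[0] for r in recs])
        if cv is None or cv > max_cv:
            continue
        out_bytes = sum(r[1] for r in recs)
        in_bytes = sum(r[2] for r in recs)
        techniques = ["T1071.001"]
        if in_bytes == 0 or out_bytes / in_bytes >= exfil_ratio:
            techniques.append("T1041")
        results.append({"src": src, "dst": dst, "connections": len(recs),
                        "cv": round(cv, 3), "bytes_out": out_bytes,
                        "bytes_in": in_bytes, "techniques": techniques})
    return results


# Constructed log: one flow beaconing roughly every 60 s and uploading,
# ordinary browsing with irregular gaps and large downloads, and a two-hit flow.
SAMPLE_LOG = """\
2024-03-04T09:00:00 ws-fin-07 203.0.113.10:443 4100 310
2024-03-04T09:00:05 ws-fin-07 198.51.100.7:443 900 58000
2024-03-04T09:01:01 ws-fin-07 203.0.113.10:443 3950 305
2024-03-04T09:00:45 ws-fin-07 198.51.100.7:443 1200 73000
2024-03-04T09:02:00 ws-fin-07 203.0.113.10:443 4300 298
2024-03-04T09:03:02 ws-fin-07 203.0.113.10:443 4050 320
2024-03-04T09:03:59 ws-fin-07 203.0.113.10:443 4120 301
2024-03-04T09:05:00 ws-fin-07 203.0.113.10:443 3980 315
2024-03-04T09:05:45 ws-fin-07 198.51.100.7:443 800 41000
2024-03-04T09:05:57 ws-fin-07 198.51.100.7:443 750 12000
2024-03-04T09:06:10 ws-hr-02 203.0.113.10:443 500 2000
2024-03-04T09:07:10 ws-hr-02 203.0.113.10:443 500 2000
""".splitlines()

if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print(r)
```

Only the ws-fin-07 to 203.0.113.10 flow survives: six connections with gaps of 57 to 62 seconds give a CV of about 0.03, and the client sends roughly thirteen times what it receives, so both T1071.001 and T1041 are attached. The browsing flow fails the regularity test and the ws-hr-02 flow has too few connections to score. Real implants add jitter, so treat max_cv as a tunable rather than a constant, and pair this with the endpoint findings before acting.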

Analyst notes and limits

The decision value of this object is in the behavior chain expressed by its relationships: discovery, stealth, persistence, command and control, tool transfer, staging, and exfiltration. The official description is brief, and official detection is not provided. Treat Dyre as a scenario for validating layered Windows endpoint and network visibility against financially motivated malware behavior.

This take uses only the supplied ATT&CK/STIX fields, external references, and relationships. It does not assert active exploitation, current prevalence, customer exposure, specific indicators, or guaranteed detection. Platforms are limited to Windows for the malware object, although some related techniques list broader platforms. Local telemetry, asset criticality, identity context, and network architecture are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Dyre

Dyre is a banking Trojan that has been used for financial gain. [1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

16 rows
Domain ID Name Relationship / procedure
Enterprise T1016 System Network Configuration Discovery

Dyre has the ability to identify network settings on a compromised host.[2]

Enterprise T1033 System Owner/User Discovery

Dyre has the ability to identify the users on a compromised host.[2]

Enterprise T1497.001 System Checks Sub-technique

Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[1][2]

Enterprise T1074.001 Local Data Staging Sub-technique

Dyre has the ability to create files in a TEMP folder to act as a database to store information.[2]

Enterprise T1105 Ingress Tool Transfer

Dyre has a command to download and execute additional files.[1]

Enterprise T1055.001 Dynamic-link Library Injection Sub-technique

Dyre injects into other processes to load modules.[1]

Enterprise T1053.005 Scheduled Task Sub-technique

Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Dyre decrypts resources needed for targeting the victim.[1][2]

Enterprise T1071.001 Web Protocols Sub-technique

Dyre uses HTTPS for C2 communications.[1][2]

Enterprise T1082 System Information Discovery

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[2]

Enterprise T1027.002 Software Packing Sub-technique

Dyre has been delivered with encrypted resources and must be unpacked for execution.[2]

Enterprise T1055 Process Injection

Dyre has the ability to directly inject its code into the web browser process.[2]

Enterprise T1518 Software Discovery

Dyre has the ability to identify installed programs on a compromised host.[2]

Enterprise T1543.003 Windows Service Sub-technique

Dyre registers itself as a service by adding several Registry keys.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Dyre has the ability to send information staged on a compromised host externally to C2.[2]

Enterprise T1007 System Service Discovery

Dyre has the ability to identify running services on a compromised host.[2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0102: Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: ab9ea1fa9c296b90...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | ab9ea1fa9c29…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. (Cited on the object as "Symantec Dyre June 2015".)

  [2] hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. (Cited on the object as "Malwarebytes Dyreza November 2015".)

  [6] Ducklin, P. (2015, April 20). Notes from SophosLabs: Dyreza, the malware that discriminates against old computers. Retrieved June 16, 2020. (Cited on the object as "Sophos Dyreza April 2015".)

  [7] mitre-attack S0024: the ATT&CK source entry for this object.

Associated software names carried on the object, with the reference that records each: Dyre (Symantec Dyre June 2015), Dyreza (Sophos Dyreza April 2015), Dyzap (Sophos Dyreza April 2015).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.