Russian authorities in November raided offices associated with a Moscow film distribution and production company as part of a crackdown on one of the world’s most notorious financial hacking operations, according to three sources with knowledge of the matter.

Cybersecurity experts said a password-stealing software program known as Dyre — believed to be responsible for at least tens of millions of dollars in losses at financial institutions including Bank of America Corp and JPMorgan Chase & Co  — has not been deployed since the time of the raid. Experts familiar with the situation said the case represents Russia’s biggest effort to date to crack down on cyber-crime.

Cyber-crooks behind the notorious Dyre malware have set their sights on customers of Spanish banks. First spotted in 2014, Dyre targets banks all over Europe, apart from in Russia and former Soviet republics.

However, a new Trojan configuration file analysed by the IBM team suggests that the malware is gearing up for a concerted assault on Spanish banks. IBM Security researchers say that Dyre is one of the most advanced malware codes active in the wild because of its feature-rich capabilities and its constant updates, which are designed to evade detection by anti-virus and static security mechanisms.

IBM Security has identified an active campaign using a variant of Dyre malware that has successfully stolen more than $1 million from targeted enterprise organizations. The campaign shows a brazen twist from the once-simple Dyre malware by adding sophisticated social engineering tactics likely to circumvent two-factor authentication.

In recent incidents, organizations have lost millions to attackers. While many popular banking Trojans have targeted individuals, Dyre has always been used to target organizations. Dyre has evolved to become simultaneously sophisticated and easy to use. 

The Department of Homeland Security formally sounded the alarm on Dyre, the banking Trojan that’s been spotted siphoning banking credentials from both large enterprises and major financial institutions as of late. 

The warning came in the form of an alert informing the public of the malware, which is spread through spam and phishing emails. Phishing emails peddling Dyre are now using malicious PDF attachments that leverage vulnerabilities to download the malware. Once it’s downloaded, it captures user login information and sends that on to attackers. Experts are encouraging users to use caution when it comes to opening attachments.

Salesforce.com is warning its customers that the Dyreza banker Trojan is now believed to be targeting some of the company’s users.

The Trojan, which has the ability to bypass SSL, typically goes after customers of major banks, but seems to be expanding its reach. Dyreza is relatively new among the banker Trojan crowd and it hasn’t had the reach or effect of older bankers such as Carberp or Zeus. But it has some interesting capabilities that make it troublesome. The malware installs itself on a victim’s machine after a user clicks on a malicious attachment in a spam message. Once on the machine, Dyreza reaches out to a C2 server and waits for the victim to visit a targeted banking site.