Spam emails containing the Dridex malware are being seen almost daily despite the arrest of one of its key operators in August.
The finding confirms that while law enforcement can claim temporary victories in fighting cybercriminal networks, it's sometimes difficult to completely shut down their operations.
The U.S. Department of Justice said on Oct. 13 it was seeking the extradition of a 30-year-old Moldovan man, Andrey Ghinkul. Prosecutors allege he used Dridex malware to steal $10 million from U.S. companies and organizations.
Dridex, also referred to as Cridex or Bugat, is advanced malware that collects financial login details and other personal information that can be used to drain bank accounts.
The U.S. and U.K. said the Dridex botnet -- or the collection of computers infected with the malware -- had been disrupted following their operations.
Two weeks before the DOJ's announcement, Palo Alto Networks wrote that it noticed a drop in Dridex activity but that it resumed again around the start of October.
Often, those employing Dridex tricked people into downloading it by sending spam emails with malicious links or attachments, such as XML files and Microsoft Office documents.
Much of that activity has now resumed, wrote Brad Duncan, a security researcher with Rackspace, on the Internet Storm Center blog.
He wrote that there appear to be more files labeled as Dridex on VirusTotal, a repository of malware samples. Although some of the samples could mislabeled, it backs up what Palo Alto noticed.
"Plenty of us are seeing Dridex malspam on a near-daily basis now," Duncan wrote.