Hackers are using the Dyre malware to target customers of over 1,000 banks, according to experts at Symantec.
The security firm said in its Dyre: Emerging threat on financial fraud landscape (PDF) threat report that it had detected rapid growth in the use of Dyre following takedown operations against previously popular tools like Gameover Zeus.
"Following takedowns of a number of other major financial threats, such as Gameover Zeus and Shylock, Dyre has filled the vacuum and emerged as the main active threat in this arena," read the report.
"The group behind Dyre has put considerable time and effort into expanding its operations, adding to its infrastructure and broadening its reach to target the customers of more than 1,000 banks and other organisations."
The Gameover Zeus takedown occurred in June 2014 when law enforcement agencies across the globe, including the UK National Crime Agency, temporarily shut down the botnet's infrastructure.
Dyre infections peaked immediately after the takedown, and Symantec detected roughly 32,500 victim machines in June 2014.
Infection levels have since dropped and Symantec detected a more modest 10,000 victims in February.
The Symantec researchers said that the creators of Dyre have been using it to target industries outside the financial sector in a bid to regain their fallen glory.
"In addition to financial websites, the Dyre attackers have targeted a number of careers- and HR-related websites, presumably because stealing credentials may facilitate harvesting potentially valuable personal information," read the report.
"Interestingly, a number of web hosting companies are also targeted."
The criminals are also reportedly making a number of technical upgrades to the Dyre malware, including a move to use a more sophisticated malware downloader.
"Upatre is one of the main downloader-type threats circulating at present and the malware has been used by a number of high-profile attack groups in recent campaigns to install threats such as Gameover Zeus and Cryptolocker," said Symantec.
"The Dyre attackers have followed suit and, since June 2014, Upatre has been used as the main means of installing Dyre on a victim's computer."
Despite the developments, Symantec said that phishing remains the hackers' primary attack strategy, and the end goal of financial gain remains the same.
Symantec reported that, while attribution is difficult, evidence suggests that Dyre's developers are based in Eastern Europe.
"Symantec observed that 99 percent of [Dyre's command and control] IP addresses are based in Europe. The majority of the servers are located in Ukraine and Russia (227 out of 285), amounting to around 80 percent of all IP addresses observed," read the report.
Eastern Europe has always been regarded as a hotbed of malicious online activity and a primary hosting spot for many of the world's worst cyber crime operations.
However, Level 3 research challenged this on Monday, revealing that North America has overtaken Eastern Europe as hackers' top choice, and currently hosts one in five of all botnets.
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software