
DanaBot Malware Returns to Target Windows After 6-Month Hiatus

Summary

– DanaBot malware has resurfaced with a new version (669) and rebuilt infrastructure, six months after law enforcement’s Operation Endgame disrupted it in May.
– The new variant uses Tor domains for command-and-control and backconnect nodes, with threat actors employing cryptocurrency addresses to receive stolen funds.
– Originally a banking trojan delivered via email and malvertising, DanaBot operates under a malware-as-a-service model and has evolved into a modular information stealer.
– Despite the significant disruption from Operation Endgame, DanaBot’s return demonstrates cybercriminals’ resilience when core operators remain unarrested and financial incentives exist.
– Organizations can defend against DanaBot by adding Zscaler’s new indicators of compromise to blocklists and updating security tools to counter typical infection methods like malicious emails and malvertising.

The DanaBot malware has resurfaced with a new version following a six-month period of inactivity after law enforcement’s Operation Endgame disrupted its infrastructure in May. Security analysts from Zscaler ThreatLabz have identified a fresh variant, version 669, which now uses Tor-based command-and-control servers and backconnect nodes. The researchers also published a list of cryptocurrency addresses, covering Bitcoin, Ethereum, Litecoin, and Tron, that the attackers are using to collect stolen funds.

First exposed by Proofpoint researchers, DanaBot began as a banking trojan written in Delphi and distributed through malicious emails and online advertisements. It was offered as malware-as-a-service, allowing cybercriminals to rent access for a recurring fee. Over time, DanaBot transformed into a modular threat capable of stealing sensitive information and loading additional payloads. It specifically targeted login credentials and cryptocurrency wallet data stored in browsers.

The malware was used in multiple large-scale campaigns and continued to pose a threat intermittently from 2021 onward. Operation Endgame, an international law enforcement initiative executed in May, severely degraded DanaBot’s infrastructure through indictments and seizures. Despite this, Zscaler now reports that the malware is active again with rebuilt systems. During its downtime, many initial access brokers shifted to other malware families.

The return of DanaBot underscores the persistence of financially motivated cybercriminals, especially when core operators evade arrest. Common infection vectors include malicious email attachments or links, SEO poisoning, and malvertising campaigns, some of which have led to ransomware deployment. Organizations looking to defend against DanaBot should update their security tools and blocklists with the latest indicators of compromise released by Zscaler.
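As an added example (not code from the article, Zscaler, or BleepingComputer), the Python below shows one way to operationalise a typed indicator feed of the kind described: each indicator's format is validated before it is accepted into a blocklist, and resolver log lines are then checked against the Tor C2 domains, with any .onion lookup flagged because such a name should never reach a normal DNS resolver. The feed entries and log lines are constructed placeholders, not the published indicators.

```python
import re

# Format checks by indicator type, so a malformed feed entry never reaches
# a blocklist. v3 onion service names are 56 base32 characters plus ".onion".
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
IOC_PATTERNS = {
    "onion": re.compile(r"^[a-z2-7]{56}\.onion$"),
    "btc": re.compile(rf"^(bc1[a-z0-9]{{25,62}}|[13]{BASE58}{{25,34}})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "ltc": re.compile(rf"^(ltc1[a-z0-9]{{25,62}}|[LM]{BASE58}{{26,33}})$"),
    "trx": re.compile(rf"^T{BASE58}{{33}}$"),
}

# Constructed feed: placeholder values, not the indicators Zscaler published.
CONSTRUCTED_FEED = [
    {"type": "onion", "value": "a" * 56 + ".onion"},
    {"type": "eth", "value": "0x" + "ab" * 20},
    {"type": "trx", "value": "T" + "x" * 33},
    {"type": "btc", "value": "not-an-address"},  # malformed: must be rejected
]

# Constructed resolver log lines in a simple key=value shape.
CONSTRUCTED_DNS_LOG = [
    "client=10.0.0.5 qname=www.example.com qtype=A",
    f"client=10.0.0.7 qname={'a' * 56}.onion qtype=A",
    f"client=10.0.0.9 qname={'b' * 56}.onion qtype=A",
]

def load_blocklist(feed):
    """Validate every entry against its type's format; return (accepted, rejected)."""
    accepted, rejected = {}, []
    for entry in feed:
        pattern = IOC_PATTERNS.get(entry["type"])
        if pattern and pattern.match(entry["value"]):
            accepted.setdefault(entry["type"], set()).add(entry["value"])
        else:
            rejected.append(entry)
    return accepted, rejected

QNAME = re.compile(r"client=(\S+) qname=(\S+)")

def scan_dns_log(lines, blocklist):
    """Return (client, qname, reason): 'ioc' for a feed match, 'onion' for
    any other leaked .onion query, which is suspicious on its own."""
    hits = []
    for line in lines:
        m = QNAME.search(line)
        if not m:
            continue
        client, qname = m.group(1), m.group(2).lower().rstrip(".")
        if qname in blocklist.get("onion", set()):
            hits.append((client, qname, "ioc"))
        elif qname.endswith(".onion"):
            hits.append((client, qname, "onion"))
    return hits
```

The wallet-address entries are retained in the accepted blocklist so the same validated set can be fed to clipboard or transaction monitoring; only the Tor domains are used in the resolver scan.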

(Source: Bleeping Computer)
