Article Details
Scrape Timestamp (UTC): 2025-11-12 16:43:04.450
Original Article Text
DanaBot malware is back to infecting Windows after 6-month break.

The DanaBot malware has returned with a new version observed in attacks, six months after law enforcement's Operation Endgame disrupted its activity in May.

According to security researchers at Zscaler ThreatLabz, there is a new variant of DanaBot, version 669, that has a command-and-control (C2) infrastructure using Tor domains (.onion) and “backconnect” nodes. Zscaler also identified and listed several cryptocurrency addresses that threat actors are using to receive stolen funds, in BTC, ETH, LTC, and TRX.

DanaBot was first disclosed by Proofpoint researchers as a Delphi-based banking trojan delivered via email and malvertising. It operated under a malware-as-a-service (MaaS) model, being rented to cybercriminals for a subscription fee. In the years that followed, the malware evolved into a modular information stealer and loader, targeting credentials and cryptocurrency wallet data stored in web browsers. The malware was used in numerous campaigns, some of which were large-scale, and reappeared occasionally from 2021 onward, remaining a steady threat to internet users.

In May this year, an international law enforcement effort codenamed ‘Operation Endgame’ disrupted DanaBot’s infrastructure and announced indictments and seizures, which significantly degraded its operations. However, according to Zscaler, DanaBot is again active, with a rebuilt infrastructure. While the DanaBot operation was down, many initial access brokers (IABs) pivoted to other malware.

DanaBot resurfacing shows that cybercriminals are resilient in their activity as long as there is a financial incentive, despite a multi-month disruption, especially when core operators aren’t arrested.

Typical initial access methods observed in DanaBot infections include malicious emails (via links or attachments), SEO poisoning, and malvertising campaigns, some of which led to ransomware.
Organizations can defend against DanaBot attacks by adding to their blocklists the new indicators of compromise (IoCs) from Zscaler and by updating their security tools.
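The defensive advice above is to feed the published network indicators into blocklists. As an added example, not code from the article or from Zscaler, the Python below shows the normalisation a blocklist check needs before it is reliable: destination hosts in proxy logs arrive with mixed case, trailing dots and ports, and a C2 domain on the list should also catch its subdomains. It also flags any .onion destination, since the article notes the new C2 runs over Tor hidden services and most corporate networks have no legitimate reason to reach them (that no-Tor policy is an assumption of the example). Every indicator and every log line is constructed here; the placeholder values are not DanaBot IoCs, and the feed and log formats are invented for the example rather than any vendor's.

```python
"""Apply a constructed IoC blocklist to constructed proxy-log lines.

Added example, not from the article or from Zscaler ThreatLabz: the
indicator values below are placeholders, not published DanaBot IoCs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed feed in "type,value" form; every value is a placeholder.
IOC_FEED = """\
# type,value
domain,c2-example-placeholder.onion
domain,update.example-ioc-placeholder.com
ip,203.0.113.45
"""

# Constructed proxy-log lines: "<timestamp> <client_ip> <dest_host>:<port> <action>".
SAMPLE_LOG = """\
2025-11-12T10:01:03Z 10.0.0.12 www.example.org:443 ALLOW
2025-11-12T10:01:07Z 10.0.0.12 UPDATE.example-ioc-placeholder.com.:443 ALLOW
2025-11-12T10:02:15Z 10.0.0.31 c2-example-placeholder.onion:443 ALLOW
2025-11-12T10:02:40Z 10.0.0.31 cdn.update.example-ioc-placeholder.com:80 ALLOW
2025-11-12T10:03:01Z 10.0.0.44 203.0.113.45:8443 ALLOW
2025-11-12T10:03:22Z 10.0.0.44 another-hidden-service-placeholder.onion:80 ALLOW
"""


@dataclass
class IocSet:
    domains: set[str]
    ips: set[ipaddress.IPv4Address | ipaddress.IPv6Address]


@dataclass
class Finding:
    line_no: int
    client_ip: str
    host: str
    reasons: list[str]


def normalize_host(host: str) -> str:
    """Lower-case, drop any :port and a trailing dot, so 'UPDATE.x.com.:443' becomes 'update.x.com'."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        host = host[1:host.index("]")]
    elif host.count(":") == 1:  # hostname or IPv4 literal followed by a single :port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def load_iocs(feed: str) -> IocSet:
    """Parse the constructed feed; comments and blank lines are skipped."""
    iocs = IocSet(domains=set(), ips=set())
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = (part.strip() for part in line.split(",", 1))
        if kind == "domain":
            iocs.domains.add(normalize_host(value))
        elif kind == "ip":
            iocs.ips.add(ipaddress.ip_address(value))
    return iocs


def matched_domain(host: str, domains: set[str]) -> str | None:
    """Return the blocklisted domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_proxy_log(log_text: str, iocs: IocSet, flag_onion: bool = True) -> list[Finding]:
    """Return one Finding per log line whose destination matches an indicator or is a .onion host."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        parts = raw.split()
        if len(parts) < 4:
            continue  # malformed line; a real pipeline would count and report these
        _ts, client_ip, dest, _action = parts[:4]
        host = normalize_host(dest)
        reasons: list[str] = []
        try:
            if ipaddress.ip_address(host) in iocs.ips:
                reasons.append(f"blocklisted ip {host}")
        except ValueError:  # not an IP literal, so treat it as a hostname
            hit = matched_domain(host, iocs.domains)
            if hit:
                reasons.append(f"blocklisted domain {hit}")
            if flag_onion and host.endswith(".onion"):
                reasons.append("tor hidden service destination")
        if reasons:
            findings.append(Finding(line_no, client_ip, host, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG, load_iocs(IOC_FEED)):
        print(f"line {f.line_no}: {f.client_ip} -> {f.host}: {'; '.join(f.reasons)}")
```

Running it flags five of the six constructed lines: the mixed-case host with a trailing dot, the subdomain of a listed domain, the listed IP, and both .onion destinations (one of which is also on the list). The first line, an ordinary HTTPS request, is left alone. The parent-label walk in matched_domain is what lets a single listed C2 domain cover the per-victim subdomains a loader often generates, without resorting to substring matching that would also hit unrelated names.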
Daily Brief Summary
DanaBot, a banking trojan, has re-emerged with a new version after a six-month hiatus following law enforcement disruption.
The latest variant, version 669, utilizes Tor domains and “backconnect” nodes for command-and-control infrastructure.
Zscaler ThreatLabz identified cryptocurrency addresses linked to DanaBot for receiving stolen funds in multiple cryptocurrencies.
Initially disclosed by Proofpoint, DanaBot has evolved into a modular information stealer targeting credentials and cryptocurrency wallets.
Despite Operation Endgame's success in degrading DanaBot's operations, the malware's infrastructure has been rebuilt.
DanaBot infections typically occur through malicious emails, SEO poisoning, and malvertising, sometimes leading to ransomware.
Organizations are advised to update blocklists with new indicators of compromise and enhance security tools to mitigate DanaBot threats.