DanaBot malware has resurfaced with a new version six months after international law enforcement disrupted its operations through Operation Endgame in May 2024.
What happened
Security researchers discovered a new variant of DanaBot, version 669, actively infecting Windows systems. The updated malware features a rebuilt command-and-control infrastructure using Tor domains (.onion) and "backconnect" nodes. The malware originally emerged as a Delphi-based banking trojan delivered through email and malvertising, operating under a malware-as-a-service model where cybercriminals could rent access for a subscription fee. Over time, it evolved into a modular information stealer and loader, targeting credentials and cryptocurrency wallet data stored in web browsers.
The backstory
In May 2024, an international law enforcement effort codenamed Operation Endgame disrupted DanaBot's infrastructure and announced indictments and seizures, degrading its operations. The malware was first disclosed by Proofpoint researchers and had been used in numerous large-scale campaigns since its emergence. From 2021 onward, DanaBot reappeared occasionally, remaining a persistent threat to internet users. While DanaBot was offline following the law enforcement action, many initial access brokers pivoted to alternative malware.
Going deeper
Attack methods: Current DanaBot infections use multiple initial access vectors:
- Malicious emails containing links or attachments
- SEO poisoning techniques
- Malvertising campaigns
Some infections have subsequently led to ransomware deployment.
Infrastructure changes: The new version features technical updates including Tor-based command-and-control domains and backconnect nodes, making detection and takedown more difficult.
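Tor-based command-and-control is harder to block by IP address, but a Tor-using implant still leaves traces on the local network that defenders can look for, such as ".onion" names appearing in ordinary DNS queries (public resolvers should never see them) or in proxy CONNECT requests. The following is an added example, not code from the article or from any DanaBot sample: it scans constructed DNS and proxy log lines for .onion indicators and produces one finding per source host for triage. The log format, hostnames and IP addresses are all constructed for the example.

```python
"""
Added example (not from the Paubox article or from DanaBot itself): flag hosts
whose DNS or proxy traffic references .onion names, an indicator consistent
with Tor-based command-and-control. Log format and all values are constructed.
"""
import re
from collections import defaultdict

# Constructed 56-character v3 onion name used in the sample logs below.
SAMPLE_ONION = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"

# Constructed sample log lines in the form "<time> <type> <src_ip> <detail>".
SAMPLE_LOGS = f"""\
2025-01-10T09:12:01Z dns 10.0.4.21 query A www.example.com
2025-01-10T09:12:04Z dns 10.0.4.21 query A {SAMPLE_ONION}
2025-01-10T09:12:05Z proxy 10.0.4.21 CONNECT {SAMPLE_ONION}:443
2025-01-10T09:13:10Z dns 10.0.4.33 query A mail.example.com
2025-01-10T09:14:22Z proxy 10.0.4.33 GET http://www.example.com/index.html
2025-01-10T09:15:00Z dns 10.0.4.21 query A zzzz.onion
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|proxy) (?P<src>\S+) (?P<detail>.+)$")

# Real onion addresses are base32 labels of fixed length: 56 chars for v3,
# 16 chars for the deprecated v2 format. Requiring those lengths avoids
# flagging unrelated names such as "zzzz.onion" or "foo.onion.example.com".
ONION_RE = re.compile(r"\b([a-z2-7]{16}|[a-z2-7]{56})\.onion(?=[:/\s]|$)", re.IGNORECASE)


def parse_line(line):
    """Split one constructed log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_onion_indicators(log_text):
    """Return {src_ip: [(log_kind, onion_name), ...]} for hosts that touched .onion names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for m in ONION_RE.finditer(rec["detail"]):
            hits[rec["src"]].append((rec["kind"], m.group(0).lower()))
    return dict(hits)


def summarize(hits):
    """One finding per source host, sorted by address, suitable for a triage queue."""
    findings = []
    for src in sorted(hits):
        kinds = {kind for kind, _ in hits[src]}
        findings.append({
            "src": src,
            "distinct_onions": len({name for _, name in hits[src]}),
            # A .onion name in plain DNS means something on the host tried to
            # resolve it outside Tor: a misconfigured client or an implant.
            "dns_leak": "dns" in kinds,
            "proxy_connect": "proxy" in kinds,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize(find_onion_indicators(SAMPLE_LOGS)):
        print(finding)
```

On the constructed input only 10.0.4.21 is reported: it both leaked the onion name to DNS and attempted a proxy CONNECT to it, while the short "zzzz.onion" query is ignored by the length check. In practice the same loop would read from a SIEM export, and the finding would be enriched with the Tor indicators a defender already tracks rather than stand alone.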
What was said
Cybersecurity researchers announced their discovery of the resurfaced threat on social media, stating that "DanaBot has resurfaced with version 669 after nearly a 6-month hiatus following the Operation Endgame law enforcement actions in May." The researchers revealed that DanaBot is sporting rebuilt infrastructure and listed the IP addresses for DanaBot's new command-and-control infrastructure, as well as new cryptocurrency wallets used to siphon victim funds.
In the know
Malware-as-a-service (MaaS) is a business model where cybercriminals develop malware and rent it to other threat actors for a subscription fee. This model lowers the barrier to entry for cyberattacks, allowing less technically skilled criminals to launch campaigns. DanaBot's MaaS model made it accessible to multiple threat actors simultaneously, contributing to its use in various campaigns. Information stealers like DanaBot target sensitive data stored in web browsers, including login credentials, cryptocurrency wallet information, and other personal data that can be monetized or used for further attacks.
Why it matters
DanaBot's return shows that disrupting infrastructure alone isn't enough when core operators remain at large. Despite a six-month disruption and international law enforcement coordination, the malware has returned because the financial incentives remain strong and key individuals weren't arrested. This pattern shows that cybercriminal operations can rebuild quickly when their expertise and business relationships survive takedowns. For healthcare organizations and other entities handling sensitive data, this resurgence serves as a reminder that threats considered "disrupted" can rapidly return with updated capabilities. The malware's evolution to use Tor infrastructure and cryptocurrency theft specifically targets the types of digital assets and data that healthcare entities manage, making it a relevant threat to monitor.
FAQs
How does DanaBot decide which data to steal from an infected device?
DanaBot uses predefined modules that target specific browser-stored credentials and cryptocurrency data.
Can DanaBot spread laterally across a network once inside an organization?
Yes, depending on the modules deployed by the operator, DanaBot can perform limited lateral movement.
Is DanaBot capable of disabling antivirus tools during infection?
Yes, some variants include routines that attempt to evade or bypass security software.
Do Tor-based command-and-control servers affect how quickly defenders can block DanaBot traffic?
Yes, Tor routing significantly slows down detection and takedown efforts.
Can DanaBot infect mobile devices or is it limited to Windows systems?
No, the malware currently targets Windows systems only.