DanaBot malware has resurfaced with a new version six months after international law enforcement disrupted its operations through Operation Endgame in May 2024.
Security researchers discovered a new variant of DanaBot, version 669, actively infecting Windows systems. The updated malware features a rebuilt command-and-control infrastructure using Tor domains (.onion) and "backconnect" nodes. The malware originally emerged as a Delphi-based banking trojan delivered through email and malvertising, operating under a malware-as-a-service model where cybercriminals could rent access for a subscription fee. Over time, it evolved into a modular information stealer and loader, targeting credentials and cryptocurrency wallet data stored in web browsers.
In May 2024, an international law enforcement effort codenamed Operation Endgame disrupted DanaBot's infrastructure and announced indictments and seizures, degrading its operations. The malware was first disclosed by Proofpoint researchers and had been used in numerous large-scale campaigns since its emergence. From 2021 onward, DanaBot reappeared occasionally, remaining a persistent threat to internet users. While the operation was down following the law enforcement action, many initial access brokers pivoted to other malware.
Attack methods: Current DanaBot infections use multiple initial access vectors:
Infrastructure changes: The new version features technical updates including Tor-based command-and-control domains and backconnect nodes, making detection and takedown more difficult.
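As an added defender-side illustration (not code from the article or from the researchers it cites), the script below flags .onion name lookups in DNS query logs. The BIND-style log format, source hosts and domain names are constructed assumptions. Because .onion is a reserved special-use TLD (RFC 7686) that a correctly configured Tor client never sends to ordinary DNS, an endpoint leaking such lookups to the corporate resolver is a cheap early signal worth investigating when Tor-based C2 like the scheme described above is a concern.

```python
import re
from collections import defaultdict

# Constructed sample DNS query-log lines in BIND query-log style (assumed format);
# hosts and domain names are made up and are not from the article.
SAMPLE_DNS_LOG = """\
10-Nov-2024 09:12:01.123 client 10.0.4.21#51234: query: www.example.com IN A + (10.0.0.53)
10-Nov-2024 09:12:03.456 client 10.0.4.21#51240: query: abcdefghij1234567890abcdefghij1234567890abcdefghij123456.onion IN A + (10.0.0.53)
10-Nov-2024 09:12:05.789 client 10.0.4.37#49152: query: updates.example.org IN AAAA + (10.0.0.53)
10-Nov-2024 09:12:07.001 client 10.0.4.21#51244: query: zzzzzzzzzzzzzzzz.onion. IN A + (10.0.0.53)
10-Nov-2024 09:12:09.222 client 10.0.4.52#50001: query: notonion.example.net IN A + (10.0.0.53)
"""

# Pull the querying client, the queried name and the record type out of one log line.
QUERY_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_onion_name(name: str) -> bool:
    """True if the queried name sits under the special-use .onion TLD.

    A trailing dot (fully qualified form) and mixed case are normalised so that
    'foo.ONION.' is still caught, while 'notonion.example.net' is not.
    """
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_lookups(log_text: str) -> dict[str, list[str]]:
    """Map each source IP to the normalised .onion names it tried to resolve."""
    hits: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m.group("name")):
            hits[m.group("src")].append(m.group("name").rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for src, names in find_onion_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src}: {len(names)} .onion lookup(s): {', '.join(names)}")
```

On the constructed log this reports only 10.0.4.21, with two .onion lookups; a real deployment would feed it the resolver's query log and route hits to triage.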
Cybersecurity researchers announced their discovery of the resurfaced threat on social media, stating that "DanaBot has resurfaced with version 669 after nearly a 6-month hiatus following the Operation Endgame law enforcement actions in May." The researchers revealed that DanaBot is sporting rebuilt infrastructure and listed the IP addresses for DanaBot's new command-and-control infrastructure, as well as new cryptocurrency wallets used to siphon victim funds.
Malware-as-a-service (MaaS) is a business model where cybercriminals develop malware and rent it to other threat actors for a subscription fee. This model lowers the barrier to entry for cyberattacks, allowing less technically skilled criminals to launch campaigns. DanaBot's MaaS model made it accessible to multiple threat actors simultaneously, contributing to its use in various campaigns. Information stealers like DanaBot target sensitive data stored in web browsers, including login credentials, cryptocurrency wallet information, and other personal data that can be monetized or used for further attacks.
DanaBot's return shows that disrupting infrastructure alone isn't enough when core operators remain at large. Despite a six-month disruption and international law enforcement coordination, the malware has returned because the financial incentives remain strong and key individuals weren't arrested. This pattern shows that cybercriminal operations can rebuild quickly when their expertise and business relationships survive takedowns. For healthcare organizations and other entities handling sensitive data, this resurgence serves as a reminder that threats considered "disrupted" can rapidly return with updated capabilities. The malware's evolution to use Tor infrastructure and cryptocurrency theft specifically targets the types of digital assets and data that healthcare entities manage, making it a relevant threat to monitor.
DanaBot uses predefined modules that target specific browser-stored credentials and cryptocurrency data.
Depending on the modules deployed by the operator, DanaBot can perform limited lateral movement.
Some variants include routines that attempt to evade or bypass security software.
Tor routing significantly slows down detection and takedown efforts.
The malware currently targets Windows systems only.