- DanaBot has resurfaced with version 669 and rebuilt infrastructure after Operation Endgame disruption
- It has modular payloads, encrypted C2 and supports crypto theft via BTC, ETH, LTC and TRX
- Zscaler encourages organizations to block new IoCs and update defenses against DanaBot’s return
DanaBot, the infamous banking Trojan disrupted during the recent Operation Endgame effort, has resurfaced, researchers have revealed.
Cybersecurity researchers at Zscaler said they observed DanaBot re-emerge as version 669, running on rebuilt infrastructure.
“DanaBot has re-emerged with version 669 after a nearly 6-month hiatus following Operation Endgame law enforcement actions in May,” the tweet reads. Zscaler also listed the IP addresses of DanaBot’s new command-and-control (C2) infrastructure, as well as new cryptocurrency wallets used to siphon victim funds.
Not that disturbed anyway
The full list of C2s and IP addresses can be found here. The wallets DanaBot's operators now use to collect stolen funds hold BTC, ETH, LTC and TRX, Zscaler added.
DanaBot is a modular Windows banking Trojan with an extensive list of dangerous features. It has a plugin-based architecture that allows attackers to load additional payloads, including web-injects and form-grabbing, through which they can steal banking information, browser cookies and passwords.
It also allows for keylogging and screen capture, remote access and control, encrypted C2 communication, and various persistence mechanisms. It was first identified in May 2018, when security researchers found it targeting banking customers in Australia. Soon enough, it expanded to other regions, including Europe and North America.
But DanaBot disappeared after a law enforcement operation in March 2025, called Operation Endgame. Operation Endgame is an ongoing, international operation spearheaded by Europol, whose goal is to disrupt the malware delivery ecosystems and initial access infrastructure that enable ransomware and other large-scale cybercrime.
Some of the most popular backdoor, malware and loader operations were already disrupted through Operation Endgame, including IcedID, Smokeloader, Qakbot, Trickbot and of course – DanaBot. By targeting these components, authorities aim to break the ransomware kill chain at its source, rather than only hunting down late-stage ransomware gangs.
In addition to disrupting malware and backdoors, the police also seized thousands of domains, confiscated millions of dollars in various cryptocurrencies, made several arrests and issued even more international arrest warrants.
To defend against the reborn DanaBot attacks, organizations should add Zscaler’s new Indicators of Compromise (IoCs) to their block lists and update their security stack with new signatures.
Via Bleeping Computer