
DanaBot Returns: DanaBot Malware Rises Six Months Later.


The DanaBot malware has resurfaced with a new version just six months after its activity was severely disrupted by the international law enforcement action known as Operation Endgame in May.

According to security researchers at Zscaler ThreatLabz, the new variant, version 669, is actively using a rebuilt command-and-control (C2) infrastructure that relies on Tor domains (.onion) and "backconnect" nodes for stealth. Zscaler also identified several cryptocurrency addresses used by the attackers to receive stolen funds in BTC, ETH, LTC, and TRX.

DanaBot's Resilience

First identified as a banking trojan operating under a malware-as-a-service (MaaS) model, DanaBot evolved into a modular information stealer targeting credentials and cryptocurrency wallet data saved in web browsers. Although Operation Endgame significantly degraded the malware's operations and caused initial access brokers to pivot to other threats, DanaBot's quick reappearance demonstrates the resilience of cybercriminals when core operators are not arrested. The financial incentive remains strong enough to motivate a complete infrastructure rebuild.

Typical initial access methods for DanaBot include malicious emails, SEO poisoning, and malvertising campaigns, some of which lead to ransomware deployment. Organizations should update their security tools immediately and block the new indicators of compromise (IoCs) provided by Zscaler to defend against this renewed threat.
