Full Report
The DanaBot malware has returned with a new version observed in attacks, six months after law enforcement's Operation Endgame disrupted its activity in May. [...]
Analysis Summary
# Tool/Technique: DanaBot
## Overview
DanaBot is a modular malware that originated as a Delphi-based banking trojan and has since evolved into a versatile information stealer and loader. It operates on a Malware-as-a-Service (MaaS) model. The malware family has recently resurfaced with a new version (v669) following a significant infrastructure disruption caused by Operation Endgame in May.
## Technical Details
- Type: Malware family (Banking Trojan, Information Stealer, Loader)
- Platform: Windows
- Capabilities: Information theft (browser credentials, cryptocurrency wallet data), loading other modules, MaaS distribution.
- First Seen: Prior to May 2024 (disrupted), Resurfaced November 2025 (new variant).
## MITRE ATT&CK Mapping
Since the article focuses on the tool's capabilities rather than a live intrusion analysis, mappings are inferred based on its known functions as an information stealer and loader.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (via malicious emails/attachments)
- **TA0009 - Collection**
  - T1005 - Data from Local System (targeting stored credentials/wallets)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (implied by C2 usage)
## Functionality
### Core Capabilities
- **Banking Trojan Functionality:** Initially designed as a banking trojan.
- **Information Stealing:** Targets and exfiltrates credentials and cryptocurrency wallet data stored in web browsers.
- **Modular Execution:** Functions as a loader for various modules.
### Advanced Features
- **MaaS Model:** Rented to other cybercriminals via subscription fees.
- **Evolved Toolset:** Updated functionality beyond banking, incorporating information-stealing and loader components.
- **Resilient C2 Infrastructure:** The new variant utilizes a rebuilt command-and-control infrastructure, specifically employing **Tor domains (.onion)** and **"backconnect" nodes** for improved operational security.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: [Not provided in the text]
- Registry Keys: [Not provided in the text]
- Network Indicators: C2 infrastructure using Tor hidden-service domains (.onion addresses) and "backconnect" nodes. (Illustrative defanged placeholder, not an observed indicator: `c2server[.]onion`)
- Behavioral Indicators: Distribution via malicious emails (links/attachments), SEO poisoning, and malvertising campaigns. Cryptocurrency addresses (BTC, ETH, LTC, TRX) are used to receive stolen funds.
## Associated Threat Actors
- Various cybercriminals leasing the malware via the Malware-as-a-Service (MaaS) model.
- The core operators who were disrupted by Operation Endgame but have since rebuilt infrastructure.
## Detection Methods
- Signature-based detection: Updating blocklists with new IoCs from the resurfaced campaigns.
- Behavioral detection: Monitoring for anomalous network traffic indicative of Tor usage (for example, .onion name lookups reaching internal resolvers) and for atypical process access to browser credential and cryptocurrency wallet storage locations.
- YARA rules: [Not provided in the text]
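One way to implement the Tor-related part of the behavioral monitoring above, as an added example that is not from the article or from any vendor tooling: a small Python scanner over dnsmasq-style resolver log lines that flags `.onion` lookups reaching the internal resolver. RFC 7686 reserves `.onion` as a special-use name that Tor clients resolve internally, so such a query hitting the corporate resolver points to a leaking or misconfigured client and is worth investigating. The log format, hostnames and IP addresses below are constructed.

```python
import re
from dataclasses import dataclass

# Constructed dnsmasq-style resolver log lines; not taken from any real capture.
SAMPLE_DNS_LOG = """\
Nov 12 09:14:02 gw dnsmasq[811]: query[A] update.microsoft.com from 10.0.0.21
Nov 12 09:14:05 gw dnsmasq[811]: query[A] placeholderhiddenservice.onion from 10.0.0.45
Nov 12 09:14:06 gw dnsmasq[811]: query[AAAA] placeholderhiddenservice.onion from 10.0.0.45
Nov 12 09:14:09 gw dnsmasq[811]: query[A] cdn.example.net from 10.0.0.21
Nov 12 09:15:31 gw dnsmasq[811]: query[A] onion.example.com from 10.0.0.33
"""

# Matches the "query[<type>] <name> from <client>" portion of a dnsmasq query line.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


@dataclass(frozen=True)
class OnionLeak:
    src: str    # client that sent the query to the resolver
    name: str   # queried name
    qtype: str  # record type (A, AAAA, ...)


def is_onion_name(name: str) -> bool:
    """True only when the rightmost label is 'onion' (RFC 7686 special-use TLD).

    'onion.example.com' is deliberately NOT a hit: the label must be the TLD.
    """
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def find_onion_leaks(log_text: str) -> list[OnionLeak]:
    """Return every .onion lookup that reached the resolver, in log order."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion_name(m.group("name")):
            leaks.append(OnionLeak(m.group("src"), m.group("name"), m.group("qtype")))
    return leaks


def leaks_per_host(leaks: list[OnionLeak]) -> dict[str, int]:
    """Aggregate leaks by source host so repeat offenders surface first in triage."""
    counts: dict[str, int] = {}
    for leak in leaks:
        counts[leak.src] = counts.get(leak.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for host, n in leaks_per_host(find_onion_leaks(SAMPLE_DNS_LOG)).items():
        print(f"{host}: {n} .onion lookup(s) reached the resolver")
```

Feed the same function real resolver or proxy logs by swapping the regular expression for the format in use; the `.onion` check and per-host aggregation stay unchanged.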
## Mitigation Strategies
- **Blocklist Management:** Organizations should update their security tool blocklists with the new Indicators of Compromise (IoCs) identified by researchers like Zscaler.
- **Initial Access Prevention:** Enhance defenses against traditional initial access vectors: filter and scan email attachments/links, monitor for SEO poisoning results, and scrutinize malvertising sources.
- **Network Monitoring:** Implement monitoring for unusual outbound connections, particularly hosts attempting to resolve .onion names or communicate with the Tor network.
## Related Tools/Techniques
- Other malicious payloads potentially used by Initial Access Brokers (IABs) who pivoted during DanaBot's downtime.
- Various banking trojans and information stealers (due to its evolution from a banking trojan to a modular stealer).