Full Report
Note: This research was conducted and is presented as a collaboration between Black Lotus Labs, Team Cymru, and other partners. We stand by the assessments in the combined analysis presented in this research.
Executive Summary (excerpt): DanaBot first emerged in […]
Source: The post "Inside DanaBot’s Infrastructure: In Support of Operation Endgame II" appeared first on Lumen Blog.
Analysis Summary
# Threat Actor: DanaBot
## Attribution & Identity
DanaBot is tracked as an evolved, versatile, and persistent threat that operates using a Malware-as-a-Service (MaaS) model. It utilizes a multi-tiered architecture separated among various "affiliates" who purchase access. The analysis presented is a collaboration between Black Lotus Labs, Team Cymru, and other partners, contributing insight gained during Operation Endgame II.
## Activity Summary
DanaBot first emerged in 2018 as a banking trojan. It has since evolved to function as an infostealer and malware delivery platform, capable of establishing access for follow-on activities such as ransomware deployment (observed delivering threats like Latrodectus). Despite years of activity, it remained operational through 2025 until significantly disrupted by Operation Endgame II. The platform maintained an average of 150 active C2 servers daily, affecting roughly 1,000 daily victims across more than 40 countries. The infrastructure was highly stealthy, with only 25% of C2 servers having a public detection score greater than zero on VirusTotal. Its operations often involved cycling activity around high-profile events.
## Tactics, Techniques & Procedures
- **Stealth and Obfuscation:** Insulating C2 servers in multiple tiers to obfuscate tracking, similar to Emotet, IcedID, and Qakbot.
- **Multi-Tiered C2 Architecture:** Employing a layered communications infrastructure (T1, T2, T3 C2s) to proxy traffic between the victim and final controller, often involving two or three tiers before reaching the control panel.
- **Infection Vector (implied by mitigations):** Phishing and social engineering are primary means of initial access used by affiliates to distribute the malware.
- **Credential Theft:** The initial primary function was financial credential theft.
- **Defense Evasion:** Utilizing C2 communication over TCP/443 and selecting fewer targets than other loaders to maintain low visibility.
- **Professionalization:** Offering user-friendly functionality with structured pricing and customer support to affiliates.
## Targeting
- **Sectors:** Implied broad targeting due to its MaaS model, including victims that support ransomware operations.
- **Geography:** Consistently impacted countries include Mexico and the United States, with overall impact across more than 40 countries.
- **Victims:** Not explicitly named, but its role as an initial access broker suggests targeting organizations ripe for ransomware deployment.
## Tools & Infrastructure
- **Malware Families Used:** DanaBot (primary), observed delivering Latrodectus.
- **Infrastructure (C2):** Maintained an average of 150 active C2 servers daily in 2025. The architecture included:
  - Tier 1 (T1) C2s (communicating with victims over TCP/443).
  - Tier 2 (T2) C2s (dedicated or shared servers controlling T1s, with 5-6 active concurrently).
  - Tier 3 (T3) C2s (upstream servers adding a further layer of obfuscation).
  - A potential backup server at the highest tier.
- **C2/IP Static Nature:** Upstream and backend IPs remained largely static since June 2024. (Specific IOCs listed in the original article's GitHub repository are not transcribed here).
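The tiered design above means the T1 address a victim talks to is throwaway and the traffic sits on TCP/443 alongside ordinary HTTPS, so a defender who has no indicator to match on is left with behaviour: a timer-driven check-in to the same destination is far more regular than human browsing. The script below is an added example, not code from the report or from Black Lotus Labs; it runs a simple inter-arrival-time test over constructed flow records (the hosts, timestamps and the `203.0.113.10` destination standing in for a T1 are all constructed placeholders, not indicators from the research).

```python
"""Beacon detection over constructed outbound TCP/443 flow records.

Added example, not code from the Lumen / Black Lotus Labs report. All hosts,
addresses and timestamps are constructed; 203.0.113.10 is a placeholder for a
T1 C2, not an indicator from the report.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, src, dst, dst_port, bytes_out)
FLOWS = [
    # Host A: ~60-second check-in with a few seconds of jitter (beacon-like)
    *[(1_700_000_000 + 60 * i + j, "10.0.0.5", "203.0.113.10", 443, 512)
      for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -1])],
    # Host A: ordinary browsing to one site, irregular timing and sizes
    (1_700_000_013, "10.0.0.5", "198.51.100.7", 443, 40_000),
    (1_700_000_190, "10.0.0.5", "198.51.100.7", 443, 120_000),
    (1_700_000_455, "10.0.0.5", "198.51.100.7", 443, 3_000),
    # Host B: a handful of irregular visits to another site
    (1_700_000_005, "10.0.0.9", "198.51.100.20", 443, 9_000),
    (1_700_000_350, "10.0.0.9", "198.51.100.20", 443, 11_000),
    (1_700_000_360, "10.0.0.9", "198.51.100.20", 443, 2_000),
    (1_700_000_900, "10.0.0.9", "198.51.100.20", 443, 15_000),
]


def find_beacons(flows, min_connections=8, max_cv=0.15, port=443):
    """Return (src, dst) pairs whose connection timing looks timer-driven.

    cv = population stdev / mean of the gaps between successive connections.
    Human browsing to a site produces a high cv; a scheduled check-in, even
    with jitter, produces a low one. min_connections keeps short bursts from
    being judged on too few gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _size in flows:
        if dport == port:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "period_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:443 every ~{hit['period_s']}s "
              f"({hit['count']} connections, cv={hit['cv']})")
```

Only the constructed 10.0.0.5 to 203.0.113.10 pair is reported; the two browsing patterns are rejected by the timing test even if `min_connections` is lowered to 2. In practice the thresholds need tuning per environment (software updaters and monitoring agents also beacon), and the point is that the check works without any list of C2 addresses, which matters when, as the report notes, three quarters of the C2 servers had no public detection score at all.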
## Implications
DanaBot represented a sophisticated, professionalized Malware-as-a-Service platform that successfully leveraged deep C2 obfuscation to maintain long-term operational security, even while acting as a feeder for other major cybercrime operations, including ransomware. Its disruption via Operation Endgame II demonstrates the success of large-scale, coordinated law enforcement and industry collaboration against established criminal infrastructures.
## Mitigations
- Bolster defenses against phishing as an initial access vector.
- Fully monitor network resources.
- Ensure proper patch management is maintained.
- Conduct ongoing phishing and social engineering training for employees.
- For Corporate Network Defenders:
  - Continue looking for attacks on weak credentials and suspicious login attempts, even from residential IPs that bypass standard geofencing/ASN blocking.
  - Protect cloud assets from communicating with bots attempting password spraying attacks and block associated IoCs via Web Application Firewalls (WAFs).
  - Leverage sophisticated network perimeter countermeasures proactively to stop traffic from malicious points.
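The two defender items above (weak-credential attacks from residential IPs, and password spraying against cloud assets) share one detection problem: a source that is not on any block list and that never hammers a single account hard enough to trip a lockout. The script below is an added example, not code from the report; it flags a source by the breadth of accounts it touches inside a time window rather than by where it comes from. The log format, usernames and addresses are constructed (the `203.0.113.40` source is a placeholder for a residential-looking IP that geofencing and ASN blocking would let through).

```python
"""Password-spray / suspicious-login detection over constructed auth log lines.

Added example, not from the report. The log format, accounts and IPs are all
constructed; 203.0.113.40 stands in for a residential source that ASN or
geography filters would not block.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source tries six accounts once each in 15 seconds
# and lands on the sixth; the other two sources are ordinary logins.
SAMPLE_LOG = """\
2025-05-20T10:00:01Z auth failure user=alice src=203.0.113.40
2025-05-20T10:00:04Z auth failure user=bob src=203.0.113.40
2025-05-20T10:00:07Z auth failure user=carol src=203.0.113.40
2025-05-20T10:00:10Z auth failure user=dave src=203.0.113.40
2025-05-20T10:00:13Z auth failure user=erin src=203.0.113.40
2025-05-20T10:00:16Z auth success user=frank src=203.0.113.40
2025-05-20T10:01:00Z auth failure user=alice src=198.51.100.9
2025-05-20T10:01:30Z auth success user=alice src=198.51.100.9
2025-05-20T10:05:00Z auth success user=bob src=192.0.2.8
"""


def parse(text):
    """Yield one dict per well-formed line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_spray(text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that hit many distinct accounts with few attempts each.

    Spraying is one password against many users, so the tell is account
    breadth (>= min_users) with shallow depth (<= max_per_user attempts per
    account); a single account hit many times is brute force and would be
    caught by lockout policy instead. Any success inside the flagged window
    is reported as a probable compromised account.
    """
    by_src = defaultdict(list)
    for event in sorted(parse(text), key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)

    alerts = []
    for src, events in by_src.items():
        best = None
        start = 0
        for end in range(len(events)):          # sliding window per source
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            attempts = defaultdict(int)
            for e in win:
                attempts[e["user"]] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                best = {                          # later windows supersede earlier ones
                    "src": src,
                    "users": sorted(attempts),
                    "compromised_accounts": sorted(
                        {e["user"] for e in win if e["result"] == "success"}),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG):
        print(f"spray from {alert['src']}: {len(alert['users'])} accounts, "
              f"successes: {alert['compromised_accounts'] or 'none'}")
```

The only alert is for the constructed 203.0.113.40 source, with `frank` listed as the account to reset; the user who mistyped a password once and the normal login generate nothing. Because the logic keys on behaviour rather than source reputation, it holds up against the residential-proxy traffic the mitigation list warns about, and the `users` field gives the IoC to push to the WAF block list the next item mentions.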