467/68 Friday, November 14, 2025

Researchers have detected new DanaBot activity, marking the malware's return after its infrastructure was dismantled during the large-scale international Operation Endgame in May. The newly observed variant runs on rebuilt command-and-control (C2) infrastructure that uses Tor-based (.onion) domains and backconnect nodes to remotely control infected devices. Investigators also identified several cryptocurrency wallet addresses (in BTC, ETH, LTC, and TRX) that are likely used to receive stolen funds.
DanaBot has long been considered a high-impact threat. First identified as a banking trojan, offered under a Malware-as-a-Service (MaaS) model and spread through phishing emails and malicious advertisements, it later evolved into a modular malware platform that steals personal data, browser-stored passwords, and cryptocurrency wallet information and downloads additional malicious payloads. DanaBot has appeared in numerous campaigns since 2021.
Its re-emergence highlights the adaptability and resilience of the threat actors behind it. Even though the previous infrastructure was taken down, the operators quickly rebuilt and resumed operations. DanaBot continues to spread through familiar methods such as malicious email attachments, phishing links, SEO poisoning, and malware-laden ads, with some campaigns linked to ransomware groups.
Experts advise organizations to block the latest indicators of compromise (IoCs), enforce robust security monitoring, and keep systems and security tools updated regularly to mitigate the risk of infection.
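As an added illustration of the monitoring advice above (this is example code written for this note, not tooling from the researchers or from any vendor report), the script below hunts through DNS and connection logs for the two signals a Tor-based C2 rebuild leaves behind: exact hits on an indicator list, and any .onion name lookup at all, since .onion names never resolve through public DNS and a query from a workstation means a Tor-aware client or a Tor2web gateway is in play. The log format, the placeholder .onion host, and the RFC 5737 documentation-range IPs are all constructed for the example; real indicators must be taken from the published report.

```python
"""Hunt DNS/connection logs for Tor (.onion) C2 lookups and IoC hits.

Example code for this note. Indicator values and log lines are constructed
placeholders, not real DanaBot IoCs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed indicator set (placeholders, NOT real indicators) ---------
IOC_ONION_HOST = "c2placeholder" + "a" * 43 + ".onion"   # 56-char v3-style name
IOC_ONION_HOSTS = {IOC_ONION_HOST}
IOC_BACKCONNECT_IPS = {"203.0.113.45", "198.51.100.7"}  # RFC 5737 doc ranges
TOR_SOCKS_PORTS = {9050, 9150}  # default Tor SOCKS ports: a heuristic, not an IoC

# v3 onion names are 56 base32 chars, legacy v2 names were 16.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    kind: str       # ioc_onion | ioc_ip | onion_lookup | tor_socks_port
    detail: str
    severity: str   # high | medium


def parse_line(line):
    """Parse a constructed log line:
    '<ts> <src_ip> dns <qname>'  or  '<ts> <src_ip> conn <dst_ip>:<port>'.
    Returns None for anything else so malformed input is skipped, not crashed on."""
    parts = line.split()
    if len(parts) != 4 or parts[2] not in ("dns", "conn"):
        return None
    ts, src, kind, target = parts
    return ts, src, kind, target.lower()


def inspect(ts, src, kind, target):
    """Apply the detections to one parsed record and return any alerts."""
    alerts = []
    if kind == "dns":
        if target in IOC_ONION_HOSTS:
            alerts.append(Alert(ts, src, "ioc_onion", target, "high"))
        elif ONION_RE.search(target):
            # Not on the list, but a .onion query should never appear in
            # ordinary corporate DNS traffic; flag it for triage.
            alerts.append(Alert(ts, src, "onion_lookup", target, "medium"))
    else:  # conn
        host, _, port = target.rpartition(":")
        if host in IOC_BACKCONNECT_IPS:
            alerts.append(Alert(ts, src, "ioc_ip", target, "high"))
        if port.isdigit() and int(port) in TOR_SOCKS_PORTS:
            alerts.append(Alert(ts, src, "tor_socks_port", target, "medium"))
    return alerts


def hunt(lines):
    """Run every log line through the detections; return alerts in log order."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            alerts.extend(inspect(*parsed))
    return alerts


def hosts_to_isolate(alerts):
    """Source hosts with at least one confirmed IoC hit, with all their alert kinds."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a.src].add(a.kind)
    return {h: sorted(k) for h, k in by_host.items()
            if any(x.startswith("ioc_") for x in k)}


# Constructed sample log lines for the run below.
SAMPLE_LOGS = [
    "2025-11-14T09:58:01Z 10.0.0.21 dns update.example.com",
    f"2025-11-14T09:58:03Z 10.0.0.21 dns {IOC_ONION_HOST}",
    "2025-11-14T09:58:04Z 10.0.0.21 conn 203.0.113.45:443",
    f"2025-11-14T10:01:17Z 10.0.0.35 dns {'z' * 16}.onion",   # unknown v2-style name
    "2025-11-14T10:01:18Z 10.0.0.35 conn 127.0.0.1:9050",      # local Tor SOCKS port
    "2025-11-14T10:02:00Z 10.0.0.40 conn 198.51.100.200:443",  # not on the list
    "malformed line",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for a in found:
        print(f"{a.severity:6} {a.kind:15} {a.src} {a.detail}")
    print("isolate:", hosts_to_isolate(found))
```

The split into a high-severity indicator match and a medium-severity ".onion seen at all" detection matters: the indicator list goes stale as soon as the operators rotate hidden services, which this report shows they are willing to do, while the .onion lookup and Tor SOCKS-port heuristics keep firing on the next rebuild. Feed the hunt from real DNS and proxy logs (Zeek dns.log/conn.log or the resolver's query log) by adapting parse_line to that format.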
