DanaBot Malware – Deep Dive
Overview: DanaBot, also known as DanaTools, is a sophisticated and highly adaptable banking Trojan and infostealer that first emerged around May 2018. It quickly became a prominent threat in the cybercriminal landscape due to its advanced capabilities and modular architecture, primarily designed to steal financial credentials and facilitate fraudulent transactions. Over the years, DanaBot evolved beyond just banking fraud, transitioning into a versatile initial access broker, often used as a precursor to more damaging attacks, including widespread ransomware deployments. Proofpoint tracks DanaBot as TA547, while ESET Research has been tracking its activity since its inception in 2018. Flashpoint has also provided significant intelligence on the DanaBot group, which they refer to as "The DanaBot Group."
Technical Characteristics and Capabilities:
Core Infostealer & Banking Trojan Functionality: DanaBot's foundational purpose is to intercept online banking credentials and steal various sensitive data. It achieves this through:
Web injects: Dynamically modifying legitimate banking websites in real-time to display fake login forms, request additional sensitive information, or alter transaction details. This is a hallmark of sophisticated banking Trojans.
Form grabbing: Capturing data entered into web forms before encryption and transmission.
Keylogging & Screen Recording: Recording keystrokes and capturing screenshots or even video of selected applications or websites at intervals to capture credentials, sensitive input, and visual context.
Session hijacking: Taking over active banking sessions.
Data from various clients: Ability to steal data from browsers, mail clients, FTP clients, and other popular software.
FileGrabber command: Commonly used for stealing cryptocurrency wallets and performing reconnaissance of file systems.
Clipboard data collection: Capturing information copied to the clipboard.
Modular Architecture (Delphi-based): A defining characteristic of DanaBot is its highly modular design, coded in the Delphi programming language. This provides immense flexibility to its operators:
Customization and Expansion: Easily add or remove specific modules for functionalities like VNC for remote access, SOCKS proxy for traffic relay, and various information-stealing capabilities from web browsers, FTP, SSH, and email clients. This modularity is a critical factor in its longevity and adaptability.
Evasion and Adaptability: Modularization complicates static analysis and allows for rapid updates to bypass evolving security measures.
Payload Delivery: DanaBot frequently acts as a loader, deploying a wide variety of second-stage malware payloads onto infected systems. ESET has observed it delivering:
Stealers: SystemBC, Rescoms, Ursnif, Smokeloader, Zloader, Lumma Stealer, RecordBreaker.
Remote Administration Tools (RATs): NetSupportManager.
Ransomware: LockBit, Buran, Crisis, and NonRansomware variants.
Hand-off to ransomware operators: Microsoft Threat Intelligence reported instances of DanaBot being used to directly hand over control of compromised systems to ransomware gangs.
Sophisticated C2 Communication: DanaBot employs a distinct, multi-tiered network architecture, utilizing a custom binary protocol encrypted with AES-256 (with RSA for session key key-exchange).
Components: The network comprises the malware (bot), the client (for administration), one or more proxies (to hide the backend server's location), and the backend server.
Encryption and Obfuscation: Traffic is compressed using ZIP and zlib. ESET notes that newer versions added random "junk bytes" to disguise communication, although an accidental bug in older versions (fixed in February 2025) sometimes exposed surrounding server memory, providing valuable insights to researchers.
Fallback Channels: Bots can be configured to communicate via the Tor network as a fallback if regular proxy chains become unavailable.
Scale: Lumen Technologies' Black Lotus Labs observed an average of 150 active C2 servers per day, making it one of the largest Malware-as-a-Service (MaaS) platforms by C2 count.
Evasion Techniques: To maintain persistence and avoid detection, DanaBot employs:
Anti-analysis checks: Detection of virtual environments and debuggers.
Code obfuscation: Encryption, packing, and other methods to hinder analysis.
Stealthy persistence mechanisms: Various methods depending on the version and user permissions.
Defender/Firewall Exclusions: Can configure exclusions in Windows Defender or Firewall.
Process Hiding: Ability to hide its own process.
Process Injection: Can inject its main component into other processes for protection.
Distribution Methods:
DanaBot has been widely distributed through diverse and evolving tactics by its various affiliates:
Email Campaigns (Primary Vector): ESET and Proofpoint highlight email as a primary distribution vector. Campaigns often feature:
Malicious Attachments: Weaponized documents (e.g., Microsoft Word with macros) or malicious executables.
Malicious Links: Redirecting users to compromised websites. Initial campaigns in 2018 often used themes related to invoices, payment advice, or shipping.
Malvertising & SEO Poisoning: Misusing Google Ads to display seemingly legitimate but malicious websites among sponsored search results. These often link to bogus software download sites (e.g., fake Advanced IP Scanner sites) or fraudulent "unclaimed funds" websites.
Social Engineering via Clipboard: A recent technique involves deceptive websites offering solutions for fabricated computer issues, luring victims into executing a malicious command secretly inserted into their clipboard.
Compromised Websites: Drive-by downloads from websites infected by attackers.
Other Malware Loaders: Distributed directly by other malware, including Smokeloader, DarkGate, and Matanbuchus (with which DanaBot developers partnered for bundle pricing).
Supply Chain Attacks: Notable instances include its distribution through compromised NPM packages (e.g.,
ua-parser-js,coa) in 2021, demonstrating its versatility in leveraging the software supply chain.
Malware-as-a-Service (MaaS) Model: DanaBot operates as a full-fledged MaaS platform. Its core development group (JimmBee and Onix, see below) lease access to their toolset to other threat actors, known as affiliates. These affiliates pay subscription fees, often ranging from $3,000 to $4,000 per month, for access to the administration panel and tools. ESET notes the authors even maintained a support page on the Tor network detailing capabilities and rental options.
Affiliate Toolset: The typical toolset provided to affiliates includes:
Administration Panel Application: A GUI application allowing affiliates to manage bots, view statistics, issue commands, configure web injects, view and export stolen data, set up alerts, and generate new DanaBot builds.
Backconnect Tool: A standalone utility enabling real-time remote control of bots via remote desktop (VNC/RDP) and file system reconnaissance.
Proxy Server Application: For both Windows and Linux, used to relay traffic and hide the C2 server's location, ensuring anonymity.
Build Generation Options: Affiliates can configure various build parameters (C2 server lists, obfuscation, bitness) and choose payload types (DLL, EXE loader, EXE dropper, MSI package). The actual build process is handled by the DanaBot authors' servers.
Infrastructure Options: While the authors initially used a single centralized server, they later offered affiliates the option of renting space on their shared infrastructure or installing a private C2 server for higher-tier customers. The shared infrastructure option was more popular.
Impact and Evolution:
DanaBot has infected over 300,000 computers globally, causing at least $50 million in damages through fraud and ransomware. Its victims have included individuals, businesses, and sensitive military, diplomatic, and government entities across North America, Europe, Brazil, and Mexico. ESET telemetry shows Poland historically as one of the most targeted countries, alongside the United States, Australia, Italy, and Ukraine in early campaigns.
Transition to Initial Access Broker: DanaBot transitioned from purely a banking Trojan to a prominent initial access broker, providing a critical foothold for other malware families, especially ransomware. Flashpoint highlights that The DanaBot Group's shift to focusing on providing access to systems for other groups allowed them to maximize their monetization efforts.
State-Sponsored Link (Scully Spider): CrowdStrike (tracking the actor as "Scully Spider") and Proofpoint identify a nexus with Russian government interests. Two specific DanaBot sub-botnets (24 and 25) were used for espionage, targeting diplomats, law enforcement, and military personnel in North America and Europe, indicating a blend of cybercrime and intelligence-gathering objectives. Flashpoint also points to this nexus, noting the group's "ambiguous" nature between state-sponsored and financially motivated activity.
DDoS Capabilities: DanaBot has also been observed utilizing compromised machines for launching DDoS attacks, such as against Ukraine’s Ministry of Defense and even a Russian Arduino development site, likely motivated by affiliate ambitions or political leanings.
Operation Endgame 2.0: DanaBusted
In May 2025, a significant international law enforcement operation, dubbed "Operation Endgame 2.0," delivered a major blow to DanaBot's operations. This coordinated effort involved agencies like Europol, Eurojust, the U.S. Department of Justice (DoJ), the FBI, and the Australian Federal Police, alongside private sector cybersecurity firms (including ESET, Flashpoint, Zscaler, Amazon, CrowdStrike, Google, Intel 471, Lumen, PayPal, Proofpoint, and Team Cymru). ESET's involvement dates back to 2018, providing critical technical analyses and C2 server identification. Flashpoint's intelligence, including detailed insights into the DanaBot Group's operations and key individuals, was instrumental in the success of the takedown.
Infrastructure Takedown: Authorities successfully seized DanaBot's command-and-control (C2) servers, including dozens of virtual servers hosted in the United States. This action effectively neutralized the threat actors' ability to issue commands, update the malware, or exfiltrate data from compromised systems. Over 300 servers and 650 domains linked to various malware operations, including DanaBot, were taken down worldwide.
Arrests and Indictments: The U.S. DoJ unsealed charges against 16 individuals for their alleged involvement in developing, administering, and deploying DanaBot. Key suspects, Aleksandr Stepanov (aka JimmBee, 39) and Artem Aleksandrovich Kalinkin (aka Onix, 34), both from Novosibirsk, Russia, were charged with conspiracy, fraud, identity theft, and computer crimes. JimmBee and Onix were noted as main developers and administrators who promoted the toolset on underground forums and handled sales. Flashpoint highlights that JimmBee was identified as a key developer and administrator since at least 2018. They remain at large.
Financial Seizures: Over EUR 3.5 million (approximately $3.97 million) in cryptocurrency was seized during this phase of Operation Endgame, adding to the total seizures of over EUR 21.2 million ($24.04 million) in the broader operation.
OpSec Blunder Unveiled: A critical detail, confirmed by the indictments, was that some of the DanaBot developers and administrators inadvertently infected their own personal computers with the malware (likely through a compromised WinRAR installer they acquired). This significant operational security blunder led to law enforcement accessing sensitive data from their systems, which helped in their identification and the overall takedown efforts. Flashpoint also points to this crucial error, which provided law enforcement with direct evidence.
Current Status and Future Outlook:
The disruption of DanaBot's infrastructure and the indictment of its operators represent a substantial victory for law enforcement and cybersecurity professionals. While such operations significantly impair malware functionality and impose costs on threat actors, cybercriminal groups often attempt to retool or re-form. ESET notes that it remains to be seen whether DanaBot can fully recover from this takedown. Flashpoint views this operation as a "monumental achievement," effectively dismantling a major player in the MaaS landscape. The collaboration between public and private sectors in "Operation Endgame" sets a precedent for future coordinated actions against global cybercrime.
Mitigation and Prevention:
Defending against sophisticated malware like DanaBot requires proactive and layered security measures:
User Education: Continuously educate users on recognizing phishing emails, suspicious links, and the dangers of downloading software from unofficial sources. Emphasize extreme caution with attachments, even seemingly legitimate ones, and vigilance against social engineering tactics like clipboard-based attacks.
Robust Endpoint Security: Implement advanced endpoint detection and response (EDR) solutions, antivirus software with behavioral analysis, and exploit prevention.
Strict Network Segmentation and Monitoring: Utilize firewalls, intrusion detection/prevention systems (IDS/IPS), and actively monitor network traffic for anomalous C2 communications and signs of exfiltration.
Comprehensive Patch Management: Ensure all operating systems, web browsers, and applications are regularly updated to close known vulnerabilities.
Multi-Factor Authentication (MFA): Enforce MFA for all online accounts, especially banking and critical services, to significantly mitigate the impact of stolen credentials.
Regular Data Backups: Maintain frequent, offsite backups of critical data to facilitate recovery from ransomware or other destructive attacks.
Proactive Threat Intelligence: Utilize up-to-date threat intelligence feeds to understand emerging DanaBot variants and distribution tactics.
Software Supply Chain Security: Be highly cautious about the sources of software downloads, especially for common utilities like file archivers, and verify their integrity where possible. Only download software from official vendor websites.
References: