The DanaBot malware operation has resumed activity, deploying a new version in live campaigns just six months after a coordinated international law enforcement action disrupted its infrastructure in May 2025 [1]. The return of this information stealer and banking Trojan, now identified as version 669, shows how resilient cybercriminal enterprises are when their core operators remain at large [2]. Organizations worldwide should treat this as a renewed threat and update their defenses accordingly.
The resurgence was confirmed through new campaigns observed in November 2025, featuring rebuilt command-and-control (C2) infrastructure and updated capabilities focused on cryptocurrency theft [3]. Researchers have published indicators of compromise (IoCs) for the new infrastructure, including direct C2 servers at 62.60.226[.]146:443, 62.60.226[.]154:443 and 80.64.19[.]39:443, plus Tor-based C2 servers for operational resilience [2]. A backconnect server at 158.94.208[.]102, listening on ports 443 and 8080, has also been documented in the new campaigns.
Operation Endgame’s Impact and Limitations
Operation Endgame II, conducted in May 2025, was a coordinated international effort to dismantle DanaBot’s operational infrastructure [4]. The action seized servers, neutralized domains and resulted in federal charges against 16 defendants for their roles in the malware scheme [5]. According to the U.S. Department of Justice, the DanaBot operation had infected more than 300,000 computers worldwide and caused an estimated $50 million in damages before the takedown. The operation was described as a major blow to the cybercrime ecosystem, but the current resurgence highlights how hard permanent disruption is when the key architects avoid capture.
Two Russian nationals, Aleksandr Stepanov (also known as “JimmBee”) and Artem Aleksandrovich Kalinkin (alias “Onix”), were identified as leaders of the DanaBot scheme [5]. Both are believed to be in Russia and remain at large, which likely made the relatively quick rebuilding of operations possible. Before the takedown, the malware’s infrastructure averaged about 150 active Tier 1 C2 servers per day and roughly 1,000 new victims daily across more than 40 countries, with Brazil, Mexico and the United States the most heavily targeted [6].
Technical Capabilities and Evolution
DanaBot first appeared in 2018 as a banking Trojan and has since evolved into a modular information stealer and loader platform sold as Malware-as-a-Service (MaaS) [7]. Its core capabilities include keylogging, form grabbing, file exfiltration (for espionage and for cryptocurrency wallet files), SOCKS proxy functionality, remote desktop access via VNC, web injects, screenshot and video capture, and clipboard hijacking [8]. That feature set makes it dangerous to individual users and enterprise environments alike.
The malware establishes persistence through one of several mechanisms (a Windows service, a Registry Run key or a scheduled task), using an algorithm derived from the host’s hardware GUID [8]. For network communications, DanaBot uses a custom binary protocol protected with 1,024-bit RSA and 256-bit AES in CBC mode, with Tor available as a fallback channel. Before the takedown, only 25% of its C2 servers had a VirusTotal detection score greater than zero, so defenders could not rely on reputation scores alone to spot its infrastructure [6].
Infection Vectors and Defense Recommendations
DanaBot typically gains initial access through phishing emails carrying malicious attachments or links, search engine optimization (SEO) poisoning and malvertising campaigns [1]. Organizations should update blocklists and security tooling with the newly published IoCs without delay. The new variant is built to steal cryptocurrency and carries hardcoded wallet addresses for Bitcoin, Ethereum, Litecoin and TRON; those addresses are themselves usable as indicators, and transfers to them are a key detection point.
Corporate security teams should watch for attacks originating from residential IP addresses, since infected hosts can be used as SOCKS proxies, and should protect cloud assets with updated Web Application Firewall rules that incorporate the known IoCs [6]. Ongoing phishing and social engineering training remains essential against the initial infection vectors. Because the infrastructure mixes direct IP-based C2 servers with Tor hidden services, defenses must cover both conventional and anonymized outbound traffic: the direct IPs and ports can be blocklisted and alerted on, while Tor connections from endpoints with no business reason for them deserve an alert of their own.
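As a worked example of putting the published indicators to use, the following script matches outbound connection records against the DanaBot C2 and backconnect addresses quoted above. It is added here for illustration and is not code from the article or from any of the cited vendors; the five-field log layout (timestamp, source IP, destination IP, destination port, firewall action) and the sample lines are constructed assumptions, not a real product format. The script keeps the indicators defanged the way feeds publish them, refangs them before matching, and grades hits: an exact IP:port match is reported at high confidence, while traffic to a listed IP on an unlisted port is still reported at medium confidence so a server that changes ports is not silently missed.

```python
"""Match outbound connection logs against published DanaBot C2 indicators (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Indicators as quoted in the text above, kept defanged ("[.]") as feeds publish them.
DANABOT_IOCS: dict[str, list[str]] = {
    "direct_c2": ["62.60.226[.]146:443", "62.60.226[.]154:443", "80.64.19[.]39:443"],
    "backconnect": ["158.94.208[.]102:443", "158.94.208[.]102:8080"],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a form a matcher can use."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


def parse_ioc(ioc: str) -> tuple[str, int | None]:
    """Split 'ip:port' (port optional) and validate that the host is an IP address."""
    host, _, port = refang(ioc).partition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed indicator
    return host, (int(port) if port else None)


def build_index(iocs: dict[str, list[str]]) -> dict[str, dict[int | None, str]]:
    """Build ip -> {port: role}. A None port means the indicator applies to any port."""
    index: dict[str, dict[int | None, str]] = defaultdict(dict)
    for role, entries in iocs.items():
        for entry in entries:
            ip, port = parse_ioc(entry)
            index[ip][port] = role
    return dict(index)


# Constructed sample log lines (assumed layout): timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2025-11-12T09:14:02Z 10.20.1.15 62.60.226.146 443 allow
2025-11-12T09:14:07Z 10.20.1.15 8.8.8.8 53 allow
2025-11-12T09:15:30Z 10.20.1.22 158.94.208.102 8080 allow
2025-11-12T09:16:01Z 10.20.1.22 80.64.19.39 80 deny
2025-11-12T09:16:45Z 10.20.1.31 203.0.113.9 443 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def match_line(line: str, index: dict[str, dict[int | None, str]]) -> dict | None:
    """Return a finding for one log line, or None when the destination is not listed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line; a production pipeline would count these
    ports = index.get(m["dst"])
    if ports is None:
        return None
    dport = int(m["dport"])
    role = ports.get(dport) or ports.get(None)
    finding = {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
               "dport": dport, "action": m["action"]}
    if role:
        finding.update(role=role, confidence="high")   # exact ip:port hit
    else:
        # Listed IP, unlisted port: still worth an analyst's look.
        finding.update(role=next(iter(ports.values())), confidence="medium")
    return finding


def scan(log_text: str, iocs: dict[str, list[str]] = DANABOT_IOCS) -> list[dict]:
    """Scan a block of log text and return all findings in log order."""
    index = build_index(iocs)
    return [f for f in (match_line(ln, index) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"[{hit['role']}, {hit['confidence']}, fw={hit['action']}]")
```

Note that the fourth sample line was denied by the firewall yet is still reported: a blocked connection attempt to a known C2 address is evidence that the source host is infected, which is the finding that matters for response.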
Broader Implications for Cybercrime Takedowns
The rapid recovery of the DanaBot operation after a significant law enforcement action illustrates the persistent challenge of permanently dismantling cybercriminal enterprises. The Malware-as-a-Service model, in which core developers lease the platform to affiliates for a monthly fee, distributes operational responsibility in a way that survives the removal of individual components [7]. That resilience is greater still when the key technical architects remain free and can rebuild infrastructure.
The takedown of Lumma Stealer in the same period offers a contrast in operational impact [4]. While DanaBot has shown considerable recovery capability, the Lumma operation appears to have suffered more lasting damage, with more than 2,300 domains seized and traffic sinkholed from over 394,000 infected Windows computers. The difference in recovery speed may come down to whether key personnel were captured, to differences in infrastructure design, or to the specific nature of the actions taken against each operation.
The return of DanaBot underscores the need for continuous monitoring and adaptive defense strategies even after successful law enforcement actions against malware operations. Security teams should maintain awareness that disrupted threats may resurface with improved capabilities and should establish processes for rapidly integrating new IoCs into defensive systems as they become available through threat intelligence sources.
References
- “DanaBot malware is back to infecting Windows after 6-month break,” BleepingComputer, Nov. 12, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/danabot-malware-is-back-to-infecting-windows-after-6-month-break/
- “DanaBot Malware Version 669,” Cyber Press, Nov. 11, 2025. [Online]. Available: https://cyberpress.org/danabot-malware-version-669/
- “DanaBot Malware,” GBHackers, Nov. 11, 2025. [Online]. Available: https://gbhackers.com/danabot-malware/
- “Risky Bulletin: Authorities and security firms take down DanaBot and Lumma Stealer,” Risky.Biz, May 23, 2025. [Online]. Available: https://news.risky.biz/risky-bulletin-authorities-and-security-firms-take-down-danabot-and-lumma-stealer/
- “16 Defendants Federally Charged in Connection with DanaBot Malware Scheme that Infected Computers Worldwide,” U.S. Department of Justice, May 22, 2025. [Online]. Available: https://www.justice.gov/usao-cdca/pr/16-defendants-federally-charged-connection-danabot-malware-scheme-infected-computers
- “Inside DanaBot’s Infrastructure in Support of Operation Endgame II,” Team Cymru, Apr. 8, 2025. [Online]. Available: https://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii
- “DanaBot’s New Tactics and Targets Arrive in Time for Peak Phishing,” F5 Labs, Dec. 9, 2019. [Online]. Available: https://www.f5.com/labs/articles/danabot-s-new-tactics-and-targets-arrive-in-time-for-peak-phishi
- “Operation Endgame 2.0: Danabusted,” Zscaler ThreatLabz, May 22, 2025. [Online]. Available: https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted
- “Russia: DanaBot Hacker Malware Used for State Spying,” RFE/RL, Jun. 20, 2025. [Online]. Available: https://www.rferl.org/a/russia-danabot-hacker-malware-state-spying/33449258.html