Tech Wavo

DanaBot malware returns with a vengeance, targeting Windows devices – here’s how to stay safe

Tech Wavo by Tech Wavo
November 14, 2025



  • DanaBot has resurfaced with version 669 and rebuilt infrastructure after Operation Endgame disruption
  • It features modular payloads, encrypted C2, and supports crypto theft via BTC, ETH, LTC, and TRX
  • Zscaler urges organizations to block new IoCs and update defenses against DanaBot’s return

DanaBot, the infamous banking trojan disrupted during the recent Operation Endgame efforts, has resurfaced, researchers have revealed.

Cybersecurity researchers at Zscaler said they observed DanaBot resurface with version 669, sporting rebuilt infrastructure.

“DanaBot has resurfaced with version 669 after nearly a 6-month hiatus following the Operation Endgame law enforcement actions in May,” the tweet reads. Zscaler also listed the IP addresses for DanaBot’s new command-and-control (C2) infrastructure, as well as new cryptocurrency wallets used to siphon victim funds.



Not so disrupted after all

The full list of C2s and IP addresses can be found here. DanaBot can now receive cash in BTC, ETH, LTC, and TRX, Zscaler added.

DanaBot is a modular Windows banking trojan with an extensive list of dangerous features. It sports a plugin-based architecture that allows attackers to load additional payloads, including web-injects and form-grabbing, through which they can steal banking credentials, browser cookies, and passwords.

It also allows for keylogging and screen capture, remote access and control, encrypted C2 communications, and various persistence mechanisms. It was first spotted in May 2018, when security researchers detected it targeting banking customers in Australia. Soon enough, it expanded to other regions, including Europe and North America.

However, DanaBot went missing after a law enforcement operation in March 2025, called Operation Endgame. This sting is an ongoing, international operation, spearheaded by Europol, whose goal is to disrupt malware delivery ecosystems and the initial access infrastructure that enables ransomware and other large-scale cybercrime.


Some of the most popular backdoor, malware, and loader operations were already disrupted through Operation Endgame, including IcedID, Smokeloader, Qakbot, Trickbot, and, obviously, DanaBot. By hitting these components, authorities aim to break the ransomware kill-chain at its source, rather than only chasing end-stage ransomware gangs.

Besides disrupting malware and backdoors, the police also seized thousands of domains, confiscated millions of dollars in different cryptocurrencies, made numerous arrests, and issued even more international arrest warrants.

To defend against the reborn DanaBot attacks, organizations should add Zscaler’s new Indicators of Compromise (IoCs) to their blocklists, and update their security stack with new signatures.
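Blocking new C2 addresses only covers future traffic, so it helps to sweep existing egress logs for the same indicators. The sketch below is an added example, not code from Zscaler or the original article: it normalizes a defanged IoC list and matches it against firewall log lines. The IP addresses are placeholders from documentation ranges, and the log layout and function names are assumptions.

```python
import ipaddress
import re

# Constructed IoC feed: placeholder addresses from RFC 5737 documentation
# ranges, NOT DanaBot's real C2 servers. Published lists are often defanged.
SAMPLE_IOCS = """
# C2 placeholders
192.0.2[.]15:443
hxxps://198.51.100[.]77/
203.0.113.9
not-an-ip
"""

# Constructed firewall log (assumed layout): time, host, dest IP, port, action
SAMPLE_LOG = """
2025-11-14T09:12:01Z WS-0142 192.0.2.15 443 ALLOW
2025-11-14T09:12:05Z WS-0077 198.51.100.10 443 ALLOW
2025-11-14T09:13:40Z WS-0142 198.51.100.77 443 DENY
2025-11-14T09:15:02Z SRV-DB1 203.0.113.90 8080 ALLOW
"""

def parse_iocs(text):
    """Return the set of valid IPv4 indicators, refanged and de-duplicated."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        line = line.replace("[.]", ".").replace("(.)", ".")
        line = re.sub(r"^hxxps?://", "", line, flags=re.I)
        host = re.split(r"[:/]", line, maxsplit=1)[0]  # strip port and path
        try:
            iocs.add(ipaddress.IPv4Address(host))
        except ipaddress.AddressValueError:
            continue  # not an IPv4 address (domain, wallet, typo): skip it
    return iocs

def sweep(log_text, iocs):
    """Return (host, dest_ip, action) for each line whose destination is an IoC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, host, dst, _port, action = fields
        try:
            # Compare parsed addresses, so 203.0.113.90 never matches 203.0.113.9
            if ipaddress.IPv4Address(dst) in iocs:
                hits.append((host, dst, action))
        except ipaddress.AddressValueError:
            continue
    return hits

if __name__ == "__main__":
    for host, dst, action in sweep(SAMPLE_LOG, parse_iocs(SAMPLE_IOCS)):
        print(f"{host} -> {dst} ({action})")
```

A hit with an ALLOW action means the traffic reached the listed address before the block was in place, so that host is a candidate for isolation and investigation rather than just a blocked connection.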

Via BleepingComputer

