- DanaBot has resurfaced as version 669 with rebuilt infrastructure after the Operation Endgame disruption.
- It features modular payloads and encrypted C2, and supports cryptocurrency theft via BTC, ETH, LTC, and TRX wallets.
- Zscaler urges organizations to block the new IoCs and update defenses against DanaBot's return.
DanaBot, the infamous banking Trojan disrupted during recent Operation Endgame efforts, has resurfaced, researchers have revealed.
Researchers at Zscaler said they observed DanaBot resurface as version 669, sporting a rebuilt infrastructure.
“DanaBot has resurfaced with version 669 after a nearly 6-month hiatus following the Operation Endgame police actions in May,” Zscaler's post reads. Zscaler also listed the IP addresses of DanaBot’s new command and control (C2) infrastructure, as well as the new cryptocurrency wallets used to siphon victims’ funds.
Not so disturbed after all
The full list of C2 IP addresses is in Zscaler's post. The new wallets accept BTC, ETH, LTC, and TRX, Zscaler added.
DanaBot is a modular banking Trojan for Windows with an extensive list of dangerous features. It has a plugin-based architecture that lets attackers load additional payloads, including web injections and form grabbing, through which they steal banking credentials, browser cookies, and passwords.
It also supports keylogging and screen capture, remote access and control, encrypted C2 communications, and various persistence mechanisms. It was first spotted in May 2018 targeting banking customers in Australia, and very soon expanded to other regions, including Europe and North America.
However, DanaBot went quiet after a police action in May 2025 under Operation Endgame, an ongoing international operation led by Europol that aims to disrupt malware distribution ecosystems and the initial-access infrastructure that enables ransomware and other large-scale cybercrime.
Some of the most widely used backdoors, malware, and loaders have already been disrupted by Operation Endgame, including IcedID, SmokeLoader, Qakbot, TrickBot, and DanaBot itself. By attacking these components, authorities aim to break the ransomware kill chain at its source, rather than simply pursuing late-stage ransomware gangs.
In addition to taking down malware and backdoors, police also seized thousands of domains, seized millions of dollars in different cryptocurrencies, made numerous arrests, and issued even more international arrest warrants.
To defend against the reborn DanaBot, organizations should add Zscaler’s newly published Indicators of Compromise (IoCs) to their block lists and update their security stack with new detection signatures.
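The blocking advice above is easier to act on with a small tool that ingests an indicator feed and sweeps it against egress logs. The script below is an added example, not Zscaler's or the article's code; the indicator entries and log lines are constructed for the demo and use RFC 5737 documentation addresses rather than any real DanaBot C2. The log format is an assumed "timestamp src dst:port action bytes" shape; real proxy logs will need their own regex. It also collapses the feed into a deduplicated CIDR block list suitable for a firewall or proxy deny list.

```python
"""Sweep a C2 IoC feed against egress logs and emit a deny list.

Added illustration only: the indicators and log lines are constructed,
using RFC 5737 documentation addresses, not real DanaBot infrastructure.
"""
import ipaddress
import re

# Constructed sample IoC feed: one indicator per line, '#' comments allowed.
# An entry may be a bare IP, an IP:port (matches only that port), or a CIDR.
IOC_FEED = """
# constructed DanaBot-style C2 indicators (documentation addresses only)
192.0.2.44
198.51.100.7:443
203.0.113.0/28
"""

# Constructed proxy log lines in an assumed "ts src dst:port action bytes" shape.
SAMPLE_LOGS = [
    "2025-11-18T09:12:01Z 10.1.4.23 192.0.2.44:443 ALLOW 5120",
    "2025-11-18T09:12:07Z 10.1.4.23 93.184.216.34:443 ALLOW 880",
    "2025-11-18T09:13:44Z 10.1.9.8 203.0.113.9:8443 ALLOW 2048",
    "2025-11-18T09:14:02Z 10.1.9.8 198.51.100.7:80 ALLOW 410",
    "malformed line with no destination",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<action>\S+) (?P<bytes>\d+)$"
)


def parse_iocs(feed=IOC_FEED):
    """Return (exact, nets): exact maps IP -> required port or None; nets is a list of networks."""
    exact, nets = {}, []
    for raw in feed.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "/" in line:
            nets.append(ipaddress.ip_network(line, strict=False))
            continue
        ip, _, port = line.partition(":")
        exact[ipaddress.ip_address(ip)] = int(port) if port else None
    return exact, nets


def match_logs(lines, feed=IOC_FEED):
    """Return a list of hits, one dict per log line whose destination matches an indicator."""
    exact, nets = parse_iocs(feed)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        dst = ipaddress.ip_address(m["dst"])
        port = int(m["port"])
        reason = None
        # Port-qualified indicators only fire on that port; bare IPs fire on any port.
        if dst in exact and exact[dst] in (None, port):
            reason = f"exact {dst}" + (f":{port}" if exact[dst] else "")
        else:
            reason = next((f"net {net}" for net in nets if dst in net), None)
        if reason:
            hits.append({"ts": m["ts"], "src": m["src"], "dst": str(dst),
                         "port": port, "ioc": reason})
    return hits


def to_blocklist(feed=IOC_FEED):
    """Collapse all indicators into a sorted, deduplicated list of CIDR strings for a deny list."""
    exact, nets = parse_iocs(feed)
    singles = [ipaddress.ip_network(f"{ip}/32") for ip in exact]
    return [str(n) for n in ipaddress.collapse_addresses(singles + nets)]


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['port']}  ({hit['ioc']})")
    print("deny list:", ", ".join(to_blocklist()))
```

Note the port handling: the constructed 198.51.100.7:443 indicator does not flag the port-80 connection in the sample logs, which is the conservative choice for alerting, while the deny list still blocks the whole host. Decide deliberately which behaviour you want; a beaconing C2 host is usually worth blocking on every port.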
Via BleepingComputer