- DanaBot has resurfaced as version 669, with rebuilt infrastructure, after the hiatus that followed Operation Endgame
- It is a modular trojan with plugin-loaded payloads and encrypted C2 communication, and it now supports cryptocurrency theft via BTC, ETH, LTC and TRX
- Zscaler urges organizations to block the new IoCs and strengthen their defenses against DanaBot's return
Researchers have discovered that DanaBot, the well-known banking trojan targeted by the recent Operation Endgame, has resurfaced.
Threat researchers at Zscaler said they observed the return of DanaBot as version 669, along with infrastructure that is being rebuilt.
“DanaBot has resurfaced with version 669 after a nearly six-month hiatus following Operation Endgame law enforcement operations in May,” the tweet read. Zscaler also listed the IP addresses of DanaBot’s new command and control (C2) infrastructure, as well as the new cryptocurrency wallets used to steal victims’ funds.
The full list of C2 IP addresses can be found here. Zscaler added that DanaBot can now accept funds in BTC, ETH, LTC and TRX.
DanaBot is a modular banking trojan for Windows with a long list of dangerous capabilities. Its plugin-based architecture lets attackers load additional payloads, including web injects and form grabbing, which are used to steal banking credentials, browser cookies and passwords.
It also supports keylogging and screenshot capture, remote access and control, encrypted C2 communication and various persistence mechanisms. It was first discovered in May 2018, when security researchers found it targeting customers of Australian banks. Its operators quickly expanded into other regions, including Europe and North America.
However, DanaBot went quiet following a law enforcement operation called Operation Endgame in March 2025. This is an ongoing international operation led by Europol aimed at disrupting the malware distribution ecosystems and the initial access infrastructure that enable ransomware and other large-scale cybercrime.
Some of the most widely used backdoors, malware families and loaders have already been disrupted by Operation Endgame, including IcedID, SmokeLoader, Qakbot, TrickBot and, of course, DanaBot. By going after these components, authorities aim to break the ransomware chain at its source, rather than only pursuing the gangs that operate in the late stages of an attack.
In addition to fighting malware and backdoors, police have also seized thousands of domains, seized millions of dollars in various cryptocurrencies, made numerous arrests, and issued even more international arrest warrants.
To defend against new DanaBot attacks, organizations should add Zscaler's newly published Indicators of Compromise (IoCs) to their blocklists and update their security stack with the corresponding new signatures.
IN BeepTeam