The DanaBot malware has returned with a new version observed in attacks, six-months after law enforcement’s Operation Endgame disrupted its activity in May.
According to security researchers at Zscaler ThreatLabz, there is a new variant of DanaBot, version 669, that has a command-and-control (C2) infrastructure using Tor domains (.onion) and “backconnect” nodes.
Zscaler also identified and listed several cryptocurrency addresses that threat actors are using to receive stolen funds, in BTC, ETH, LTC, and TRX.
DanaBot was first disclosed by Proofpoint researchers as a Delphi-based banking trojan delivered via email and malvertising.
It operated under a malware-as-a-service (MaaS) model, being rented to cybercriminals for a subscription fee.
In the years that followed, the malware evolved into a modular information stealer and loader, targeting credentials and cryptocurrency wallet data stored in web browsers.
The malware was used in numerous campaigns, some of which were large-scale, and reappeared occasionally from 2021 onward, remaining a steady threat to internet users.
In May this year, an international law enforcement effort codenamed ‘Operation Endgame’ disrupted Danabot’s infrastructure and announced indictments and seizures, which significantly degraded its operations.
However, according to Zscaler, Danabot is again active, with a rebuilt infrastructure. While the Danabot operation was down, many initial access brokers (IAB) pivoted to other malware.
DanaBot resurfacing shows that cybercriminals are resilient in their activity as long as there is a financial incentive, despite a multi-month disruption, especially when core operators aren’t arrested.
Typical initial access methods observed in DanaBot infections include malicious emails (via links or attachments), SEO poisoning, and malvertising campaigns, some of which led to ransomware.
Organizations can defend against DanaBot attacks by adding to their blocklists the new indicators of compromise (IoCs) from Zscaler and by updating their security tools.
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
