DanaBot Malware Resurfaces with New Infrastructure After Law Enforcement Takedown

The DanaBot malware has reemerged in a new version after a six-month hiatus following a major international law enforcement operation. Dubbed "Operation Endgame," the May 2024 takedown disrupted the malware's infrastructure, but researchers at Zscaler have now identified a fresh variant, version 669, actively circulating. This latest iteration features updated command-and-control servers that utilize Tor domains and new "backconnect" nodes for stealth.

First identified as a banking trojan, DanaBot has evolved into a modular information stealer and loader distributed under a malware-as-a-service model. The new campaign continues to target sensitive data, including credentials and cryptocurrency wallet information from web browsers. Zscaler has also published a list of cryptocurrency addresses associated with the threat actors to help track stolen funds.

The resurgence demonstrates the resilience of financially motivated cybercriminals, especially when core operators avoid arrest. Initial infection vectors typically include malicious emails, SEO poisoning, and malvertising campaigns, and a DanaBot infection can sometimes lead to ransomware deployment. Organizations are advised to update their security tools with the newly published indicators of compromise to defend against this renewed threat.
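As an added example (not Zscaler's code and not part of the original article), the script below shows the kind of check a defender can run once the new indicators are loaded: it scans proxy log lines for attempts to reach Tor `.onion` names, which the article says the new DanaBot command-and-control uses, and for destinations that match an IoC list. The log format, the log lines and every IoC value are constructed placeholders; the real indicators must come from the published Zscaler list.

```python
"""Scan constructed proxy log lines for Tor (.onion) destinations and for
hits against an indicator-of-compromise (IoC) list.

Added example: not Zscaler's code and not DanaBot's. The log format,
the IoC values and the sample log lines are all constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Placeholder IoC list: these are NOT real DanaBot indicators. In practice
# the set is loaded from the vendor-published feed.
IOC_DOMAINS = {"c2-placeholder.example", "backconnect-placeholder.example"}
IOC_IPS = {"192.0.2.10", "198.51.100.25"}

# Constructed proxy log lines:
# timestamp  client-ip  method  destination-host  port  status
SAMPLE_LOGS = """\
2024-11-10T08:01:12Z 10.0.0.15 CONNECT www.example.com 443 200
2024-11-10T08:01:15Z 10.0.0.15 CONNECT abcdefghijklmnop.onion 443 403
2024-11-10T08:02:01Z 10.0.0.22 GET c2-placeholder.example 80 200
2024-11-10T08:02:30Z 10.0.0.22 CONNECT 198.51.100.25 443 200
2024-11-10T08:03:00Z 10.0.0.31 GET updates.example.org 80 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<dest>\S+)\s+(?P<port>\d+)\s+(?P<status>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    destination: str
    reason: str


def classify_destination(dest: str) -> Optional[str]:
    """Return a reason label if the destination is suspicious, else None.

    A .onion name is flagged even when the proxy refused it (status 403):
    the attempt itself is the signal worth investigating.
    """
    host = dest.lower().rstrip(".")
    if host.endswith(".onion"):
        return "tor-onion-destination"
    if host in IOC_DOMAINS:
        return "ioc-domain-match"
    if host in IOC_IPS:
        return "ioc-ip-match"
    return None


def scan_logs(text: str) -> List[Finding]:
    """Parse each log line and collect the suspicious destinations."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        reason = classify_destination(m["dest"])
        if reason:
            findings.append(Finding(m["ts"], m["client"], m["dest"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.client} -> {f.destination}: {f.reason}")
```

On the constructed sample the scan reports three findings: the blocked `.onion` CONNECT, the IoC domain hit and the IoC IP hit. Matching is exact on host names and addresses; a production version would also normalise IDN and check DNS logs, since a Tor client that bypasses the proxy still tends to leave `.onion` lookups behind.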
