Danabot: Analyzing a fallen empire

May 26, 2025, 9:44 a.m.

Description

ESET Research shares insights into Danabot, an infostealer recently disrupted by law enforcement. The malware, tracked since 2018, evolved from a banking trojan into a versatile tool for data theft and malware distribution. Operated as malware-as-a-service, Danabot offered features like data stealing, keylogging, and remote control. Its infrastructure included C&C servers, an administration panel, and proxy servers. Distribution methods varied from email spam to Google Ads misuse. The takedown operation involved multiple cybersecurity companies and law enforcement agencies, leading to the identification of individuals responsible for Danabot's development and operations.

Indicators

  • 8da728a03e795aa9fb0aa4613759d6bdb10797107dcfb0bb23253514f890a062

Attack Patterns

  • NonRansomware
  • Crisis
  • Ursnif - S0386
  • Buran
  • Matanbuchus
  • Latrodectus
  • Rescoms
  • Danabot
  • Lumma Stealer
  • DarkGate
  • Smokeloader
  • RecordBreaker
  • Zloader
  • SystemBC
  • Ursnif
  • LockBit

Additional Information

  • Defense
  • Finance
  • Government
  • Australia
  • Poland
  • Ukraine
  • Russian Federation