Inside DanaBot's Infrastructure: In Support of Operation Endgame II
May 23, 2025, 7:07 p.m.
Description
DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan into a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to its success. Likely operated from Russia, DanaBot's infrastructure includes Tier 1, Tier 2, and Tier 3 C2 servers. The botnet's size peaked during high-profile events, with Mexico and the US among the most impacted countries. Despite its longevity, only 25% of its C2 servers had detectable malicious signatures. Operation Endgame II, a collaborative effort between security firms and law enforcement, dealt a significant blow to DanaBot's operations.
Date
- Created: May 23, 2025, 6:49 p.m.
- Published: May 23, 2025, 6:49 p.m.
- Modified: May 23, 2025, 7:07 p.m.
Indicators