Operation Endgame 2.0
May 23, 2025, 1:06 p.m.
Description
International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos, exfiltrating files, injecting content into web browsers, and deploying second-stage malware. It operates as a Malware-as-a-Service platform, enabling various attacks. DanaBot has been used in targeted attacks against government officials in the Middle East and Eastern Europe, and for DDoS attacks against Ukrainian servers. The malware implements a custom binary protocol encrypted with RSA and AES, and uses hardcoded C2 servers with Tor as a backup communication channel. Over 50 nicknames have been associated with DanaBot affiliates.
Date
- Created: May 23, 2025, 9:59 a.m.
- Published: May 23, 2025, 9:59 a.m.
- Modified: May 23, 2025, 1:06 p.m.
Indicators
Additional Information
- Defense
- Government
- Ukraine