## Introduction

On May 22, 2025, international law enforcement agencies released information about additional actions taken in conjunction with Operation Endgame, an ongoing, coordinated effort to dismantle and prosecute cybercriminal organizations, including those behind DanaBot. This action mirrors the original Operation Endgame, launched in May 2024, which disrupted SmokeLoader, IcedID, SystemBC, Pikabot, and Bumblebee. Zscaler ThreatLabz has been tracking all of the aforementioned malware families and frequently provides technical assistance to support law enforcement investigations. In this blog, we provide a glimpse into DanaBot’s capabilities and the group’s activities.

DanaBot (aka DanaTools) is a Delphi-based malware family released in May 2018 that has been used for a wide variety of nefarious purposes, from online banking fraud to espionage. DanaBot is typically sold as a service and leased to other threat actors. ThreatLabz has identified DanaBot activity associated with both cybercriminal and nation-state threat actors. DanaBot is most frequently used to steal sensitive information and deploy second-stage malware payloads, including ransomware.

Zscaler has previously reported on DanaBot activity. In October and November 2021, large-scale supply chain attacks were leveraged to distribute DanaBot. After Russia invaded Ukraine in early 2022, ThreatLabz identified a DanaBot instance that was used to issue commands to infected systems that pushed a distributed denial of service (DDoS) module targeting the Ukrainian Ministry of Defense’s webmail server and later an IP address associated with information about Russian prisoners of war (POWs).
ThreatLabz also identified DanaBot samples that leveraged code obfuscation, although these obfuscation techniques were later abandoned by the malware author.

## Key Takeaways

- DanaBot is a powerful modular malware family written in Delphi with the ability to monitor keystrokes, capture screenshots, record video of a victim’s desktop, exfiltrate files, inject arbitrary content into a web browser, and deploy second-stage malware payloads.
- DanaBot operates a Malware-as-a-Service (MaaS) platform that enables threat actors to launch an array of attacks.
- DanaBot has been used in targeted attacks against government officials in the Middle East and Eastern Europe.
- In March 2022, DanaBot was used to launch distributed denial of service (DDoS) attacks against a webmail server operated by Ukraine’s Ministry of Defense, and another server operated by Ukraine’s National Security and Defense Council that provided information related to Russian prisoners of war (POWs).
- DanaBot implements a custom binary protocol that is encrypted using 1,024-bit RSA and 256-bit AES in CBC mode. The command-and-control servers (C2s) are hardcoded, but Tor can be utilized as a backup communication channel.

## Technical Analysis

DanaBot is advertised on forums and sold as a service with monthly prices that have ranged from a few hundred to several thousand dollars, depending on the buyer’s requirements. Each threat actor is provided with a client executable file (also written in Delphi) that enables them to communicate with a backend C2 server, update configuration parameters, create new builds, access stolen information, and manage infections. The figure below shows a screenshot of the DanaBot client application that is used for administration.

Figure 1: DanaBot client administration application.

Since its inception in 2018, DanaBot has been regularly updated, with four distinct major versions of the malware. Over this period, ThreatLabz has identified at least 85 distinct build numbers.
The developer has often released multiple builds per month, as shown in the change log in the client application below.

Figure 2: Example DanaBot change log with multiple releases per month.

The most recent DanaBot version identified by ThreatLabz is 4006, which was compiled in March 2025. The major version 4xxx marks a new milestone for DanaBot. There appears to be an overall trend of an increasing number of builds for each successive major version, as shown in the following figure.

Figure 3: DanaBot major build version numbers identified by ThreatLabz.

### Modules

DanaBot has two main components: a loader and a main module. The loader is responsible for downloading and executing the main module, which implements the bulk of the malicious functionality. In addition, DanaBot can be configured to download external modules (e.g., a Tor client for C2 communications).

Even though DanaBot has its own loader component, ThreatLabz has observed threat actor(s) deploying the main module directly using third-party downloaders/loaders, including HijackLoader and SmokeLoader.

Furthermore, one of the capabilities of DanaBot is downloading and executing additional malware payloads.
ThreatLabz has observed DanaBot deploying different malware families such as Remote Access Trojans (RATs) like DarkGate, information stealers like Lumma (version 4), and ransomware families including Cactus and GlobeImposter.

### Malware capabilities

DanaBot has the following built-in features:

- Keylogger
- File grabber (has been used for espionage and cryptocurrency wallet theft)
- Form grabber (steals information submitted through HTML forms in a web browser)
- Information stealer (from web browsers, FTP, SSH, and email clients)
- SOCKS proxy
- Remote desktop access (VNC)
- Web browser manipulation (aka web injects to add and/or modify arbitrary HTML/JavaScript content, redirect to another website, block access to a website, etc.)
- Capture screenshots
- Record video of the victim’s desktop
- Execute shell commands
- Download and execute second-stage payloads
- Clipboard hijacking

### Threat actors

DanaBot is a Malware-as-a-Service (MaaS) offering where threat actors, known as affiliates, purchase access to the platform. Affiliates then distribute and use the malware according to their own objectives.

ThreatLabz has identified over 50 nicknames associated with DanaBot as shown in the table below.

Table 1: List of nicknames associated with DanaBot.

### Persistence

DanaBot establishes persistence on a compromised host using the following methods, depending on the version and the user’s permissions:

- Windows Service: DanaBot creates a malicious service with the ImagePath value set to the legitimate path of svchost.exe and the ServiceDLL to DanaBot’s filepath.
  This method is only used if DanaBot has administrator privileges.
- Windows Run registry key: DanaBot uses the Windows registry Run key to run when a user logs in by adding a value that points to the executable filepath. DanaBot uses this method only if administrator privileges are not available.
- Scheduled Tasks: DanaBot creates a Windows scheduled task with a pseudorandom name for persistence.

DanaBot generates unique names for various malware artifacts (e.g., filenames, registry names, scheduled task names). Historically, DanaBot used system information (e.g., the system’s hostname) to generate these values. In the most recent version of DanaBot (4006), the algorithm derives an MD5 hash from the hardware GUID of the compromised host and appends a numerical character at the end of the hash. The numerical character is unique to each malware artifact. Lastly, DanaBot uses the MD5 hash in combination with two hardcoded charsets to generate an alphabetical value. The Python script below replicates DanaBot’s algorithm to generate the malware’s artifact names.

```python
import hashlib
import winreg


def danabot_random(input_hash: str, custom_charset1: str, custom_charset2: str) -> str:
    out = bytearray()
    # The output length is taken from the first hex digit of the hash that is >= 6
    rand_str_len = 0
    for c in input_hash:
        char_int = int(c, 16)
        if char_int >= 6:
            rand_str_len = char_int
            break
    # First character is upper-cased: digits 0-7 index charset1, 8-15 index charset2
    char1 = int(input_hash[0], 16)
    if char1 <= 7:
        charset_char = custom_charset1[char1].upper()
    else:
        charset_char = custom_charset2[char1].upper()
    out += charset_char.encode()
    if rand_str_len < 2:
        return out.decode()
    # Remaining characters are lower-case and mapped through the same two charsets
    remaining_len = rand_str_len - 2 + 1
    for c in input_hash[1:]:
        if not remaining_len:
            break
        hash_char = int(c, 16)
        if hash_char <= 7:
            charset_char = custom_charset1[hash_char]
        else:
            charset_char = custom_charset2[hash_char]
        out += charset_char.encode()
        remaining_len -= 1
    return out.decode()


def calculate_danabot_host_hwid() -> str | None:
    # Read HwProfileGuid from the first hardware profile key that carries one
    reg_instance = winreg.ConnectRegistry(None, winreg.HKEY_LOCAL_MACHINE)
    key_instance = winreg.OpenKey(reg_instance, r"System\CurrentControlSet\Control\IDConfigDB\Hardware Profiles")
    hw_guid = None
    for i in range(10):
        try:
            sub_key_instance = winreg.OpenKey(key_instance, winreg.EnumKey(key_instance, i))
            hw_guid = winreg.QueryValueEx(sub_key_instance, "HwProfileGuid")[0]
            break
        except OSError:
            continue
    if not hw_guid:
        print("Failed to find hardware GUID")
        return None
    # DanaBot keys every artifact name off the upper-cased MD5 of the GUID string
    danabot_host_hwid = hashlib.md5(hw_guid.encode()).hexdigest().upper()
    return danabot_host_hwid


def get_danabot_random_name(field_char: str) -> str | None:
    host_hwid = calculate_danabot_host_hwid()
    if not host_hwid:
        return None
    # field_char is the per-artifact digit appended before the second MD5 round
    host_hwid += field_char
    return danabot_random(
        input_hash=hashlib.md5(host_hwid.encode()).hexdigest(),
        custom_charset1="wrtpsdfhlzcvbnm",
        custom_charset2="qeyuioaqeyuioaqe",
    )
```

ThreatLabz has leveraged this logic to develop a tool that can identify infections and detect DanaBot’s malware artifacts.

### Network architecture

DanaBot leverages a distinct architecture with four main components: the malware (bot), the client (used for administration), one or more proxies (used as a layer of indirection to hide the location of the backend server), and a backend server. A high-level view of DanaBot’s network architecture is represented in the figure below.

Figure 4: DanaBot network architecture.

DanaBot’s architecture differs significantly from most malware families, since it does not leverage a web server (alongside scripting programming languages) for backend communications or for administration.

### Network protocol

DanaBot uses a custom TCP-based binary protocol, which is encrypted via 1,024-bit RSA and 256-bit AES in CBC mode. The first version of DanaBot leveraged a loader that utilized HTTP requests, but the loader protocol was migrated to a binary format in version 2, before being reverted back to HTTP. DanaBot also later added an RSA key exchange to the main module’s network protocol to prevent eavesdropping.

The current version of DanaBot uses the following message structures for network communications. Depending on the version, DanaBot will use one of the following header structures:

```c
struct encoded_header_type_1 {
    uint64_t sizeof_packet_data;
    uint32_t compression_type;
    uint64_t random_value;
    uint64_t sumof_random_value; // random_value + sizeof_packet_data
};
```
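The last field of header type 1 is a self-check (random_value + sizeof_packet_data), which gives a defender a cheap way to validate a captured header before trusting its declared length. The following is an added example, not ThreatLabz tooling; it assumes the record is packed and little-endian (as a Delphi record on x86 is written) with no padding between fields, and the sample header is constructed, not captured traffic.

```python
import struct
from typing import NamedTuple

# Assumed layout (added example): packed, little-endian uint64 + uint32 + uint64 + uint64
HEADER1_FMT = "<QIQQ"
HEADER1_LEN = struct.calcsize(HEADER1_FMT)  # 28 bytes
MASK64 = (1 << 64) - 1


class HeaderType1(NamedTuple):
    sizeof_packet_data: int
    compression_type: int
    random_value: int
    sumof_random_value: int


def build_header_type_1(packet_len: int, compression_type: int, random_value: int) -> bytes:
    """Encode a type-1 header; the last field is random_value + sizeof_packet_data (mod 2^64)."""
    return struct.pack(
        HEADER1_FMT,
        packet_len,
        compression_type,
        random_value,
        (random_value + packet_len) & MASK64,
    )


def parse_header_type_1(buf: bytes) -> HeaderType1:
    """Decode a type-1 header and reject it when the sum field does not check out."""
    if len(buf) < HEADER1_LEN:
        raise ValueError(f"need {HEADER1_LEN} header bytes, got {len(buf)}")
    hdr = HeaderType1._make(struct.unpack_from(HEADER1_FMT, buf, 0))
    expected = (hdr.random_value + hdr.sizeof_packet_data) & MASK64
    if expected != hdr.sumof_random_value:
        raise ValueError("sumof_random_value != random_value + sizeof_packet_data")
    return hdr


def looks_like_danabot_header_1(buf: bytes) -> bool:
    """Triage check for a captured TCP payload: True only if the header relation holds.

    A 64-bit relation holding by chance is vanishingly unlikely, but this is a
    structural match, not attribution; pair it with the C2 indicators.
    """
    try:
        parse_header_type_1(buf)
    except ValueError:
        return False
    return True


# Constructed sample (not captured traffic): 256 bytes of packet data, no compression
SAMPLE_HEADER = build_header_type_1(256, 0, 0x1122334455667788)
```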
```c
struct sub_header_type_2 {
    uint8_t data[];
    uint8_t random_data[];
    uint32_t sizeof_packet_data;
    uint32_t compression_type;
};

struct encoded_header_type_2 {
    uint32_t total_packet_size;
    sub_header_type_2 s_header_type_2;
};

struct encoded_header_type_3 {
    uint32_t sizeof_packet_data;
    uint32_t sizeof_packet_data_with_random_values;
    uint8_t compression_type;
};
```

The request data that follows the header is structured in the format shown below:

```c
typedef uint8_t BYTE;

struct data_t {
    uint8_t size;
    BYTE data[32];
};

struct sig_t {
    uint32_t size;
    uint32_t crc32;
    BYTE data[32];
};

struct system_info_t {
    uint32_t version;
    uint32_t is_admin;
    uint32_t process_integrity;
    uint32_t arch;
    uint32_t windows_version;
    uint32_t timezone_bias;
};

struct packet_t {
    uint32_t length;
    uint64_t rand;
    uint64_t checksum;
    uint32_t old_affid;
    uint32_t command;
    uint32_t subcommand;
    system_info_t si;
    BYTE pad[36];
    data_t bot_id;
    data_t arg;
    data_t data_checksum;
    sig_t sig;
};
```

### Network commands

The main module of DanaBot supports a variety of network commands that have evolved over time. The table below describes the network commands identified by ThreatLabz.

| Command ID | Sub-Command ID | Description |
|---|---|---|
| 1024 | 0 | Initial beacon request. The response is the same as the request (echo request). |
| 2048 | 0 | Requests a list of online records. |
| 2048 | 1 | Requests a list of updated C2s. |
| 2048 | 2 | Requests a list of command records. |
| 2048 | 3 | Downloads the command records received. |
| 2048 | 4 | Sends host information to the C2, such as a screenshot. |
| 2048 | 6 | Requests a C2 for a backconnect/alert session. |
| 2048 | 8 | Requests a list of download records. |
| 2048 | 9 | Downloads the download records received. |
| 4048 | 0 | Requests a 32-bit PE from the C2. |
| 4048 | 1 | Requests an updated DanaBot payload in DLL format. |
| 4048 | 2 | Requests the TOR module. |
| 4048 | 3 | Requests an updated DanaBot payload in EXE format. |

Table 2: Network commands supported by DanaBot’s main module.

In addition to the commands above, DanaBot has dedicated commands for configuring module settings or issuing specific activities (e.g., removing DanaBot from the compromised host). These commands are listed in the table below.

| ID | Description |
|---|---|
| 0 | Configures screen capture/video settings. |
| 1 | Returns a list of processes that are targeted for keylogging. |
| 2 | Returns a list of targeted websites. |
| 3 | Returns a list of web injects. |
| 4 | Returns a list of redirect targets. |
| 5 | Returns a list of websites to block. |
| 6 | Configures screenshot settings. |
| 7 | Sets alert preferences. Starts a backconnect session and alerts operators during specific operational events. |
| 8 | Removes DanaBot from the compromised host. |
| 9 | Re-executes DanaBot with administrator privileges. |
| 10 | Returns a list of target files to collect. |
| 11 | Instructs DanaBot to switch to TOR network communication. |
| 12 | Configures stealer settings. |
| 13 | Updates the beacon timeout value. |
| 14 | Adds persistence to the compromised host. |
| 15 | Adds firewall exclusions. |
| 16 | Instructs DanaBot to save the current settings/configuration in case of a process termination. |
| 17 | Injects DanaBot into a target process (e.g., the Windows task manager) along with the protector module. |
| 18 | Instructs DanaBot to use the protector module to hide the main module. |

Table 3: DanaBot commands.

An example of the client application interface used to configure commands (which can be customized to target an IP address or bot ID) is shown below.

Figure 5: DanaBot administration client command configuration menu.

## Targeted Activity

Although typically linked to criminal activity, ThreatLabz has identified a small subset of instances involving targeted activity, likely conducted by a nation-state threat actor. In these instances, DanaBot was used for espionage, targeting government officials in the Middle East and Eastern Europe. DanaBot’s features, like keylogging, taking screenshots, video recording, remote desktop viewing, and file grabbing, were used in some of these attacks. The figure below shows an example of the DanaBot administration client interface where a threat actor can view, delete, and download files.

Figure 6: Example of DanaBot’s file grabbing features.

Note that this is not the first time that cybercriminal threat groups have been associated with nation-state activity. From 2011 to 2014, Gameover Zeus (aka the Business Club) had also set up special instances that were used to collect intelligence related to countries located in the Middle East and Eastern Europe. In both cases, it is not clear whether those behind the malware were operating on behalf of an intelligence service, or whether they simply rented out access to anyone willing to pay for it.

## Conclusion

Operation Endgame has once again dealt a blow to the cybercriminal ecosystem. However, as the previous operation demonstrated, much of the impact may be temporary. While the specific effects on DanaBot remain unclear, it is likely that some of the affiliated threat actors will persist in their attacks. It is also important to note that organizations must handle criminal and nation-state threats with a similar level of importance.
As our research has shown, there are multiple instances where nation-state threat groups have made use of malware families that are typically linked with criminal activity.

## Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators related to DanaBot at various levels. The figure below depicts the Zscaler Cloud Sandbox, showing detection details for DanaBot.

Figure 7: Zscaler Cloud Sandbox report for DanaBot.

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to DanaBot at various levels with the following threat names:

- Win32.Downloader.Danabot
- Win32.Banker.Danabot

## Indicators Of Compromise (IOCs)

| IOC | Description |
|---|---|
| 149.28.241[.]120 | Alert/backconnect command-and-control (C2) server. |
| 91.243.50[.]68 | Alert/backconnect command-and-control (C2) server. |
| 77.239.101[.]139 | DanaBot main module command-and-control (C2) server. |
| 77.239.99[.]248 | DanaBot main module command-and-control (C2) server. |
| 77.91.76[.]17 | DanaBot main module command-and-control (C2) server. |
| 149.28.127[.]237 | DanaBot main module command-and-control (C2) server. |
| y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad[.]onion | DanaBot main module TOR command-and-control (C2) server. |
| 2f8e0fc38eaf08a69653f40867dcd4cc951a10cd92b8168898b9aa45ba18a5c8 | DanaBot main module. |
| 871862d1117fd7d2df907406a3ce08555196800b0ef9901dd4c46f82b728263d | DanaBot main module. |
| e2c228d0bf460f25b39dd60f871f59ea5ef671b8a2f4879d09abae7a9d4d49fb | DarkGate (version 7) dropped by DanaBot. |
| 75ff0334d46f9b7737e95ac1edcc79d956417b056154c23fad8480ec0829b079 | Lumma (version 4) dropped by DanaBot. |