DanaBot Malware Returns With New Windows Variant

The notorious DanaBot malware has returned after a six-month hiatus with an upgraded infrastructure and enhanced stealth mechanisms targeting Windows users once again.

Security researchers at Zscaler ThreatLabz have uncovered a new variant, DanaBot version 669, marking a major comeback for the cybercriminal group behind the attacks following its disruption during Operation Endgame in May 2025.

Back Online With New Tricks

According to a new report from Zscaler ThreatLabz, DanaBot’s operators have rebuilt their command-and-control (C2) network using both traditional IP servers and hidden Tor (.onion) domains to communicate with infected devices, making it more resilient and harder to trace. Researchers also identified a “backconnect” channel that likely allowed attackers to access and control infected systems remotely.

The new variantโ€™s infrastructure includes IP addresses 62.60.226[.]146, 62.60.226[.]154, and 80.64.19[.]39 communicating over port 443, along with several active Tor-based C2 endpoints. A separate node at 158.94.208[.]102 handles reverse connections over ports 443 and 8080.

What’s more concerning is that the group has also added new ways to steal money. DanaBot now targets cryptocurrency as well as traditional banking logins, with stolen funds being funnelled to Bitcoin, Ethereum, Litecoin, and TRON wallet addresses linked to the group, signalling that the operators have resumed monetizing their attacks through digital currency theft.

From Banking Trojan To Cybercrime Mainstay

Originally discovered in 2018, DanaBot began as a banking trojan that stole financial credentials and spread through phishing emails and malicious ads. Written in Delphi, it evolved into a modular, plug-in-based malware capable of stealing passwords, browser data, and cryptocurrency wallet details.

Unlike one-off malware, DanaBot operates under a malware-as-a-service (MaaS) model, meaning criminals can “rent” it to launch customized attacks for a subscription fee. Over the years, it has been spotted in campaigns across Australia, Europe, and North America, often spreading through phishing emails, SEO poisoning, or malicious ads.

Resilient After Operation Endgame

DanaBot’s comeback follows Operation Endgame in May 2025, a global law enforcement effort that brought together agencies from over a dozen countries, including the Netherlands, Germany, the U.S., and the U.K., to dismantle major malware operations like Qakbot, Bumblebee, Trickbot, and DanaBot.

While the operation seized infrastructure, issued arrest warrants, and temporarily crippled multiple ransomware supply chains, the disruption didn’t last forever, as shown by Zscaler’s findings. The core DanaBot operators appear to have escaped capture and have rebuilt their infrastructure, proving once again that cybercriminal groups are quick to adapt and recover.

Defensive Measures

Security experts say the new campaign is a reminder that malware disruptions rarely last forever, even after major takedowns. Organizations are urged to:

  • Avoid clicking on suspicious email links or attachments
  • Keep antivirus and security tools up to date
  • Train employees to recognize phishing emails and malicious links
  • Block the newly identified indicators of compromise (IoCs) shared by Zscaler
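As an added example that is not from the article or from Zscaler's report, the following Python script refangs the C2 and backconnect IoCs listed above and checks constructed firewall log lines against them; the log format is an assumption, and the sample lines are made up rather than real traffic.

```python
import ipaddress
import re

# DanaBot v669 infrastructure as listed in the Zscaler ThreatLabz report,
# kept in the defanged form the article uses.
C2_IOCS = {"62.60.226[.]146": {443}, "62.60.226[.]154": {443}, "80.64.19[.]39": {443}}
BACKCONNECT_IOCS = {"158.94.208[.]102": {443, 8080}}


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as '62.60.226[.]146' back into a plain IP."""
    return ioc.replace("[.]", ".").replace("(.)", ".")


def build_blocklist(*tagged_sets):
    """Map each refanged IP to (role, ports); ipaddress validates the address."""
    blocklist = {}
    for role, iocs in tagged_sets:
        for ioc, ports in iocs.items():
            ip = str(ipaddress.ip_address(refang(ioc)))
            blocklist[ip] = (role, set(ports))
    return blocklist


BLOCKLIST = build_blocklist(("c2", C2_IOCS), ("backconnect", BACKCONNECT_IOCS))

# Destination field of the hypothetical firewall log format used below.
DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def scan_log(lines):
    """Return (line_no, ip, port, role, match) for each outbound hit on a DanaBot IoC.
    match is 'exact' when the port is one the report ties to that IP, otherwise
    'ip-only': traffic to a known C2 host on another port still merits an alert."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        entry = BLOCKLIST.get(ip)
        if entry is None:
            continue
        role, ports = entry
        hits.append((n, ip, port, role, "exact" if port in ports else "ip-only"))
    return hits


# Constructed sample lines (not real traffic) in the hypothetical format above.
SAMPLE_LOG = [
    "2025-11-03T10:01:02Z fw allow src=10.0.0.15:51234 dst=142.250.72.14:443",
    "2025-11-03T10:01:09Z fw allow src=10.0.0.15:51240 dst=62.60.226.146:443",
    "2025-11-03T10:02:31Z fw allow src=10.0.0.15:51302 dst=158.94.208.102:8080",
    "2025-11-03T10:02:40Z fw allow src=10.0.0.21:50011 dst=158.94.208.102:22",
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines as exact C2 and backconnect matches and the fourth as an ip-only hit on the backconnect node.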

DanaBot’s re-emergence is a reminder that while global law enforcement operations can deliver major blows to cybercrime, they rarely wipe out the threat completely. As long as stolen data and cryptocurrency remain lucrative, attackers will keep resurfacing, signalling a growing shift toward cryptocurrency theft over traditional banking fraud.

Kavita Iyer