DanaBot Banking Trojan Resurfaces with Version 669 After Operation Endgame Takedown, Focused on Cryptocurrency Theft

Published
Written by:
Lore Apostol
Cybersecurity Writer

Key Takeaways

The DanaBot banking trojan has made a significant return to the threat landscape with the appearance of version 669. This resurgence comes nearly six months after the coordinated international law enforcement effort, Operation Endgame, attempted to dismantle its operations in May 2025. 

New Command-and-Control Infrastructure

Security researchers at Zscaler have identified a newly established command-and-control (C2) infrastructure supporting DanaBot version 669. The re-emergence indicates that the malware's operators have successfully regrouped, rebuilt their infrastructure, and resumed their campaigns.

The operators of DanaBot, a major malware-as-a-service (MaaS) platform active since 2018 that specializes in credential theft and banking fraud, have adopted a hybrid strategy to evade future takedowns, using both traditional IP-based C2 servers and Tor-based hidden services for greater anonymity and persistence.

DanaBot re-emerges | Source: Zscaler via X

Several C2 endpoints have been identified, alongside backconnect servers designed to facilitate reverse shell connections and access to compromised systems.

Typical DanaBot infrastructure | Source: ESET

The primary objective of the new DanaBot variant remains financial theft, with a strong focus on cryptocurrencies. The malware is configured with dedicated wallet addresses to steal various digital assets, maximizing its monetization potential:

Cybersecurity Risks and Implications

The DanaBot malware resurgence poses significant cybersecurity risks for both individuals and financial institutions. Organizations are advised to:

In May, the U.S. indicted 16 Russian nationals in the DanaBot case as part of Operation Endgame after several operators unwittingly infected their own machines, exposing their real-world identities through uploaded credentials and internal communications.
