DanaBot Malware Network Disrupted

Law enforcement agencies have dismantled the DanaBot malware network, dealing a significant blow to a global cybercriminal operation alleged to have caused losses exceeding $50 million. The action, conducted under the banner of “Operation Endgame II,” led to federal charges against 16 individuals linked to the scheme, which used a botnet to infect computers across multiple countries. The network reportedly had ties to Russian nationals and other international cybercriminals, underscoring its expansive reach.

DanaBot operated on a multi-tiered command and control (C2) architecture, reportedly maintaining around 150 active C2 servers at any given time. These servers were organized into three functional tiers: Tier 1 (T1) servers communicated directly with infected machines, Tier 2 (T2) servers managed the T1 layer, and Tier 3 (T3) servers provided further aggregation and obfuscation. Because infected hosts only ever contacted T1 servers, traffic from compromised devices passed through layers of proxies before reaching the operators, and the lower tiers could be rotated or replaced dynamically to evade detection. Blocking or seizing an individual T1 server therefore did little on its own; the upstream tiers could simply stand up replacements.

Evidence suggests that DanaBot primarily targeted sensitive data and login credentials, using compromised hosts as a foothold for further criminal activity. Its scale made it a critical threat, particularly to the financial sector, and indicators showed ramped-up activity during sensitive periods such as the December holidays and the 2024 U.S. elections. The threat actors behind DanaBot reportedly also exploited zero-day vulnerabilities to stay ahead of defenders.

Investigators identified nearly 400 distinct C2 IP addresses, only a fraction of which appeared in common threat intelligence databases, underscoring how little of the infrastructure had been publicly tracked. The practical lesson for defenders is that the absence of an address from a reputation feed is not evidence that it is benign; behavioural detection of beaconing and credential exfiltration matters as much as indicator matching.

The crackdown involved significant coordination among law enforcement agencies worldwide and resulted in the seizure of approximately 150 C2 domains and servers. By targeting the core developers and operators behind DanaBot rather than only its infrastructure, the operation aimed to prevent the botnet from simply being rebuilt.
