On May 23, 2025, the U.S. Department of Justice (DoJ) announced the disruption of the online infrastructure associated with DanaBot, a sophisticated malware family also known as DanaTools. At the same time, charges were unsealed against 16 individuals for their alleged roles in developing and distributing the malware, which was operated by a Russia-based cybercriminal organization.
DanaBot infected more than 300,000 computers worldwide, enabling fraud and ransomware attacks and causing at least $50 million in damage. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, remain at large.
The malware was sold under a "malware-as-a-service" (MaaS) model, with access leased for anywhere from $500 to several thousand dollars per month. DanaBot, also tracked by the security community under the names Scully Spider and Storm-1044, is a multifunctional tool in the same category as Emotet, TrickBot, QakBot, and IcedID: it acts both as an information stealer and as a loader for follow-on payloads, including ransomware.
DanaBot reached victims' computers through various methods, including spam emails carrying malicious attachments or hyperlinks. Once infected, the computers became part of a botnet that the operators controlled remotely.
The Delphi-based, modular malware could hijack banking sessions and exfiltrate device information, browsing history, stored account credentials, and cryptocurrency wallet data from infected machines. It also gave the operators full remote access, keystroke logging, and video capture.
The law enforcement action, carried out as part of Operation Endgame, resulted in the seizure of DanaBot's command-and-control (C2) servers, including dozens of virtual servers hosted in the United States. The operation was coordinated with several international agencies as part of a broader global effort against cybercriminal infrastructure.
A notable finding from the investigation is that some members of the DanaBot organization accidentally infected themselves with their own malware, allowing investigators to recover incriminating data from their computers. This data helped identify the organization's members.
The dismantling of the DanaBot network represents a significant step in the fight against international cybercrime. However, the evolving nature of these threats requires continued vigilance and global collaboration to prevent and counter future malicious activity.
Source: https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html?utm_source=chatgpt.com