Operation Endgame Crushes DanaBot Malware, Shuts Down 150 C2 Servers and Halts 1,000 Daily Attacks
Operation Endgame II has delivered a devastating strike against DanaBot, a notorious malware that has plagued systems since its emergence in 2018.
Initially designed as a banking trojan targeting financial credentials, DanaBot evolved into a multi-purpose threat, facilitating information theft and enabling secondary attacks like ransomware through payloads such as Latrodectus.
At its peak in 2025, DanaBot maintained an average of 150 active command-and-control (C2) servers daily, orchestrating attacks on approximately 1,000 victims across more than 40 countries, with Mexico and the United States bearing the brunt of the impact.
This operation, a collaborative effort involving Black Lotus Labs, Team Cymru, law enforcement, and industry partners like PQ Hosting / Stark Industries, has disrupted this sprawling botnet, dismantling a significant portion of its infrastructure and exposing the sophisticated tactics behind its resilience.
A Major Blow to a Persistent Cyber Threat
DanaBot’s strength lay in its intricate, multi-tiered C2 architecture, designed to obfuscate tracking and insulate its operators.

Infected systems communicated with Tier 1 (T1) servers over TCP/443; those T1 servers were in turn routed through Tier 2 (T2) servers, either dedicated or shared depending on an affiliate's access level, and further proxied via Tier 3 (T3) servers, predominantly hosted in Russia.
This layered setup, mirroring tactics used by other malware like Emotet and Qakbot, made direct attribution challenging.
At any given time, a third of T1 servers operated through a single cloud provider, while management infrastructure tied back to residential IPs in Novosibirsk, Russia, and proxy services like ADMAN-AS.
Operation Endgame II uncovered nearly 400 distinct C2 IPs active in 2025, with only 25% flagged on VirusTotal, highlighting DanaBot’s stealth through targeted attacks and strategic timing around high-profile events like the 2024 US election.
Furthermore, victim data often transited via Tor, obscuring the true scale of infections, which ranged from 1,000 to 3,000 weekly, including high-value targets like law firms and universities.
Unraveling a Complex Multi-Tiered Architecture
The operation’s success stemmed from meticulous telemetry analysis and intelligence gathering, revealing backend jumpboxes used for remote access over RDP and VNC, alongside suspected backup servers exchanging data on TCP/2048.
Despite periods of downtime, such as the April 2025 lull in “Cloud” cluster activity, DanaBot’s operators demonstrated adaptability by cycling infrastructure and maintaining C2 lifecycles averaging over a month.

However, the takedown disrupted key T2 and T3 nodes, severing communication channels and halting daily attacks.
Black Lotus Labs has shared a list of Indicators of Compromise (IoCs) on GitHub, urging defenders to monitor for residual activity.
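To make the tiered architecture and the IoC guidance above concrete from the defender's side, here is an added example (not code from the article, Black Lotus Labs, or Operation Endgame) that triages flow records against a C2 address list and flags repeated outbound TCP/2048 traffic as a hunt lead. The IoC addresses and flow records are constructed placeholders; a real deployment would load the published GitHub list instead.

```python
import ipaddress
from collections import defaultdict

# Placeholder C2 addresses (constructed for this example, NOT the published
# Black Lotus Labs IoC list; load that list here in a real deployment).
DANABOT_C2_IOCS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Ports the article associates with DanaBot tiers: T1 beaconing over TCP/443
# and suspected backup-server data exchange over TCP/2048.
T1_PORT = 443
BACKUP_PORT = 2048

# RFC 1918 ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, "tcp", 4096),      # beacon to listed T1
    ("10.0.0.5", "203.0.113.10", 443, "tcp", 5120),
    ("10.0.0.9", "93.184.216.34", 443, "tcp", 900),      # ordinary HTTPS
    ("10.0.0.12", "198.51.100.200", 2048, "tcp", 65536),  # 2048 to unlisted host
    ("10.0.0.12", "198.51.100.200", 2048, "tcp", 70000),
    ("10.0.0.3", "192.168.1.20", 2048, "tcp", 300),      # internal, ignored
]

def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage_flows(flows, iocs=DANABOT_C2_IOCS, min_hunt_flows=2):
    """Return {src_ip: [(confidence, reason), ...]} for hosts to investigate.

    'high': any flow to a listed C2 address, on any port.
    'hunt': repeated outbound TCP/2048 to an external host that is not on the
    list; the article notes most C2 IPs were never flagged, so a list alone
    under-detects and the backup-channel port is a cheap secondary signal.
    """
    ioc_hits = defaultdict(int)    # (src, dst, dport) -> flow count
    hunt_hits = defaultdict(int)   # (src, dst) -> TCP/2048 flow count
    for src, dst, dport, proto, _ in flows:
        if dst in iocs:
            ioc_hits[(src, dst, dport)] += 1
        elif proto == "tcp" and dport == BACKUP_PORT and _is_external(dst):
            hunt_hits[(src, dst)] += 1
    findings = defaultdict(list)
    for (src, dst, dport), n in ioc_hits.items():
        findings[src].append(("high", f"{n} flow(s) to listed C2 {dst}:{dport}"))
    for (src, dst), n in hunt_hits.items():
        if n >= min_hunt_flows:
            findings[src].append(("hunt", f"{n} outbound TCP/{BACKUP_PORT} flows to {dst}"))
    return dict(findings)
```

Run on the sample flows, it reports 10.0.0.5 as a high-confidence hit and 10.0.0.12 as a hunt lead, while the internal TCP/2048 flow and ordinary HTTPS produce nothing.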
As cyber threats continue to evolve with initial access brokers and diversified malware delivery, this collaborative effort underscores the power of unified action against cybercrime, offering hope that sustained vigilance and advanced network defenses can curb even the most persistent threats like DanaBot.