{
	"id": "2e37e8f4-cfcb-49f0-87fe-49aead807141",
	"created_at": "2026-04-06T00:21:50.125933Z",
	"updated_at": "2026-04-10T03:20:38.931876Z",
	"deleted_at": null,
	"sha1_hash": "374b3e68c3cbf315b3a3e4a0755f4530035331a7",
	"title": "Operation Endgame: Global Law Enforcement Takes Down DanaBot Malware Scheme",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51970,
	"plain_text": "Operation Endgame: Global Law Enforcement Takes Down\r\nDanaBot Malware Scheme\r\nBy Flashpoint\r\nPublished: 2025-05-22 · Archived: 2026-04-05 22:55:45 UTC\r\nToday, a federal grand jury has indicted 16 individuals, including two Russian nationals, for their alleged\r\ninvolvement in developing and deploying the DanaBot malware. This widespread cybercrime operation infected\r\nover 300,000 victims worldwide, caused over $50 million in damages, and facilitated fraud and ransomware, with\r\na specific variant targeting military and government entities. \r\nThese law enforcement actions were taken in conjunction with Operation Endgame, a global law enforcement\r\neffort to dismantle cybercriminal organizations. As part of it, Defense Criminal Investigative Service (DCIS)\r\nagents seized and took down DanaBot command-and-control servers, including dozens hosted in\r\nthe United States.\r\nFlashpoint is proud to have contributed to this investigation as part of an alliance of government agencies and\r\nprivate sector partners.\r\n“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including\r\nsensitive military, diplomatic, and government entities, and causes many millions of dollars in losses.\r\nThe charges and actions announced today demonstrate our commitment to eradicating the largest\r\nthreats to global cybersecurity and pursuing the most malicious cyber actors, wherever they are\r\nlocated.”\r\nUnited States Attorney Bill Essayli\r\nUnderstanding Malware-as-a-Service (MaaS)\r\nMalware-as-a-Service has fundamentally reshaped the cybercrime landscape by lowering the barrier to entry for\r\neven unsophisticated threat actors. Like legitimate Software-as-a-Service (SaaS) models, MaaS platforms allow\r\ncybercriminals to “rent” access to complex malware and its infrastructure, enabling them to launch attacks of their\r\nown without needing their own development team or technical expertise. 
\r\nThis model helps to create a robust illicit economy where similar MaaS tools are readily available, such as\r\ninformation-stealing malware or Ransomware-as-a-Service (RaaS). As such, it is critical for organizations to\r\nleverage comprehensive threat intelligence and employ robust security measures.\r\nThe DanaBot malware allegedly operated on a malware-as-a-service model, with the administrators leasing access\r\nto the botnet and support tools to client coconspirators for a fee that was typically several thousand dollars a\r\nmonth.\r\nhttps://flashpoint.io/blog/operation-endgame-danabot-malware/\r\nPage 1 of 3\n\nDanaBot: A Pervasive Malware-as-a-Service Threat\r\nDanaBot’s core functionality revolves around collecting sensitive information from compromised systems. This\r\nincludes credentials from browsers, FTP and Secure Shell (SSH) clients, and email clients, as well as capturing data\r\nthrough clipboard sniffing and keylogging. It can also grab specific files and cryptocurrency wallets. \r\nDanaBot incorporates remote access trojan (RAT) capabilities, enabling attackers to issue terminal commands,\r\nprovide remote access via hidden virtual network computing (HVNC), and perform HTML injections. DanaBot\r\nalso operated as a malware-as-a-service (MaaS) platform, allowing threat actors to purchase and use its\r\ncapabilities.\r\nThe malware’s infrastructure is typically divided into several components: a “bot” that infects target systems and\r\nperforms data collection, an “OnlineServer” that manages the RAT functionalities, a “client” for processing\r\ncollected logs and bot management, and a “server” that handles bot generation, packing, crypting, and command-and-control (C2) communication. 
DanaBot has evolved to include features like Tor fallback for C2 recovery and\r\nJabber integration for notifications.\r\nBeyond financial fraud, a second version of the DanaBot botnet specifically targeted computers in military,\r\ndiplomatic, government, and other related entities in North America and Europe, posing a significant threat to\r\nnational security.\r\nThe Power of Partnership\r\nThese law enforcement actions, taken in conjunction with Operation Endgame and Operation PowerOFF, represent\r\nan ongoing coordinated effort among international law enforcement agencies aimed at dismantling and\r\nprosecuting cybercriminal organizations around the world. The investigation into DanaBot was spearheaded by\r\nthe FBI’s Anchorage Field Office and the Defense Criminal Investigative Service, working closely with\r\nGermany’s Bundeskriminalamt (BKA), the Netherlands National Police, and the Australian Federal Police.\r\n“The enforcement actions announced today, made possible by enduring law enforcement and industry\r\npartnerships across the globe, disrupted a significant cyber threat group, who were profiting from the\r\ntheft of victim data and the targeting of sensitive networks. The DanaBot malware was a clear threat to\r\nthe Department of Defense and our partners. DCIS will vigorously defend our infrastructure, personnel,\r\nand intellectual property.”\r\nSpecial Agent in Charge Kenneth DeChellis\r\nFlashpoint is honored to provide valuable assistance alongside a strong alliance of industry partners. This\r\ncollaborative effort underscores the critical role of private sector intelligence and expertise in disrupting global\r\ncybercrime operations.\r\nFor a comprehensive understanding of Operation Endgame, check out the DOJ’s full announcement. 
Flashpoint\r\nremains committed to working alongside law enforcement to provide timely and actionable intelligence that helps\r\nprotect critical infrastructure and combat the evolving threat landscape.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://flashpoint.io/blog/operation-endgame-danabot-malware/"
	],
	"report_names": [
		"operation-endgame-danabot-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/374b3e68c3cbf315b3a3e4a0755f4530035331a7.pdf",
		"text": "https://archive.orkl.eu/374b3e68c3cbf315b3a3e4a0755f4530035331a7.txt",
		"img": "https://archive.orkl.eu/374b3e68c3cbf315b3a3e4a0755f4530035331a7.jpg"
	}
}