{
	"id": "f9b4e9dc-8f58-47d7-8c82-99b92036218d",
	"created_at": "2026-04-06T00:17:30.18434Z",
	"updated_at": "2026-04-10T13:11:29.674343Z",
	"deleted_at": null,
	"sha1_hash": "548053804e7d45fe6b1e3e39b616d4edc3754380",
	"title": "Inside DanaBot’s Infrastructure: In Support of Operation Endgame II",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1669775,
	"plain_text": "Inside DanaBot’s Infrastructure: In Support of Operation\r\nEndgame II\r\nBy Team Cymru\r\nPublished: 2025-04-08 · Archived: 2026-04-05 14:18:20 UTC\r\nExecutive Summary\r\nDanaBot first emerged in 2018 as a banking trojan but has since evolved into a versatile and persistent threat.\r\nWhile it initially focused on financial credential theft, it is now used for a range of purposes including information\r\nstealing and establishing access for follow-on activity such as ransomware. Despite years of activity, DanaBot\r\nremained highly operational through 2025, until it was dealt a significant blow as part of Operation Endgame II.\r\nDanaBot maintained an average of 150 active C2 servers per day, with roughly 1,000 daily victims across more\r\nthan 40 countries. By C2-count, this was one of the largest “malware-as-a-service” platforms active in 2025, while\r\nthe botnet size was relatively modest in terms of daily victims. Of these, Mexico and the United States\r\nconsistently ranked among the most impacted. Its success can be partly attributed to its stealth; as of this writing,\r\nonly 25 percent of its C2 servers had a VirusTotal detection score greater than zero, suggesting that a significant\r\nportion of its infrastructure remained undetected. This was likely due to selecting fewer targets than other loaders\r\nof its kind, as well as cycling operations around high profile events. \r\nDanaBot operated with a multi-tiered architecture that Black Lotus Labs and Team Cymru assess to be separated\r\namong several users or “affiliates” that have purchased access to the malware. Depending on the affiliate and their\r\nlevel of access, they were assigned a dedicated “Tier 2” server or shared one with others. At any given time, at\r\nleast five to six Tier 2 servers were active. 
\r\nWe suspect that DanaBot is likely operated from Russia with management infrastructure originating from several\r\nIPs in residential areas of Novosibirsk, Russia and what appears to be two other threat actors accessing the\r\nmanagement infrastructure from Russian geolocated servers belonging to two separate proxy services.\r\nDuring Operation Endgame I, Black Lotus Labs and Team Cymru supported the broader effort to disrupt\r\nDanaBot, working closely with industry peers and law enforcement. The recent takedown dealt a serious blow and\r\nshowed how collaboration across the security community can lead to real progress against threat actors.\r\nIntroduction\r\nFirst reported by Proofpoint in 2018, DanaBot has evolved into a highly successful infostealer and malware\r\ndelivery platform. It has been observed delivering other threats such as Latrodectus, which is often linked to\r\nransomware operations. While we will not delve into DanaBot’s malware functionality in this post, we encourage\r\nreaders to explore the many excellent writeups available on that subject.\r\nhttps://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii\r\nPage 1 of 9\n\nDuring and since Operation Endgame I, Black Lotus Labs and Team Cymru have been collaborating behind the\r\nscenes, working closely with industry peers and law enforcement. Both of our organizations specialize in the\r\ntracking of threat actor infrastructure across the Internet. By combining our efforts, and those of several\r\ncontributing teams, we strongly believe we are able to have an even greater impact than if we had acted alone, in\r\nisolation. Additionally, PQ Hosting / Stark Industries (AS44477) were a key partner and collaborator in\r\nconfirming the role and activity of threat actor infrastructure and the coordinated takedown. 
Infrastructure\r\nidentified later in this blog post which was assigned to PQ / Stark was purposefully left “online” for intelligence\r\ngathering purposes.\r\nOver the last few years, the cybercrime landscape has evolved, with a general decline in “noisy” delivery\r\ncampaigns and overt mechanisms. While several high-profile threats have been disrupted (or have simply faded\r\naway), others have opportunistically emerged to fill the void. Today, threat actors are diversifying their tactics,\r\nspreading their efforts across a wider array of malware families and delivery methods. The rise of the \"initial\r\naccess broker\" model has further professionalized this phase of the attack lifecycle. One malware family that has\r\nendured through these changes and continues to challenge defenders is DanaBot.\r\nBlack Lotus Labs and Team Cymru will focus on DanaBot’s infrastructure, providing a view into its scale and\r\nstructure based on insights gained through our collaboration during Operation Endgame II.\r\nGlobal Telemetry Analysis\r\nDanaBot consists of a diverse, multi-tiered architecture consisting of nearly 150 or more active C2 servers at any\r\ngiven time. Through periods of greater or lesser activity, both the upstream and backend infrastructure have\r\nremained largely static since June 2024.\r\nA layered communications infrastructure is used between a victim and the botnet controllers, where traffic is\r\nproxied through typically two or three tiers of C2s before it reaches the final tier, which consists of the panel that\r\nthe threat actors operate from. Emotet, IcedID, and Qakbot are just a few examples of other malware families that\r\nhave also leveraged this setup to insulate their C2s.\r\nFigure 1: High-level diagram of multi-tiered C2 architecture.\r\nWhen a victim is infected with DanaBot malware, they will begin to communicate with one or more Tier 1 (T1)\r\nC2s over TCP/443. 
We suspect that, depending on the affiliate and how they subscribe to the service, these T1 C2s\r\nwill be controlled by one of several Tier 2 (T2) C2s. These T2 C2s will generally have their own individual\r\nupstream Tier 3 (T3) C2s, obfuscating the architecture infrastructure even further. The T3 C2s then communicate\r\nwith what we suspect is a potential backup server, as well as with infrastructure that directly ties back to our\r\nsuspected DanaBot actors. We’ll dig into this more later.\r\nAt any time since we began monitoring in late 2024, a quarter to a third of all active T1 C2s in DanaBot’s\r\narchitecture are positioned in one single cloud service provider, and from there, on to one of two T2 servers and\r\ntheir T3s. The remaining T1 C2s were typically found communicating with one of three T2s, which then\r\nconnected to their respective T3 servers. We suspect that between the “Cloud” architecture and the non-”Cloud”\r\narchitecture, there is a mix of specific large affiliates having their own personal T2 and some smaller affiliates\r\nsharing T2s.\r\nBelow is an outline of the entire architecture we uncovered for the DanaBot pipeline and management\r\ninfrastructure, but we will individually address each “section” in more detail with larger maps.\r\nFigure 2: Overview of DanaBot pipeline and management infrastructure.\r\nBots and Tier 1 C2s\r\nDanaBot maintained a daily average of over 150 active T1 C2s throughout our study. What becomes interesting is\r\nwhere we see peaks and troughs. 
We noticed a surge of almost 50 C2s leading up to the November 2024 election\r\nin the US, followed by a lull in activity before ramping up to all-time highs during the December 2024 holidays.\r\nThis pattern suggests the DanaBot actors may use newsworthy events to their advantage, luring more victims to\r\ndownload malicious software, open a phishing email, and more.\r\nFigure 3: Total Number of DanaBot C2s over time\r\nWe also observed that the actor(s) who use the “Cloud” C2s seem to take the greater part of their architecture\r\noffline for extended periods. Throughout April 2025, we tracked most of the “Cloud” architecture as it went dark,\r\nonly to have both the T1s and one of the T2s reappear towards the end of April into May. The other T2 remained\r\nactive during this period, though it had far fewer C2s communicating with it, and those connections occurred\r\ninfrequently. We suspect this atypical period was either the actor taking a break from DanaBot activities, or they\r\nwere updating their servers during this time.\r\nBlack Lotus Labs and Team Cymru have noticed close to 400 distinct IPs acting as DanaBot C2s thus far in 2025,\r\nstill a considerable number given the December 2024 peak of 230. Regardless of the numbers, their C2s are well\r\ndistributed in many different countries and maintain a robust lifecycle.\r\nFigure 4: DanaBot C2 Distribution during 2025 where dark blue represents more C2s\r\nWe have observed the average C2 is active for over one month, and close to 25% stay engaged for over two\r\nmonths. While normally this wouldn’t be a successful operating model as it would allow network defenders to\r\ndiscover and easily block these IPs, DanaBot has somehow remained stealthy. 
For the C2s that were active in the\r\nlast month, only 25% of them have a score of greater than 0 in VirusTotal. Of greater concern, 65% have a score\r\nof 0 and no associated malicious files meaning actors who are using these DanaBot C2s are remaining very quiet\r\nand likely performing more targeted attacks.\r\nWhen we investigate the bot population, Black Lotus Labs and Team Cymru have found victims in over 40\r\ncountries with Brazil, Mexico, and the United States having the most.\r\nFigure 5: DanaBot Victim breakdown by country where dark blue represents more victims\r\nOn the low end we see around 1,000 victims per week, ranging as high as 3,000 victims, all in residential IP space.\r\nIt’s important to note that DanaBot has the functionality to transit victim data through Tor instead of using a direct\r\nconnection between the victim and the C2, so the true bot population is likely larger than what we can see. Aside\r\nfrom just residential victims, we have seen multiple higher value targets infected including law firms and\r\nuniversities among others.\r\nIt appears the actors who purchase DanaBot likely use it for different purposes. A small handful of C2s control the\r\nvast majority of the bot population where most of the C2s have relatively small amounts of victims, likely\r\nindicating some actors are using DanaBot for scale and others have specific victims they are trying to infect. A\r\nsecond reason for the difference in the number of victims infected by some C2s we observe is likely connected to\r\nthe aforementioned usage of Tor. Just under half of the C2s we track appear to route at least some portion of their\r\nvictim populations via this method, making victim enumeration more complex.\r\nAlthough the DanaBot C2s are active for extended periods of time, 50% of the infected victims only communicate\r\nwith the DanaBot C2 for a single day, and 75% of infections last less than three days. 
This leads us to believe that,\r\nin general, actors who are using DanaBot quickly get the information they need from the infected victims and\r\nmove quickly to downstream activities. Aside from information stealing and banking fraud, actors likely use\r\nDanaBot as a precursor to download other malware such as Latrodectus, or pass off access to a ransomware group.\r\nTier 2 C2s\r\nBlack Lotus Labs and Team Cymru tracked the daily average of 150 T1 C2s, to a select few T2 C2s. Apart from\r\none instance, T1s only talk to one T2, typically over TCP/443. We believe this is due to the infrastructure being\r\nsiloed based on actor and subscription packages.\r\nA pair of potential T2s were of interest as they did not fall into any specific pockets of activity. One T2 server,\r\n185.135.80.xxx, was located in Russia and only interacted with two identified Russia T1 C2s, each with very\r\nsmall victim volumes. This communication occurred over TCP/23213, rather than the typical TCP/443 used by the\r\nother clusters. We suspect this was the actors’ personal siloed architecture, which they used with their own\r\nmalware and aligns with the hosting they generally maintain for backend management. However, it became\r\ninactive at the end of March 2025.\r\nAnother host, 45.8.147.xxx, appeared to function as a T2 based on its upstream communication with both the\r\nretired and current T3 for one of the “Cloud” clusters, although no activity with T1 C2s was observed. We were\r\nnot able to confirm its exact purpose, but one theory is that it could be related to testing.\r\nFigure 6: DanaBot C2-to-Tier 2 infrastructure with associated port usage.\r\nTier 3 and Above\r\nWe identified most of the upstream T3s that each T2 communicated with, all of which were located in Russia. 
The\r\nT2 to T3 communication for one of the two “Cloud” clusters was over TCP/15643, while the non-”Clouds” were\r\nover TCP/443.\r\nThe unidentified T3s included the other “Cloud” cluster, and one T2 suspected to belong to the core DanaBot team\r\nor developer. An additional T2 was involved in the only observed instance of a T1 being shared with a second T2,\r\nwhich showed significantly higher activity. This may indicate that the cluster used two T2s, with one acting as a\r\nbackup, both connected to the same T3.\r\nAt least two of the identified T3s were observed sending large volumes of data to the same Russian server\r\n(185.175.158.xxx) on a monthly basis over TCP/2048, typically around the same time. This behavior pattern is\r\ncommonly associated with backup server activity. Given that no additional upstream infrastructure was identified\r\nand all known T3s were found in Russia, it is likely that the T3s represented the final tier and hosted the panels for\r\neach DanaBot cluster.\r\nFigure 7: DanaBot Tier 2-to-Tier 3 infrastructure with associated port usage.\r\nManagement Infrastructure\r\nRussian management infrastructure was observed connecting over RDP and VNC to what appeared to be the\r\nbackup server, as well as to both the current and retired T3s associated with one of the “Cloud” clusters. It\r\npossibly interacted with other T3s as well, but visibility into connections between various Russian providers is\r\nlimited.\r\nThis activity originated from two ADMAN-AS, RU servers that appeared to serve as “jumpboxes” used for\r\nbackend management. A jumpbox in this context served as a relay point for operators, enabling access to internal\r\ninfrastructure and external services without connecting directly from their own systems. 
Notably, one of these\r\nservers, 185.175.158.xxx, connected to the other, 185.133.40.xxx, over OpenVPN and VNC.\r\nIn addition to communicating with the backup server and some of the T3s, both jumpboxes interacted with other\r\nsuspected DanaBot-related infrastructure. 185.175.158.xxx connected to two additional ADMAN-AS, RU servers:\r\none over SSH and VNC, and the other over TCP/8080. The purpose of these two hosts could not be determined\r\nbased on the available data.\r\n185.133.40.xxx connected to three other jumpboxes that were used for external activities commonly associated\r\nwith threat actor infrastructure, including cryptocurrency services and use of tools like Tox and Telegram. One of\r\nthese jumpboxes was observed connecting over RDP to a host that interacted with DanaBot C2s. During the same\r\ntime period, a host used for SmartApeSG backend management was also seen connecting over RDP to that same\r\nhost. This overlap was notable, suggesting a single operator may have been involved in both efforts and that the\r\nsame group was managing multiple operations. Still, it was the only strong link observed and not enough to draw\r\na firm conclusion.\r\nAt least three separate operators were determined to have connected to both backend jumpboxes over OpenVPN.\r\nOne IP based in Novosibirsk, Russia (5.128.128.xxx) frequently connected to the jumpboxes from at least June\r\n2024 until recently. Even during periods of inactivity across other parts of the infrastructure, this IP continued to\r\nconnect occasionally.\r\nAt the end of February, another IP from the same provider and location (5.128.88.xxx) also began connecting to\r\nthe jumpboxes, with some overlap in timing. This may have represented a separate operator or the same individual\r\nusing a different IP.\r\nThe two other operators used proxies and connected far less frequently. 
One consistently used a proxy in the\r\n5.44.168.0/24 range belonging to SIBSET-NSK-AS, RU, changing IP addresses only every few months. This\r\noperator connected frequently, though far less often than the one previously described. The remaining operator\r\nwas the least active, and always used IP space from ROSTELECOM-AS, RU, changing addresses after each burst\r\nof activity. These bursts typically occurred every few weeks and lasted only a day or two.\r\nFigure 8: DanaBot backend infrastructure with associated port usage.\r\nConclusion\r\nIt is clear that since emerging in 2018, DanaBot has continued to evolve and persist where many other malware\r\nfamilies have not. The operators have shown their commitment to their craft, adapted to detection and changes in\r\nenterprise defense, and with later iterations, insulating the C2s in tiers to obfuscate tracking. Throughout this time,\r\nthey have made the bot more user-friendly with structured pricing and customer support. Black Lotus Labs and\r\nTeam Cymru, alongside others in the security community, contributed insight into its layered infrastructure\r\nthrough close collaboration with each other and with law enforcement. Operation Endgame II is the most thorough\r\nand direct action taken against the botnet to date, and our hope is to show that continued attention by the security\r\ncommunity along with collaborative efforts such as these can have an impact in the fight against cybercrime.\r\nA list of C2s is available in the Black Lotus Labs GitHub. We encourage the community to monitor and alert on\r\nthese and any similar IoCs. 
Because DanaBot’s malware was used by such an array of criminal interests including\r\nransom groups, we advise readers to bolster defenses against phishing as an initial access vector by fully\r\nmonitoring network resources, ensuring proper patch management and conducting ongoing phishing and social\r\nengineering training for employees. We also advise the following:\r\nCorporate Network Defenders: \r\nContinue to look for attacks on weak credentials and suspicious login attempts, even when they originate\r\nfrom residential IP addresses which bypass geofencing and ASN-based blocking. \r\nProtect cloud assets from communicating with bots that are attempting to perform password spraying\r\nattacks and begin blocking IoCs with Web Application Firewalls.\r\nLeveraging sophisticated network perimeter countermeasures, which are updated continuously to\r\nproactively stop traffic from malicious points from interacting with corporate networks. \r\nSource: https://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.team-cymru.com/post/inside-danabots-infrastructure-in-support-of-operation-endgame-ii"
	],
	"report_names": [
		"inside-danabots-infrastructure-in-support-of-operation-endgame-ii"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/548053804e7d45fe6b1e3e39b616d4edc3754380.pdf",
		"text": "https://archive.orkl.eu/548053804e7d45fe6b1e3e39b616d4edc3754380.txt",
		"img": "https://archive.orkl.eu/548053804e7d45fe6b1e3e39b616d4edc3754380.jpg"
	}
}