{
	"id": "2c33b797-26c1-4232-b6ee-44a6b76cdcf9",
	"created_at": "2026-04-06T00:07:06.492703Z",
	"updated_at": "2026-04-10T03:21:16.043527Z",
	"deleted_at": null,
	"sha1_hash": "7e14a273a799012814132e0023b4e2d619726540",
	"title": "Danabot's Travels, A Global Perspective | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75079,
	"plain_text": "Danabot's Travels, A Global Perspective | NETSCOUT\r\nArchived: 2026-04-05 13:51:56 UTC\r\nExecutive Summary\r\nFirst discovered in May of 2018, Danabot is a Delphi-written banking trojan that has been under active\r\ndevelopment throughout the year. This malware's early success can be attributed to its modular structure and\r\nmature distribution system. Throughout the year, NETSCOUT Threat Intelligence has observed the growth in\r\ndistribution and global coverage of Danabot.\r\nNOTE: NetScout AED/APS enterprise security products detect and block activity related to Danabot using our\r\nATLAS Intelligence Feed (AIF).\r\nKey Findings\r\nDanabot is an actively supported banking trojan steadily approaching the sophistication of mature\r\ncrimeware families such as Dridex and Trickbot.\r\nDanabot leverages a centralized command and control infrastructure that allows third-party actors to operate as\r\naffiliates. This is a proven model that we have seen work well with other banking trojans like the mature\r\nfamilies noted previously.\r\nDanabot’s affiliate program has gradually expanded to target numerous\r\ngeographical regions including: Australia, Austria, Canada, Germany, Italy, Poland and the United States.\r\nOverview of Danabot\r\nDanabot is a modular banking trojan that utilizes several DLL files to aid in credential theft using various\r\nmechanisms, most notably web injects. In addition to credential theft and information stealing\r\noperations, Danabot supports remote access from an infected system to malicious actors through the VNC and\r\nRDP modules distributed from the command and control server. Danabot is typically distributed by spam email\r\nthrough malicious documents or Hancitor malware. Once the initial Danabot payload (loader) is executed, it will\r\nreach out to the C2 to download additional DLL modules which can perform credential theft or remote access\r\ntasks.
\r\nCommand and Control Centralization\r\nDanabot uses a centralized command and control (C2) infrastructure which appears to be copied across various\r\nservers. All malware samples connect to the same set of C2 IP addresses, which are presumably managed by one\r\nentity as opposed to each Danabot actor managing their own C2 infrastructure. We observed this centralization\r\nbecoming a trend among mature information stealing and banking type malware families. When an infected\r\nmachine connects to the Danabot C2, it provides its affiliate ID, allowing the C2 to provide the\r\nmachine the correct payloads, configuration files, and web injects. Samples with the same affiliate ID can have\r\ndifferent hardcoded C2 IPs; however, in our observations each affiliate ID will get the same data regardless of which C2\r\nit connects to. This means that the data for each affiliate ID is hosted on every Danabot C2 server. Our research\r\nidentified the same webinject targets and configuration files being used for multiple affiliate IDs. This overlap\r\nsuggests the affiliates of Danabot may be separate third-party entities who may have the same targets.\r\nhttps://asert.arbornetworks.com/danabots-travels-a-global-perspective/\r\nPage 1 of 5\r\nNew Affiliate IDs\r\nAs of December 14th, we identified 12 different affiliate IDs targeting various regions and sectors globally. This\r\nincluded 3 additional affiliates (10, 14, 15) added since the last public reporting in September by Proofpoint. The\r\nfollowing sections break down these affiliate IDs into clusters to showcase regional targeting. Appendix\r\nA lists the primary websites targeted by Danabot.\r\nAffiliate 10\r\nAlthough we observed numerous malware samples coded with the affiliate ID “10”, we have been unable to\r\nrecover live C2 communications to retrieve injects and configuration files. 
This could mean the affiliate ID is no\r\nlonger being serviced by the Danabot operators.\r\nAffiliate 14\r\nAffiliate ID “14” first surfaced in early November and we observed it in more than 50 malware samples. The C2\r\ncommunication for this affiliate ID contained the following configuration, consistent with other campaigns we are\r\ntracking:\r\nBitVideo\r\nKeyBit\r\nPostWFilter\r\nBitFilesZ\r\nNo webinjects were captured during our observations of affiliate ID “14” traffic. However, the configuration files\r\noffer the capability to steal cryptocurrency wallets, files, and account credentials.\r\nAffiliate 15\r\nAffiliate ID “15” started appearing in late November and is the most recent affiliate discovered. We managed to\r\ncollect configuration files and webinjects from the C2 servers. These files and injects contained different names\r\ncompared to those of previous affiliate IDs. The injects retrieved primarily targeted Polish banking institutions,\r\nbut also one U.S. financial organization.\r\nCurrent Affiliate ID Distribution by Region\r\n[Figure: Danabot Distribution Map]\r\nAffiliate ID | Targeted Countries | First Seen\r\n3 | Austria, Italy | September 06, 2018\r\n4 | Australia | September 24, 2018\r\n5 | None | September 18, 2018\r\n8 | Canada, United States | September 11, 2018\r\n9 | Austria, Germany, Italy, Poland, United States | September 15, 2018\r\n10 | None | October 29, 2018\r\n11 | None | September 26, 2018\r\n12 | Australia | September 29, 2018\r\n13 | Germany | September 29, 2018\r\n14 | None | November 08, 2018\r\n15 | Poland, United States | November 21, 2018\r\n20 | None | September 29, 2018\r\nAffiliate ID Timeline\r\n[Figure: Danabot Timeline]\r\nConclusion\r\nDanabot is an active banking trojan that has adopted a centralized command and control infrastructure to provide\r\nits services to third-party actors. We continue to see this malware operation expanding its coverage around\r\nthe globe. 
Based on the overlap in targeting between various affiliate IDs, Danabot appears to have multiple third\r\nparties using its platform. The modular nature of Danabot, the centralized infrastructure, and the increasing number\r\nof affiliate IDs suggest this operation is streamlined, well-managed, and likely to grow beyond the seven countries\r\ncurrently impacted.\r\nAppendix A: Domains/URLs Targeted by Danabot\r\nThis is a list of URLs observed in captured web injects and configuration files.\r\nSource: https://asert.arbornetworks.com/danabots-travels-a-global-perspective/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asert.arbornetworks.com/danabots-travels-a-global-perspective/"
	],
	"report_names": [
		"danabots-travels-a-global-perspective"
	],
	"threat_actors": [],
	"ts_created_at": 1775434026,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e14a273a799012814132e0023b4e2d619726540.pdf",
		"text": "https://archive.orkl.eu/7e14a273a799012814132e0023b4e2d619726540.txt",
		"img": "https://archive.orkl.eu/7e14a273a799012814132e0023b4e2d619726540.jpg"
	}
}