{
	"id": "db98bcc1-3bd9-4622-9e3a-50cd60e93132",
	"created_at": "2026-04-06T00:15:12.045972Z",
	"updated_at": "2026-04-10T03:30:57.667266Z",
	"deleted_at": null,
	"sha1_hash": "875bdafd61b4c78925f76a04eed080e523944055",
	"title": "Danabot: Analyzing a fallen empire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1994849,
	"plain_text": "Danabot: Analyzing a fallen empire\r\nBy Tomáš Procházka\r\nArchived: 2026-04-05 13:27:58 UTC\r\nAs announced by the US Department of Justice, the FBI and US DoD’s Defense Criminal Investigative Service\r\n(DCIS) have managed to disrupt the infrastructure of the notorious infostealer, Danabot. ESET is one of the many\r\ncybersecurity companies to participate in this long-term endeavor, becoming involved back in 2018. Our\r\ncontribution included providing technical analyses of the malware and its backend infrastructure, as well as\r\nidentifying Danabot’s C\u0026C servers. The joint takedown effort also led to the identification of individuals\r\nresponsible for Danabot development, sales, administration, and more. ESET took part in the effort alongside\r\nAmazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru, Zscaler, Germany’s\r\nBundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police.\r\nThese law enforcement operations were conducted under Operation Endgame – an ongoing global initiative aimed\r\nat identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the\r\noperation successfully took down critical infrastructure used to deploy ransomware through malicious software.\r\nSince Danabot has largely been disrupted, we will use this opportunity to share our insights into the workings of\r\nthis malware-as-a-service (MaaS) operation, covering the features used in the latest versions of the malware, the\r\nauthors’ business model, and an overview of the toolset offered to affiliates. 
Apart from exfiltrating sensitive data,\r\nwe have observed that Danabot is also used to deliver further malware – including ransomware – to an already\r\ncompromised system.\r\nKey points of the blogpost:\r\nESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that\r\nresulted in a major disruption of the malware’s infrastructure.\r\nWhile primarily developed as an infostealer and banking trojan, Danabot also has been used to\r\ndistribute additional malware, including ransomware.\r\nDanabot’s authors promote their toolset through underground forums and offer various rental\r\noptions to potential affiliates.\r\nThe typical toolset provided by Danabot’s authors to their affiliates includes an administration\r\npanel application, a backconnect tool for real-time control of bots, and a proxy server application\r\nthat relays the communication between the bots and the actual C\u0026C server.\r\nAffiliates can choose from various options to generate new Danabot builds, and it’s their\r\nresponsibility to distribute these builds through their own campaigns.\r\nBackground\r\nDanabot, which belongs to a group of infostealer and/or banking malware families coded in the Delphi\r\nprogramming language, gained prominence in 2018 by being used in a spam campaign targeting Australian users.\r\nhttps://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/\r\nPage 1 of 20\n\nSince then, Danabot has expanded to other markets through various campaigns, undergone several major updates\r\nof its internals and backend infrastructure, and experienced both peaks and downturns in popularity among\r\ncybercriminals.\r\nThroughout our monitoring since 2018, ESET has tracked and analyzed a substantial number of distinct samples\r\nand identified more than 1,000 unique C\u0026C servers. 
During that period, ESET analyzed various Danabot\r\ncampaigns all over the world, with Poland historically being one of the most targeted countries, as seen in Figure\r\n1.\r\nFigure 1. Worldwide Danabot detections as seen in ESET telemetry since 2018\r\nIn addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing\r\ncompromised machines for launching DDoS attacks. For example, a DDoS attack against Ukraine’s Ministry of\r\nDefense was spotted by Zscaler soon after the Russian invasion of Ukraine. A very similar DDoS module to the\r\none used in that attack was also used by a Danabot operator to target a Russian site dedicated to Arduino\r\ndevelopment. These actions were probably motivated by the affiliate’s own ambitions and political motivations.\r\nDanabot group introduction\r\nThe authors of Danabot operate as a single group, offering their tool for rent to potential affiliates, who\r\nsubsequently employ it for their own malicious purposes by establishing and managing their own botnets. The\r\nauthors have even set up a support page on the Tor network with detailed information about the capabilities of\r\ntheir tool, as depicted in Figure 2.\r\nFigure 2. Danabot’s features as promoted on its support site\r\nTo acquire new customers, Danabot is frequently promoted in underground forums by the user JimmBee, who acts\r\nas one of the main developers and administrators of the Danabot malware and its toolset. 
Another noteworthy\r\nperson from the Danabot group is a user known in underground forums as Onix, who coadministers the Danabot\r\ninfrastructure and is also responsible for sales operations.\r\nFeature overview\r\nDanabot’s authors have developed a vast variety of features to assist customers with their malevolent objectives.\r\nThe most prominent features offered by Danabot include:\r\nthe ability to steal various data from browsers, mail clients, FTP clients, and other popular software,\r\nkeylogging and screen recording,\r\nreal-time remote control of the victims’ systems,\r\na FileGrabber command, commonly used for stealing cryptocurrency wallets,\r\nsupport for Zeus-like webinjects and form grabbing, and\r\narbitrary payload upload and execution.\r\nBesides utilizing its stealing capabilities, we have observed a variety of payloads being distributed through\r\nDanabot over the years, such as:\r\nSystemBC,\r\nRescoms,\r\nUrsnif,\r\nSmokeloader,\r\nZloader,\r\nLumma Stealer,\r\nRecordBreaker,\r\nLatrodectus, and\r\nNetSupportManager remote administration tool.\r\nFurthermore, we have encountered instances of Danabot being used to download ransomware onto already\r\ncompromised systems. We can name LockBit, Buran, Crisis, and a NonRansomware variant being pushed on\r\nseveral occasions.\r\nDanabot’s ability to download and execute arbitrary payloads is not the only feature used to distribute additional\r\nmalware. Danabot was also spotted being used as a tool to hand off control of the botnet to a ransomware operator,\r\nas reported by Microsoft Threat Intelligence in late 2023.\r\nDistribution methods\r\nThroughout its existence, according to our monitoring, Danabot has been a tool of choice for many cybercriminals\r\nand each of them has used different means of distribution. 
Danabot’s developers even partnered with the authors\r\nof several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers,\r\nhelping them with the process. Matanbuchus is an example of such a promoted loader.\r\nOver the years, we have seen all sorts of distribution methods being used by Danabot affiliates, including:\r\nnumerous variants of email spam campaigns,\r\nother malware such as Smokeloader, DarkGate, and Matanbuchus, and\r\nmisuse of Google Ads.\r\nRecently, out of all distribution mechanisms we saw, the misuse of Google Ads to display seemingly relevant, but\r\nactually malicious, websites among the sponsored links in Google search results stands out as one of the most\r\nprominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with\r\nlegitimate software and offering such a package through bogus software sites (Figure 3) or websites falsely\r\npromising users to help them find unclaimed funds (Figure 4).\r\nFigure 3. Fake Advanced IP Scanner website leading to Danabot compromise\r\nFigure 4. Fake unclaimed money search site\r\nThe latest addition to these social engineering techniques is deceptive websites offering solutions for fabricated\r\ncomputer issues, whose only purpose is to lure the victim into executing a malicious command secretly inserted\r\ninto the user’s clipboard. An example of such a website leading to the download of Danabot is shown in Figure 5.\r\nFigure 5. 
Website luring the victim into executing a malicious command stored in the user’s\r\nclipboard\r\nInfrastructure\r\nOverview\r\nInitially, Danabot’s authors relied on a single centralized server to manage all bots’ connections and all affiliates’\r\ndata, such as command configurations and data collected from their victims. This centralized approach certainly\r\nhad a negative impact on that server’s performance and was more prone to possible disruptions. This is probably\r\none of the reasons why we saw a shift in the business and infrastructure models in newer versions. In addition to\r\nrenting places on their own infrastructure, Danabot’s authors now offer installation of a private server, as\r\nadvertised on their support site, to be operated by the affiliate (Figure 6).\r\nFigure 6. Basic offering on Danabot’s support site\r\nThe rental options, as offered through an underground forum in July 2023, are illustrated in Figure 7.\r\nFigure 7. Price list for potential Danabot customers\r\nIt is worth mentioning that, based on our tracking, the rental of an account on the shared infrastructure controlled\r\nby Danabot’s authors seems to be the most popular choice for threat actors.\r\nWhen affiliates purchase a rental of one of the options, they are given tools and credentials to connect to the C\u0026C\r\nserver and manage their own botnet through an administration panel. In the following sections, we cover the\r\ndifferent parts of the typical toolset.\r\nC\u0026C server application\r\nThe standalone server application comes in the form of a DLL file and acts as the brain of the botnet. It is installed\r\non a Windows server and uses a MySQL database for data management. 
Bots connect to this server to transmit\r\nstolen data and receive commands issued by affiliates. Affiliates connect to this server via the administration panel\r\napplication to manage their botnet. This C\u0026C server application is available for local installation only for affiliates\r\npaying for the higher tier personal server option. Affiliates who choose to operate their botnets on Danabot’s\r\ninfrastructure instead are given connection details to the C\u0026C server already set up there, and do not need to host\r\ntheir own C\u0026C server.\r\nAdministration panel\r\nThe administration panel, displayed in Figure 8, is in the form of a GUI application, and represents the most\r\nimportant tool from the botnet operator’s perspective. It allows the affiliate to connect to the C\u0026C server and\r\nperform tasks such as:\r\nmanage bots and retrieve statistics of the botnet,\r\nissue various commands and advanced configuration for bots,\r\nconveniently view and export data gathered from victims,\r\nmanage the notification system and set up alerts on events triggered by bots,\r\ngenerate new Danabot builds, and\r\nset up a chain of proxy servers for communication between the bots and the C\u0026C server.\r\nWe provide more details and examples of the most interesting capabilities of the administration panel in the\r\nupcoming sections.\r\nFigure 8. Administration panel overview\r\nBackconnect tool\r\nAnother important tool for administration is the standalone utility that enables botnet operators to remotely\r\nconnect to and control their online bots. Available actions for remote control, as seen in the tool, are illustrated in\r\nFigure 9. 
Probably the most interesting features for cybercriminals are the ability to see and control the victim’s\r\ncomputer via a remote desktop connection and to perform reconnaissance of the file system using the built-in file\r\nmanager.\r\nFigure 9. Features of the backconnect utility\r\nProxy server application\r\nBots typically do not connect to the main C\u0026C server directly, but rather use a chain of proxies to relay the traffic\r\nand hide the location of the real backend C\u0026C. To facilitate this strategy, Danabot’s authors provide a proxy\r\nserver application, available for both Windows and Linux systems. Figure 10 shows the usage message from the\r\nLinux version of this simple proxy server application. Besides using proxies, bots can be configured to\r\ncommunicate with the server through the Tor network in case all proxy chains become unavailable. An optional\r\ndownloadable Tor module is then used for such communication.\r\nFigure 10. Usage message from the Linux version of the proxy server application\r\nAffiliates also frequently utilize this proxy server application as an intermediary between their administration\r\npanel and the C\u0026C server to further enhance their anonymity. When everything is put together, the typical\r\ninfrastructure may look as shown in Figure 11.\r\nFigure 11. Example of typical Danabot infrastructure\r\nInternals\r\nCommunication\r\nDanabot employs its own proprietary C\u0026C communication protocol with its data encrypted using AES-256.\r\nGenerated AES session keys, unique for every message, are then further encrypted using RSA key pairs, securing\r\nthe whole communication. 
It’s worth mentioning that there have been several updates to the communication\r\nprotocol and the packet structure over time.\r\nThe current packet data structure of the typical command, before it is encrypted, looks as shown in Table 1. We\r\nwould like to point out that most of the fields are only used during the first request in the communication loop to\r\nauthenticate the bot, and are left unset in the subsequent commands.\r\nTable 1. Packet structure used in Danabot communication\r\nOffset Size (bytes) Description\r\n0x00 0x04 Size of the packet.\r\n0x04 0x08 Random value.\r\n0x0C 0x08 Sum of the two values above.\r\n0x14 0x04 Account ID used to differentiate affiliates in the previous versions. This field contains a random value in newer versions.\r\n0x18 0x04 Command.\r\n0x1C 0x04 Subcommand.\r\n0x20 0x04 Danabot version.\r\n0x24 0x04 IsUserAdmin flag.\r\n0x28 0x04 Process integrity level.\r\n0x2C 0x04 OS architecture x86/x64.\r\n0x30 0x04 Encoded Windows version.\r\n0x34 0x04 Time zone bias as a DWORD value.\r\n0x38 0x04 Unknown bytes; set to 0 in the current versions.\r\n0x3C 0x04 Tor active flag.\r\n0x40 0x04 Unknown bytes; set to 0 in the current versions.\r\n0x44 0x18 Padding null bytes.\r\n0x5C 0x21 Bot ID Delphi string (a string preceded by a length byte).\r\n0x7D 0x21 Build ID hardcoded Delphi string.\r\n0x9E 0x21 MD5 checksum of concatenated Account ID, Bot ID, and Build ID strings.\r\n0xBF 0x29 Command dependent string used in some commands complemented by its CRC-32 and a string size.\r\n0xE8 0xDF Padding null bytes.\r\nThe newest versions of Danabot also add, to further disguise its communication, a random amount of seemingly\r\njunk bytes to the end of the packet structure before it is encrypted. 
It’s worth mentioning that Danabot authors do\r\nnot always follow the best coding practices: the addition of this random number of bytes was done by resizing\r\nthe original memory buffer allocated to hold the packet structure without clearing or initializing this newly\r\nacquired space. This led to unintentionally including surrounding memory regions of the process into the data\r\npacket being sent from the bot to the server and, more importantly, vice versa. These appended memory regions\r\ncaptured and decrypted from the server-to-bot communication sometimes contained interesting information from\r\nthe server’s process memory and gave researchers valuable insight into Danabot’s infrastructure and its users. This\r\nbug was introduced in 2022 and was fixed in the latest versions of Danabot in February 2025.\r\nFurther details about the communication and its encryption were already covered by various researchers, and we\r\nwon’t dive into them further in this blogpost.\r\nBuilds\r\nBotnet operators have multiple options for generating new Danabot builds to distribute to their victims. To the best\r\nof our knowledge, while the operator may configure the build process and desired output through the\r\nadministration panel application, the build process itself is performed on the Danabot authors’ servers. After\r\ngenerating the selected build, the operator receives download links for the builds and becomes responsible for\r\ntheir distribution in a campaign.\r\nFigure 12 shows an example of a build configuration window and available options, such as the C\u0026C server list to\r\nbe configured in the final binary file, various obfuscation methods, build bitness, etc.\r\nFigure 12. Build options menu from the Administration panel application\r\nDanabot currently offers four basic payload types, described in Table 2.\r\nTable 2. 
Variants of available builds\r\nPayload type Description\r\nMain.dll Generates a sole main component in the form of a DLL to be distributed and loaded via rundll32.exe or regsvr32.exe.\r\nMain.exe Generates a loader in the form of an EXE that may contain the abovementioned main component DLL or download it from one of the configured C\u0026C servers.\r\nDrop.exe Generates a dropper with an embedded main component DLL to be dropped to disk.\r\nDrop.msi Generates an MSI package with an embedded main component DLL to be loaded.\r\nCommands configuration\r\nA botnet operator can issue an advanced configuration to the bots through the administration panel. Bots are then\r\nordered to perform various commands according to the instructions received. Figure 13 shows an example of such\r\na command configuration.\r\nFigure 13. Dynamic configuration options for the FileGrabber command\r\nTable 3 lists the available commands that can be issued. Each task has its own specific options to further\r\naccommodate the operator’s needs.\r\nTable 3. 
Available commands\r\nCommand Description\r\nVideo Record a video of the selected application or website.\r\nKeyLogger Capture keystrokes from the selected application.\r\nPostFilter Grab information from certain websites’ forms.\r\nWebInject Allow Zeus-like webinjects on certain loaded websites to alter their function.\r\nRedirect Allow redirection of certain URLs.\r\nBlock Block access to configured URLs.\r\nScreens Take screenshots of a selected application or website at certain intervals.\r\nAlerts Allow notifications to be sent to a selected Jabber account on a configurable event.\r\nUninstall Uninstall the bot from the system.\r\nUAC Provide support for privilege escalation.\r\nFileGrabber Allow certain files to be uploaded to the C\u0026C if found on the victim’s hard disk.\r\nTorActive Enable loading of a Tor module and allow connection via the Tor network if all C\u0026C servers are inaccessible.\r\nStealer Enable/disable the stealer functionality and set its update interval.\r\nTimeOut Set interval for the bot to contact its C\u0026C server.\r\nInstall Configure the bot’s installation on the system and its persistence.\r\nExclusion Set exclusions in Windows Defender or Windows Firewall for a selected process.\r\nConfigSave Save the bot’s configuration before its termination.\r\nHideProcess Hide the bot’s process.\r\nCoreProtect Allow the main component to be injected into an additional process.\r\nAdditional payloads\r\nDanabot also provides the capability to download and execute further executable files. This feature allows the\r\nbotnet operator to configure the installation of additional malware to the compromised system, as mentioned\r\nearlier. Figure 14 shows available options for this feature in the administration panel application.\r\nFigure 14. 
Options for an additional payload configuration\r\nConclusion\r\nDanabot is a large-scale MaaS operation that puts a wide array of tools at its affiliates’ disposal. Our\r\ninvestigation of this infostealer, which started in 2018, resulted in the analysis of Danabot’s toolset provided in\r\nthis blogpost. The efforts of the authorities and several cybersecurity companies, ESET included, led to the\r\ndisruption of the malware’s infrastructure. It remains to be seen whether Danabot can recover from the takedown.\r\nThe blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in\r\nthe malware’s operations.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\n6D361CD9ADBF1630AF7B323584168E0CBD9315FB N/A Win32/Spy.Danabot.X Loader of the main component (version 4006).\r\nA7475753CB865AEC8DC4A6CEA27F2AA594EE25E8 N/A Win32/Spy.Danabot.O Main component (version 4006).\r\n787EAB54714F76099EC350E029154ADFD5EDF079 N/A Win32/Spy.Danabot.AC Dropper component (version 3272).\r\n17B78AD12B1AE1C037C5D39DBE7AA0E7DE4EC809 1c0e7316.exe MSIL/Kryptik.AMBV Lockbit payload (variant Black) distributed by Danabot.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n212.18.104[.]245 N/A GLOBAL CONNECTIVITY SOLUTIONS LLP 2025‑03‑25 Danabot proxy C\u0026C server\r\n212.18.104[.]246 N/A GLOBAL CONNECTIVITY SOLUTIONS LLP 2025‑03‑25 Danabot proxy C\u0026C server\r\n34.16.215[.]110 N/A Google LLC 2024‑10‑10 Danabot proxy C\u0026C server\r\n34.65.116[.]208 N/A Google LLC 2024‑10‑10 Danabot proxy C\u0026C server\r\n34.168.100[.]35 N/A Google LLC 2024‑11‑27 Danabot proxy C\u0026C server\r\nN/A advanced-ip-scanned.com N/A 2023‑08‑21 Deceptive website used in Danabot distribution\r\nN/A gfind.org N/A 2022‑06‑15 Deceptive website used in Danabot distribution\r\nN/A mic-tests.com N/A 2024‑12‑07 Deceptive website used in Danabot distribution\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nResource Development T1583.003 Acquire Infrastructure: Virtual Private Server Danabot operators use VPS in their infrastructure.\r\nT1583.004 Acquire Infrastructure: Server Danabot operators acquire multiple servers for C\u0026C communication.\r\nT1587.001 Develop Capabilities: Malware Danabot authors have developed custom malware tools.\r\nT1608.001 Stage Capabilities: Upload Malware Danabot operators upload other malware to their infrastructure for further spreading.\r\nT1583.008 Acquire Infrastructure: Malvertising Malvertising is a popular method of Danabot distribution.\r\nInitial Access T1566.001 Phishing: Spearphishing Attachment Phishing is a common method used for distribution.\r\nExecution T1106 Native API Dynamic Windows API resolution is used by Danabot.\r\nT1204.001 User Execution: Malicious Link Luring users into downloading Danabot via a malicious link is a popular distribution choice.\r\nT1204.002 User Execution: Malicious File Danabot is often distributed as a file to be opened by the user.\r\nPrivilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control Several methods are used by Danabot to bypass User Account Control.\r\nDefense Evasion T1027.007 Obfuscated Files or Information: Dynamic API Resolution Danabot uses hashing for dynamic API resolution.\r\nT1055.001 Process Injection: Dynamic-link Library Injection Danabot has the ability to inject itself into other processes.\r\nT1218.007 System Binary Proxy Execution: Msiexec An MSI package is one of the possible distribution methods.\r\nT1218.010 System Binary Proxy Execution: Regsvr32 regsvr32.exe can be used to execute the main Danabot module.\r\nT1218.011 System Binary Proxy Execution: Rundll32 rundll32.exe can be used to execute the main Danabot module.\r\nT1656 Impersonation Danabot uses impersonation in its phishing campaigns.\r\nCredential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers Danabot has the ability to steal various data from browsers.\r\nT1539 Steal Web Session Cookie Danabot can steal cookies.\r\nDiscovery T1010 Application Window Discovery Danabot can be configured to steal data based on the active window.\r\nT1217 Browser Information Discovery Data, such as browsing history, can be gathered by Danabot.\r\nT1083 File and Directory Discovery Danabot can be configured to gather certain files from the compromised file system.\r\nT1057 Process Discovery Danabot can enumerate running processes on a compromised system.\r\nLateral Movement T1021.001 Remote Services: Remote Desktop Protocol Danabot operators can use the remote desktop module to access compromised systems.\r\nT1021.005 Remote Services: VNC VNC is one of the supported features for controlling a compromised system.\r\nCollection T1056.001 Input Capture: Keylogging Keylogging is one of Danabot’s features.\r\nT1560.002 Archive Collected Data: Archive via Library Danabot can use zlib and ZIP to compress collected data.\r\nT1560.003 Archive Collected Data: Archive via Custom Method Collected data is further encrypted using AES and RSA cyphers.\r\nT1119 Automated Collection Danabot can be configured to collect various data automatically.\r\nT1185 Browser Session Hijacking Danabot can perform AitB attacks via webinjects.\r\nT1115 Clipboard Data Danabot can collect information stored in the clipboard.\r\nT1005 Data from Local System Danabot can be configured to search for sensitive data on a local file system.\r\nT1113 Screen Capture Danabot can be configured to capture screenshots of applications and web pages.\r\nT1125 Video Capture Danabot can capture video from the compromised system.\r\nCommand and Control T1132.001 Data Encoding: Standard Encoding Traffic between bot and C\u0026C server is compressed using ZIP and zlib.\r\nT1001.001 Data Obfuscation: Junk Data Junk bytes are added to data to be sent between bot and C\u0026C server.\r\nT1573.001 Encrypted Channel: Symmetric Cryptography AES-256 is used as one of the encryption methods of C\u0026C communication.\r\nT1573.002 Encrypted Channel: Asymmetric Cryptography RSA is used as one of the encryption methods of C\u0026C communication.\r\nT1008 Fallback Channels The Tor module can be used as a fallback channel in case all regular C\u0026C servers are not responding.\r\nT1095 Non-Application Layer Protocol Danabot uses its own custom TCP protocol for communication.\r\nT1571 Non-Standard Port Danabot can communicate on any port.\r\nT1090.003 Proxy: Multi-hop Proxy A chain of proxy servers is used to hide the location of the real C\u0026C server.\r\nT1219 Remote Access Software Danabot has support for remote access.\r\nExfiltration T1020 Automated Exfiltration Danabot can be configured to gather various data from a compromised system.\r\nT1030 Data Transfer Size Limits Danabot can be configured to avoid sending large files from a compromised system.\r\nT1041 Exfiltration Over C2 Channel Gathered data is exfiltrated through standard C\u0026C communication.\r\nImpact T1498 Network Denial of Service Danabot employed a module to perform various DDoS attacks.\r\nSource: https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/danabot-analyzing-fallen-empire/"
	],
	"report_names": [
		"danabot-analyzing-fallen-empire"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/875bdafd61b4c78925f76a04eed080e523944055.pdf",
		"text": "https://archive.orkl.eu/875bdafd61b4c78925f76a04eed080e523944055.txt",
		"img": "https://archive.orkl.eu/875bdafd61b4c78925f76a04eed080e523944055.jpg"
	}
}