{
	"id": "75d093fa-0039-411e-b0f3-297e8a7ad01c",
	"created_at": "2026-04-06T01:30:51.350457Z",
	"updated_at": "2026-04-10T03:21:18.866673Z",
	"deleted_at": null,
	"sha1_hash": "87f690d612dfae00174d062504bbaad16c741e42",
	"title": "DanaBot Launches DDoS Attack | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 492941,
	"plain_text": "DanaBot Launches DDoS Attack | ThreatLabz\r\nBy Dennis Schwarz, Brett Stone-Gross\r\nPublished: 2022-03-02 · Archived: 2026-04-06 01:01:09 UTC\r\nMarch 7, 2022 Update\r\nDanaBot affiliate ID 5 has stopped DDoSing the Ukrainian Ministry of Defense’s webmail server and started DDoSing a hardcoded IP address, 138.68.177[.]158. According to Passive DNS data, this IP address has recently been associated with invaders-rf[.]com. This site claims to be (Google translated):\r\n“...an information resource of the Office of the National Security and Defense Council of Ukraine, which provides information about prisoners of war of the Russian Armed Forces who have invaded the territory of Ukraine since February 24, 2022. The portal will be available to Russian citizens, including soldiers' families or acquaintances, to obtain information on the condition and whereabouts of prisoners.”\r\nGiven the threat actor’s previous targeting, this seems like the likely target. The DDoS attack payload was written and distributed similarly to the Ukrainian Ministry of Defense DDoS payload on March 2, 2022:\r\nKey Points\r\nA threat actor using DanaBot has launched a Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server.\r\nThe DDoS attack was launched by leveraging DanaBot to deliver a second-stage malware payload using the download and execute command.\r\nIt is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation.\r\nDanaBot, first discovered in 2018, is a malware-as-a-service platform where threat actors, known as affiliates, are identified by affiliate IDs. These affiliates purchase access to the platform from another threat actor who develops the malware and command and control (C2) panel, sets up and maintains the shared C2 infrastructure, and provides sales and customer support. 
Affiliates then distribute and use the malware as they see fit--mostly to steal credentials and commit banking fraud.\r\nOn Wednesday March 2, 2022, in the midst of the 2022 Russian invasion of Ukraine, the threat actor identified by the affiliate ID 5 launched an HTTP-based Distributed Denial of Service (DDoS) attack against the Ukrainian Ministry of Defense’s webmail server with the URL hxxps://post.mil.gov[.]ua as shown in Figure 1:\r\nhttps://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense\r\nPage 1 of 6\n\nFigure 1: Hardcoded DDoS Target Attacked by DanaBot With Affiliate ID 5\r\nAt the time of publication, the webmail server is still online and reachable as shown in Figure 2.\r\nFigure 2: Ukrainian Ministry of Defense’s Webmail Server Targeted by DanaBot Affiliate ID 5\r\nThe DDoS attack was launched using DanaBot's download and execute command (command 2048 / subcommand 9) to deliver a new executable with the SHA-256 hash:\r\nb61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700\r\nSimilar to DanaBot, the downloaded DDoS executable is written in the Delphi programming language. Its sole functionality is to implement a bare-bones HTTP-based DDoS attack on a hardcoded target. The executable is very similar to the one used in another DanaBot DDoS attack that was documented in November 2021. In that attack, the DanaBot affiliate ID 4 launched a DDoS attack against a Russian-language electronics forum.\r\nConclusion\r\nWhile the timing and targeting certainly suggest this new attack is related to the 2022 Russian invasion of Ukraine, it is unclear whether this is an act of individual hacktivism, something state-sponsored, or possibly a false flag operation. 
If the threat actor’s motive is to attack Ukraine, it is quite likely that in addition to the DDoS attack, the actor is using DanaBot’s more typical functionality such as credential theft and document theft against any relevant victims as well.\r\nCloud Sandbox Detection\r\nIndicators of Compromise\r\nIOC - Notes\r\n7ea65c1cb2687be42f427571e3223e425d602d043c39f690d0c3c42309aff513 - SHA256 hash for the affiliate ID 5 DanaBot loader component\r\n192.236.161[.]4 - DanaBot affiliate ID 5 C2 server\r\n23.106.122[.]14 - DanaBot affiliate ID 5 C2 server\r\n5.9.224[.]217 - DanaBot affiliate ID 5 C2 server\r\nockiwumgv77jgrppj4na362q4z6flsm3uno5td423jj4lj2f2meqt6ad[.]onion - DanaBot affiliate ID 5 C2 server\r\nb61cd7dc3af4b5b56412d62f37985e8a4e23c64b1908e39510bc8e264ebad700 - SHA256 hash for the DDoS attack tool targeting the Ukrainian Ministry of Defense\r\nfd217dde8d03cfb9179f5ad783665bb67c47a92278971e28c3d399e7ac6f0a54 - SHA256 hash for the DDoS attack tool targeting invaders-rf[.]com\r\nc732d57f5b3354c368e54a16b193457d6f06b707c0388c5643677a9de13e04db - SHA256 hash for the DDoS attack tool targeting invaders-rf[.]com\r\n9706a9d8aacea34071f6f1691dc3c1af3d01868fc17deb83a4b8f33e2342a9d3 - SHA256 hash for the DDoS attack tool targeting invaders-rf[.]com\r\nAbout ThreatLabz\r\nThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. 
In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.\r\nSource: https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense"
	],
	"report_names": [
		"danabot-launches-ddos-attack-against-ukrainian-ministry-defense"
	],
	"threat_actors": [],
	"ts_created_at": 1775439051,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87f690d612dfae00174d062504bbaad16c741e42.pdf",
		"text": "https://archive.orkl.eu/87f690d612dfae00174d062504bbaad16c741e42.txt",
		"img": "https://archive.orkl.eu/87f690d612dfae00174d062504bbaad16c741e42.jpg"
	}
}