{
	"id": "524300aa-cc09-43e5-b19d-c5e72fc52d42",
	"created_at": "2026-04-06T00:17:41.692226Z",
	"updated_at": "2026-04-10T03:30:32.934841Z",
	"deleted_at": null,
	"sha1_hash": "bdf93ab70a4069a893e693e136b01fc0e31393bd",
	"title": "DanaBot’s New Tactics and Targets Arrive in Time for Peak Phishing and Fraud Season",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2998240,
	"plain_text": "DanaBot’s New Tactics and Targets Arrive in Time for Peak Phishing and Fraud Season\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-05 18:59:38 UTC\r\nFirst detected in May 2018 [1], DanaBot is a powerful banking trojan that has historically focused heavily on financial services institutions in both Australia and Europe. F5 Labs has been following DanaBot since November 2018, when we began publishing campaign updates. In August 2019, we included it in our Reference Guide to the Malware Family Tree (/content/f5-labs-v2/en/archive-pages/education/banking-trojans-a-reference-guide-to-the-malware-family-tree.html). DanaBot has grown quickly since it was first detected, primarily due to its modularity and distribution methods. Similar to the Zeus banking trojan, DanaBot is known for its plug-and-play modules, which can drastically alter tactics and priorities. DanaBot has been linked to both Zeus and Gozi, two of the original banking trojans, though it is not formally part of either family. Ever since DanaBot emerged on the banking trojan scene, it has been a heavy hitter, causing significant damage wherever it goes.\r\nLike most of the other notable banking trojans, DanaBot continues to shift tactics and evolve in order to stay relevant. F5 malware researchers first noticed these shifting tactics in September 2019; however, it is possible they began even earlier.\r\nAs of September 2019, DanaBot shifted its focus from solely financial services targets to include attacks on ecommerce platforms and social media sites. DanaBot has not left its banking trojan roots behind but has expanded its focus to these new targets.\r\nAlong with adding new targets, DanaBot was seen utilizing a ransomware module, which may also indicate a change in priorities.\r\nTo conduct these attacks, DanaBot is using two new methods for theft.\r\nThe first method creates fake forms on popular websites using the JavaScript Tables library, which has previously been seen in use by other high-profile banking trojans; in these forms users are prompted for credit card details. This is executed with HTML and JavaScript that originates from an external source and is injected into the page.\r\nThe second method involves using a malicious iframe and abusing the p.a.c.k.e.r. framework, which is a legitimate way to compress and obfuscate code, in order to create a command and control (CNC) communication mechanism.\r\nWe observed these new DanaBot tactics tampering with popular websites such as AliExpress and Groupon. Technical details follow these images showing what users see.\r\nhttps://www.f5.com/labs/articles/threat-intelligence/danabot-s-new-tactics-and-targets-arrive-in-time-for-peak-phishi\r\nPage 1 of 14\n\nTechnical Breakdown: Malicious Tables and Forms\r\nDanaBot, like other heavy-hitting banking trojans such as Zeus and Gozi, is known for its web injections, the primary way it steals credentials and money from its victims. Researchers were able to see into the DanaBot server in order to begin analyzing some of the tailor-made webinjects. This is where they are stored (see Figure 1) before the selected webinject is injected into a target when the user navigates to a particular site.\r\nFigure 1. Screen capture from within the malicious DanaBot server where all of the tailor-made webinjects are located\r\nBefore the malicious forms pop up on a user’s screen, the malicious JS Tables library starts its work by checking to see if the victim is logged into a specific website on the DanaBot target list. The user’s operating system must already be infected with DanaBot. If so, the malware is able to check whether a user is logged into a website on the target list by validating the login with a simple HTML element search for identifiers that are unique to a logged-in user.\r\nFigure 2. Code that checks to see if an HTML element with the id “sign-out” is in the page. If it is, DanaBot starts its malicious operation.\r\nThese operations are notable because they show the time and attention put into crafting this malware. This allows for a very targeted, sniper-like attack only on users logged into specific sites. Others may have no idea DanaBot is even running on their machines.\r\nFigure 3. Code that checks whether a “span” element whose class attribute contains “welcome” and “-title” exists. If it does, DanaBot creates the fake popup form.\r\nAs shown in figures 2 and 3, this simple but accurate check is an elegant solution to see if a user is logged in. The validation is unique to each target site. Once the code validates that this HTML element exists in the page, the next step of the fraud malware executes.\r\nThe malware uses the Tables JavaScript library to create fake payment request forms where users input information. In the past, the JS Tables library was used by high-profile banking trojan malware operations, including Zeus and Ursnif/Gozi.\r\nThis client-side logic includes some useful utility methods, including:\r\nA check to see if the email or a date is valid (day, month, year), right after the user inserts those inputs into the fake message.\r\nA decoder method for HTML entities.\r\nAn event attribute attacher whose purpose is to disable the enter key for form submit (forcing the victim to use the fake form with the malicious event button).\r\nA replacement submit button carrying the malicious logic of the fraudsters.\r\nA JavaScript tool for URL encoding/decoding.\r\nA validation to see if JS objects and variables are null.\r\nFigure 4. A utility function checking the date\r\nFigure 5. The utility function for disabling the enter key via the keyboard so the malicious “click” event will replace it\r\nFigure 6. The utility method showing a replacement of a legitimate button with a fake one that includes the fraudsters’ logic\r\nThe Tables JavaScript library and utility methods are used together to create fake forms where users enter information. F5 researchers have noticed these targeting popular ecommerce sites, with a few examples shown in this article. Before DanaBot in September 2019, this tactic had not been seen. By forcing victims to input credit card information into these fake web forms, DanaBot is overtly collecting payment information. These forms are not intuitive for users to escape out of. Victims often choose the path of least resistance on a website they believe is legitimate, so they enter the requested information.\r\nFigure 7. A malicious form DanaBot puts into eBay in order to capture financial information\r\nThis tactic is similar to other banking trojan tactics, where victims think they are entering credentials or other sensitive information into websites they don’t know are spoofed. Here, the entire website is not spoofed, but the addition of this form on top of a legitimate page increases the likelihood that victims will enter personal data.\r\nThese examples (eBay, AliExpress, and Groupon) are significant, not only because they show a new tactic used by DanaBot, but also because they show a shift from targeting mostly financial services institutions to popular ecommerce platforms, where users are accustomed to entering payment information.\r\nFigure 8. The malicious form on AliExpress, a popular ecommerce platform\r\nThis latest DanaBot campaign is also global, given that American websites such as Groupon and eBay are targets (see figures 7 and 8) as well as AliExpress (see figure 9), a popular global ecommerce platform from China. This further demonstrates that cybercrime is not confined to any national borders, so users must always remain vigilant, no matter where in the world they reside.\r\nFigure 9. A malicious form on Groupon, a popular ecommerce platform\r\nAlong with ecommerce targets, DanaBot is expanding to social media and streaming websites. This includes Twitch, the world’s leading live streaming platform for gamers. Users can watch and chat with others online, and there are opportunities for them to enter their credit card details to purchase Twitch Prime or to support specific channels. As such, DanaBot takes advantage of this and uses the same web injection technique to create a malicious table as used in these other examples.\r\nFigure 10. Malicious table on Twitch, stealing credit card information\r\nUsers of these platforms in particular need to remain vigilant. If forms like these pop up, they should immediately close the window and attempt to use a clean computer to access the site. There is also an opportunity for the operators of these popular ecommerce and streaming platforms to educate users in advance so they don’t lose personal or critical information.\r\nTechnical Breakdown: Obfuscation and Using iFrames\r\nAlong with this new tactic used to steal users’ financial information, DanaBot was also spotted as early as September 2019 abusing the p.a.c.k.e.r. framework, which is a legitimate way to compress and obfuscate code, in order to create a command and control (CNC) mechanism. Using Dean Edwards’ p.a.c.k.e.r compressor as the first step, DanaBot dynamically creates the second stage of the injection [2]. These two new techniques can be used together in order to trick users into entering sensitive financial information, which is then communicated back to a CNC server.\r\nAlong with the legitimate p.a.c.k.e.r. compressor, the JavaScript “eval” function is used. This function is known to be risky because it does not conduct any input validation and will execute anything that’s passed to it. The “evil” eval function [3] takes as an argument a decompressed string, which is the output from using p.a.c.k.e.r. A script is then created that checks to see if the victim is a logged-in user of that website.\r\nAfter that script is created, the malware uses a malicious iframe that sends messages and receives responses. This is done using the postMessage mechanism, which enables communication with its parent window, the website itself. The script then receives messages that are read by the first script, the one that was created using the eval function.\r\nThe full flow of this malicious activity is as follows:\r\nThe attacker uses the p.a.c.k.e.r compressor to dynamically create a function named NCCVBVGrabLoader, which checks to see if a victim is logged in and controls the communication with the iframe (its id attribute is “pmiframe”). The iframe is also appended by the NCCVBVGrabLoader script logic. NCCVBVGrabLoader takes the response from the iframe (id=pmiframe), which the iframe gets from the server, and turns it into a script that generates the next stage.\r\nThe response is crafted using the top.postMessage functionality [4] and contains the eval function, which triggers and creates the logic that injects fake HTML into the target website. This becomes the new controller of communication with the appended iframe.\r\nFinally, a script received through this mechanism is run; it carries the list of countries and the language the payment form will be filled in with.\r\nA full GIF showing what the user sees when logging in and getting the malicious pop-up is shown in figure 11.\r\nFigure 11. GIF showing the user experience when this malware executes\r\nDanaBot Attacker Infrastructure\r\nAfter utilizing either the new tactics discussed in previous sections or other webinject modules, the attacker is able to retrieve the victim’s sensitive information via the CNC. Both the Tables mechanism and the VBV mechanism that uses p.a.c.k.e.r have their own CNC server with a dedicated panel.\r\nFigure 12. The login page for the VBV grabber\r\nF5 researchers were able to log in through both of these login pages (see figures 12 and 13) and see the same data that DanaBot attackers see and use while conducting their fraudulent operations.\r\nFigure 13. The Tables login page\r\nOnce logged in to the DanaBot attacker control panel, researchers were able to see the actual victim data as well as the browser BOTID. This data is blurred in figure 14 as it is sensitive information.\r\nFigure 14. Actual data sent from the victim's browser to the DanaBot attacker server\r\nCompletely investigating the underlying server architecture and CNC structure of banking trojans such as DanaBot is an area of continuing research for the F5 malware team.\r\nConclusion\r\nAs with all banking trojans, DanaBot actively updates its tactics, techniques, and target list to both avoid detection and maintain continual operations to optimize the attacker’s financial reward. We are not surprised to see new tactics emerge in preparation for the peak (end-of-year) holiday phishing and fraud season. What is notable, along with these new tactics, is the shift in targets from solely financial institutions to ecommerce and streaming services.\r\nWhile we do not know who is maintaining this malware, the malware has been linked to Gozi and Tinba in the past, which use the same injection patterns. In addition, DanaBot has been said to be a “Zeus-like” piece of malware. Given this progression and the successful tactics used, we predict that DanaBot will continue to be a major player in the banking trojan world for the rest of 2019 into 2020.\r\nAll organizations, especially the known targets identified in this article, should make their customers aware that they are being targeted. The main purpose of these campaigns is to plant malware on their machines that is designed to steal credit card information and money, and to gain access to sensitive information that may be sent back to the malware authors and used for future exploitation.\r\nTo combat the impact of fraudulent transactions occurring as the result of malware-infected customer machines, organizations should implement fraud detections within their web platforms that can detect banking trojans and block resulting fraudulent transactions. For more details on how to combat phishing attacks that lead to fraud, see F5 Labs’ 2019 Phishing and Fraud Report.\r\nSecurity Controls\r\nEnterprises should consider implementing the following security controls (/content/f5-labs-v2/en/archive-pages/education/what-are-security-controls.html) based on their specific circumstances:\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/danabot-s-new-tactics-and-targets-arrive-in-time-for-peak-phishi",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/danabot-s-new-tactics-and-targets-arrive-in-time-for-peak-phishi"
	],
	"report_names": [
		"danabot-s-new-tactics-and-targets-arrive-in-time-for-peak-phishi"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434661,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bdf93ab70a4069a893e693e136b01fc0e31393bd.pdf",
		"text": "https://archive.orkl.eu/bdf93ab70a4069a893e693e136b01fc0e31393bd.txt",
		"img": "https://archive.orkl.eu/bdf93ab70a4069a893e693e136b01fc0e31393bd.jpg"
	}
}