{
	"id": "4f2aac2f-c886-42dc-b18f-90b9dd006367",
	"created_at": "2026-04-06T00:11:51.291144Z",
	"updated_at": "2026-04-10T13:12:20.980147Z",
	"deleted_at": null,
	"sha1_hash": "e1b72689db56b13d72d573d1d3f482387d9aec7e",
	"title": "DanaBot shifts its targeting to Europe, adds new features",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149680,
	"plain_text": "DanaBot shifts its targeting to Europe, adds new features\r\nBy ESET Research\r\nArchived: 2026-04-05 13:50:02 UTC\r\nRecently, we have spotted a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year.\r\nThe malware, first observed in campaigns targeting Australia and later Poland, has apparently expanded further,\r\nwith campaigns popping up in Italy, Germany, Austria, and as of September 2018, Ukraine.\r\nWhat is DanaBot?\r\nDanaBot is a modular banking Trojan, first analyzed by Proofpoint in May 2018 after being discovered in\r\nmalicious email campaigns targeting users in Australia. The Trojan is written in Delphi, has a multi-stage and\r\nmulti-component architecture, with most of its functionality implemented by plug-ins. At the time of the\r\ndiscovery, the malware was said to have been under active development.\r\nNew campaigns\r\nJust two weeks after the widely-reported initial campaigns in Australia, DanaBot was detected in a campaign\r\naimed at Poland. According to our research, the campaign targeting Poland is still ongoing and is the largest and\r\nmost active campaign to date. To compromise their victims, the attackers behind the Poland-targeted campaign use\r\nemails posing as invoices from various companies, as seen in Figure 1. The campaign makes use of a combination\r\nof PowerShell and VBS scripts widely known as Brushaloader.\r\nhttps://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/\r\nPage 1 of 10\n\nFigure 1 - Example of a spam email used in a Poland-targeted DanaBot campaign in September 2018\r\nAt the beginning of September, ESET researchers discovered several smaller campaigns targeting banks in Italy,\r\nGermany and Austria, using the same distribution method as observed in the Polish campaign. Further to this\r\ndevelopment, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. 
The\r\nsoftware and websites targeted in these new campaigns are listed at the end of this article.\r\nFigure 2 shows a spike in the DanaBot detection rate at the turn of August and again in September 2018, as seen in\r\nour telemetry data.\r\nFigure 2 – Overview of ESET product detections of DanaBot in the last two months\r\nPlug-in improvements\r\nGiven its modular architecture, DanaBot relies on plug-ins for most of its functionality.\r\nThe following plug-ins have previously been mentioned as a part of the Australia-targeted campaigns of May\r\n2018:\r\nVNC plug-in – establishes a connection to a victim’s computer and remotely controls it\r\nSniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking\r\nsites\r\nStealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN\r\nclients, chat and email programs, poker programs etc.)\r\nTOR plug-in – installs a TOR proxy and enables access to .onion web sites\r\nAccording to our research, the attackers have introduced several changes to the DanaBot plug-ins since the\r\npreviously reported campaigns.\r\nIn August 2018, the attackers started using the TOR plug-in for updating the C\u0026C server list from\r\ny7zmcwurl6nphcve.onion. While this plug-in could potentially be used to create a covert communication channel\r\nbetween the attacker and a victim, we have no evidence of such a use to date.\r\nIn addition to that, the attackers have extended the Stealer plug-in range with a 64-bit version compiled on August\r\n25, 2018, expanding the list of software potentially targeted by DanaBot.\r\nFinally, at the beginning of September 2018, an RDP plug-in was added to DanaBot. 
It is based on the open-source project RDPWrap that provides Remote Desktop Protocol connections to Windows machines that normally\r\ndo not support it.\r\nThere could be several reasons why the DanaBot developers added another plug-in that enables remote access\r\nbesides the VNC plug-in: First, the RDP protocol is less likely to be blocked by firewalls. Second, RDPWrap\r\nallows several users to use the same machine concurrently, enabling attackers to perform reconnaissance\r\noperations while the unsuspecting victim is still using the machine.\r\nConclusion\r\nOur findings show that DanaBot is still in active use and development, most recently testing out “new ground” in\r\nEuropean countries. The new features introduced in these latest campaigns indicate the attackers behind DanaBot\r\ncontinue to make use of the malware’s modular architecture to increase their reach and success rate.\r\nESET systems detect and block all DanaBot components and plug-ins under detection names listed in the IoCs\r\nsection. 
The software and domains targeted in these recent campaigns are listed in the following sections of this\r\nblog post.\r\nThis research was carried out by Tomáš Procházka and Michal Kolář.\r\nTargeted software\r\nSoftware targeted in all European campaigns\r\n*electrum*.exe*\r\n*electron*.exe*\r\n*expanse*.exe*\r\n*bitconnect*.exe*\r\n*coin-qt-*.exe*\r\n*ethereum*.exe*\r\n*-qt.exe*\r\n*zcash*.exe*\r\n*klient*.exe*\r\n*comarchcryptoserver*.exe*\r\n*cardserver*.exe*\r\n*java*.exe*\r\n*jp2launcher*.exe*\r\nSoftware targeted in Ukrainian campaign\r\nOn September 8, 2018, DanaBot started targeting the following corporate banking software and remote access\r\ntools:\r\n*java*.exe*\r\n*jp2launcher*.exe*\r\n*srclbclient*.exe*\r\n*mtbclient*.exe*\r\n*start.corp2*.exe*\r\n*javaw.*exe*\r\n*node*.exe*\r\n*runner*.exe*\r\n*ifobsclient*.exe*\r\n*bank*.exe*\r\n*cb193w*.exe*\r\n*clibankonlineen*.exe*\r\n*clibankonlineru*.exe*\r\n*clibankonlineua*.exe*\r\n*eximclient*.exe*\r\n*srclbclient*.exe*\r\n*vegaclient*.exe*\r\n*mebiusbankxp*.exe*\r\n*pionner*.exe*\r\n*pcbank*.exe*\r\n*qiwicashier*.exe*\r\n*tiny*.exe*\r\n*upp_4*.exe*\r\n*stp*.exe*\r\n*viewpoint*.exe*\r\n*acdterminal*.exe*\r\n*chiefterminal*.exe*\r\n*cc*.exe*\r\ninal*.exe*\r\n*uniterm*.exe*\r\n*cryptoserver*.exe*\r\n*fbmain*.exe*\r\n*vncviewer*.exe*\r\n*radmin*.exe*\r\nTargeted domains\r\nNote that wildcard characters are used in the configuration, so this list only contains portals which can be reliably\r\nidentified.\r\nTargeted Italian 
domains\r\ncredem.it\r\nbancaeuro.it\r\ncsebo.it\r\ninbank.it\r\nbancopostaimpresaonline.poste.it\r\nbancobpm.it\r\nbancopopolare.it\r\nubibanca.com\r\nicbpi.it\r\nbnl.it\r\nbanking4you.it\r\nbancagenerali.it\r\nibbweb.tecmarket.it\r\ngruppocarige.it\r\nfinecobank.com\r\ngruppocarige.it\r\npopso.it\r\nbpergroup.net\r\ncredit-agricole.it\r\ncariparma.it\r\nchebanca.it\r\ncreval.it\r\nbancaprossima.com\r\nintesasanpaoloprivatebanking.com\r\nintesasanpaolo.com\r\nhellobank.it\r\nTargeted German domains\r\nbv-activebanking.de\r\ncommerzbank.de\r\nsparda.de\r\ncomdirect.de\r\ndeutsche-bank.de\r\nberliner-bank.de\r\nnorisbank.de\r\ntargobank.de\r\nTargeted Austrian domains\r\nsparkasse.at\r\nraiffeisen*.at\r\nbawagpsk.com\r\nTargeted Ukrainian domains\r\nDomains added on September 14, 2018:\r\nbank.eximb.com\r\noschadbank.ua\r\nclient-bank.privatbank.ua\r\nDomains added on September 17, 2018:\r\nonline.pumb.ua\r\ncreditdnepr.dp.ua\r\nTargeted webmails\r\nmail.vianova.it\r\nmail.tecnocasa.it\r\nMDaemon Webmail\r\nemail.it\r\noutlook.live.com\r\nmail.one.com\r\ntim.it\r\nmail.google\r\ntiscali.it\r\nroundcube\r\nhorde\r\nwebmail*.eu\r\nwebmail*.it\r\nTargeted cryptocurrency wallets\r\n*\\wallet.dat*\r\n*\\default_wallet*\r\nExample configuration from campaigns targeting Poland, Italy, Germany and Austria\r\nIndicators of Compromise (IoCs)\r\nServers used by DanaBot\r\nNote that “Active” stands for serving malicious content as of September 20, 2018.\r\nExample hashes\r\nNote that new builds of the main components are released every ~15 minutes, so hashes may not be the latest\r\navailable.\r\nComponent SHA1 Detection\r\nInfection vector in Europe 782ADCF9EF6E479DEB31FCBD37918C5F74CE3CAE VBS/TrojanDownloader.Agent.PYC\r\nInfection vector in Ukraine 79F1408BC9F1F2AB43FA633C9EA8EA00BA8D15E8 JS/TrojanDropper.Agent.NPQ\r\nDropper 70F9F030BA20E219CF0C92CAEC9CB56596F21D50 Win32/TrojanDropper.Danabot.I\r\nDownloader AB0182423DB78212194EE773D812A5F8523D9FFD Win32/TrojanDownloader.Danabot.I\r\nMain module (x86) EA3651668F5D14A2F5CECC0071CEB85AD775872C Win32/Spy.Danabot.F\r\nMain module (x64) 47DC9803B9F6D58CF06BDB49139C7CEE037655FE Win64/Spy.Danabot.C\r\nPlug-ins\r\nRDP C31B02882F5B8A9526496B06B66A5789EBD476BE Win32/Spy.Danabot.H\r\nStealer (x86) 3F893854EC2907AA45A48FEDD32EE92671C80E8D Win32/Spy.Danabot.C\r\nStealer (x64) B93455B1D7A8C57F68A83F893A4B12796B1E636C Win64/Spy.Danabot.E\r\nSniffer DBFD8553C66275694FC4B32F9DF16ADEA74145E6 Win32/Spy.Danabot.B\r\nVNC EBB1507138E28A451945CEE1D18AEDF96B5E1BB2 Win32/Spy.Danabot.D\r\nTOR 73A5B0BEE8C9FB4703A206608ED277A06AA1E384 Win32/Spy.Danabot.G\r\nSource: 
https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/"
	],
	"report_names": [
		"danabot-targeting-europe-adds-new-features"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1b72689db56b13d72d573d1d3f482387d9aec7e.pdf",
		"text": "https://archive.orkl.eu/e1b72689db56b13d72d573d1d3f482387d9aec7e.txt",
		"img": "https://archive.orkl.eu/e1b72689db56b13d72d573d1d3f482387d9aec7e.jpg"
	}
}