{
	"id": "e4256142-36a7-49d4-b3a0-d981230d082a",
	"created_at": "2026-04-06T00:18:35.567315Z",
	"updated_at": "2026-04-10T03:21:26.111434Z",
	"deleted_at": null,
	"sha1_hash": "f3ec3a60604a0961e88a5591a337f77b59d82594",
	"title": "DanaBot Activity | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 413319,
	"plain_text": "DanaBot Activity | ThreatLabz\r\nBy Dennis Schwarz\r\nPublished: 2021-11-05 · Archived: 2026-04-05 21:05:05 UTC\r\nKey Points\r\nTwo large software supply chain attacks distributed the DanaBot malware.\r\nDanaBot is a malware-as-a-service platform discovered in 2018 that focuses on credential theft and banking fraud.\r\nDanaBot’s popularity has waned in recent years, but these campaigns may signal a return of the malware and its affiliates to the threat landscape.\r\nIntroduction\r\nThe DanaBot malware had a spike in new activity recently, including being distributed via two large software supply chain attacks and being used in a Distributed Denial of Service (DDoS) attack on a Russian language electronics forum.\r\nDanaBot, first discovered by Proofpoint in May 2018, is a malware-as-a-service platform where threat actors, known as “affiliates” and identified by “affiliate IDs”, purchase access to the platform from another threat actor who develops the malware and command and control (C2) panel, sets up and maintains the shared C2 infrastructure, and provides sales and customer support. Affiliates then distribute and use the malware as they see fit--mostly to steal credentials and commit banking fraud.\r\nWhile it was a prominent banking malware for a number of years, and despite a new major update being spotted at the end of 2020 (as documented by Proofpoint, ESET, and LEXFO), DanaBot has been relatively quiet in the recent threat landscape.\r\nLarge Software Supply Chain Attack (October 22, 2021)\r\nAs reported by the Cybersecurity and Infrastructure Security Agency (CISA), GitHub, the developer, and others, the NPM JavaScript package for “UAParser.js” was compromised on Friday, October 22, 2021 and used to distribute a cryptocurrency miner and DanaBot.
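A sweep for the indicators on this page, as an added example that is not part of the Zscaler post and covers both the UAParser.js and the COA compromise: it restores the defanged distribution hosts and matches the affiliate ID 40 hashes, C2 endpoints and backup .onion name from the IOC table further down against log records and a file-hash inventory. Everything except the indicators themselves is an assumption made for the demo: the log format, the internal addresses, the file paths and the non-IOC digest in the inventory are constructed. It also handles two cases the table alone does not spell out: a known C2 address seen on a port other than the configured 443, and a .onion lookup that reached an ordinary resolver.

```python
# DanaBot affiliate ID 40 indicator sweep. Added example; the indicators are the
# ones in this page's IOC table, everything else (log format, internal hosts,
# file paths, the inventory digest that is not an IOC) is constructed for the demo.
import re

# Defanged hxxps and escaped-dot forms from the page restored so they match what a proxy logs.
PAYLOAD_HOSTS = {'citationsherbe.at', 'pastorcryptograph.at'}
ONION_C2 = {'bjij7tqwaipwbeig5ubq4xjb6fy7s3lknhkjojo4vdngmqm6namdczad.onion'}
C2_ENDPOINTS = {
    # October 22, 2021 (UAParser.js) configuration
    '185.158.250.216:443', '194.76.225.46:443', '45.11.180.153:443', '194.76.225.61:443',
    # November 4, 2021 (COA) configuration
    '185.117.90.36:443', '193.42.36.59:443', '193.56.146.53:443', '185.106.123.228:443',
}
C2_IPS = {endpoint.split(':')[0] for endpoint in C2_ENDPOINTS}
SHA256_IOCS = {
    '2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd': 'October 22 loader',
    '77ff83cc49d6c1b71c474a17eeaefad0f0a71df0a938190bf9a9a7e22531c292': 'October 22 main component',
    '26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf': 'November 4 loader',
    'e7c9951f26973c3915ffadced059e629390c2bb55b247e2a1a95effbd7d29204': 'November 4 main component',
}

# Token extractors. The negative lookarounds stop a 64-hex digest or an IP from
# matching inside a longer token (for example a digit run inside a hash).
HEX64 = re.compile('(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])')
IPPORT = re.compile('(?<![0-9.])([0-9]{1,3}(?:[.][0-9]{1,3}){3})(?::([0-9]{1,5}))?(?![0-9.])')
HOSTNAME = re.compile('(?<![a-z0-9.-])[a-z0-9-]+(?:[.][a-z0-9-]+)+')


def iter_iocs(line):
    '''Yield (kind, indicator, note) for each page indicator present in one log record.'''
    low = line.lower()
    for m in HEX64.finditer(low):
        if m.group(0) in SHA256_IOCS:
            yield ('sha256', m.group(0), SHA256_IOCS[m.group(0)])
    for m in IPPORT.finditer(low):
        ip, port = m.group(1), m.group(2)
        if ip not in C2_IPS:
            continue
        if port and ip + ':' + port in C2_ENDPOINTS:
            yield ('c2_endpoint', ip + ':' + port, 'configured C2')
        else:
            # Same C2 address but no port in the record, or a port other than the
            # configured one: still worth a look, with lower confidence.
            yield ('c2_ip', ip, 'C2 address, port missing or differs from the configured one')
    for m in HOSTNAME.finditer(low):
        host = m.group(0)
        if host in PAYLOAD_HOSTS:
            yield ('payload_host', host, 'sdd.dll distribution host')
        elif host in ONION_C2:
            # A .onion name reaching an ordinary resolver means the Tor fallback
            # was attempted without Tor; the query itself is the signal.
            yield ('onion_c2', host, 'backup TOR C2 looked up on clearnet DNS')


def sweep_logs(text):
    '''Return a list of findings, one dict per indicator hit, over multi-line log text.'''
    findings = []
    for number, line in enumerate(text.strip().splitlines(), 1):
        for kind, indicator, note in iter_iocs(line):
            findings.append({'line': number, 'kind': kind, 'indicator': indicator, 'note': note})
    return findings


def check_hashes(inventory):
    '''Match a {path: sha256} inventory against the page hashes; digest case is normalised.'''
    hits = []
    for path, digest in inventory.items():
        label = SHA256_IOCS.get(digest.strip().lower())
        if label:
            hits.append((path, label))
    return hits


# Constructed sample records (proxy, DNS and firewall styles mixed, as a SIEM export might be).
SAMPLE_LOG = '''
2021-10-22T18:02:11Z 10.1.4.23 GET https://citationsherbe.at/sdd.dll 200 sha256=2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
2021-10-22T18:02:40Z 10.1.4.23 CONNECT 185.158.250.216:443 tls
2021-10-22T18:03:05Z 10.1.4.23 CONNECT 194.76.225.61:8443 tls
2021-10-22T18:05:00Z 10.1.7.9 GET https://registry.npmjs.org/ua-parser-js 200
2021-11-04T15:11:48Z 10.1.9.2 CONNECT 193.42.36.59:443 tls
2021-11-04T15:12:01Z 10.1.9.2 DNS bjij7tqwaipwbeig5ubq4xjb6fy7s3lknhkjojo4vdngmqm6namdczad.onion NXDOMAIN
2021-11-04T15:13:30Z fw deny 10.1.9.2 -> 185.106.123.228 proto=tcp
'''

# Constructed file inventory; the second digest is uppercase to show normalisation,
# the third is the SHA-256 of an empty file and stands in for a benign binary.
SAMPLE_INVENTORY = {
    'C:/Users/dev/AppData/Local/Temp/sdd.dll': '2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd',
    'C:/Users/build/AppData/Local/Temp/sdd.dll': '26451F7F6FE297ADF6738295B1DCC70F7678434EF21D8B6AAD5EC00BEB8A72CF',
    'C:/Program Files/nodejs/node.exe': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
}

if __name__ == '__main__':
    for f in sweep_logs(SAMPLE_LOG):
        print(f['line'], f['kind'], f['indicator'], f['note'])
    for path, label in check_hashes(SAMPLE_INVENTORY):
        print('HASH HIT', path, label)
```

Run it as a script to print the findings for the constructed records; feed a real SIEM export into sweep_logs and a sha256sum-style listing into check_hashes. Triage c2_endpoint and sha256 hits first; c2_ip hits only say that a listed address was contacted, not that the configured port was used.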
UAParser.js is a “JavaScript library to detect Browser, Engine, OS, CPU, and Device type/model from User-Agent data with relatively small footprint.” Based on its NPM stats, it has 7 million weekly downloads.\r\nThe DanaBot malware was downloaded from:\r\nhxxps://citationsherbe\\.at/sdd.dll\r\nThe packed/crypted loader component has a SHA-256 hash of:\r\n2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd\r\nhttps://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity\r\nPage 1 of 7\n\nThe loader downloads a main component which has a SHA-256 hash of:\r\n77ff83cc49d6c1b71c474a17eeaefad0f0a71df0a938190bf9a9a7e22531c292\r\nThe main component carried the following configuration:\r\nFigure 1: DanaBot malware configuration used in supply chain attack\r\nThe malware was also configured with a backup TOR C2:\r\nbjij7tqwaipwbeig5ubq4xjb6fy7s3lknhkjojo4vdngmqm6namdczad\\.onion\r\nAs highlighted in Figure 1 above, the affiliate ID for this sample was 40. Based on Zscaler ThreatLabz tracking, this is a new affiliate in the DanaBot ecosystem. At the time of the incident, the affiliate had only configured the malware’s credential stealing component to be active--the person-in-the-browser and webinject bank fraud component was not activated.\r\nWhile the post-infection intentions of the threat actor aren’t known, given the focus on credentials, the size of the attack, and a crimeware landscape dominated by initial access brokers selling access to ransomware affiliates, a hand-off of the stolen access to ransomware operators can’t be ruled out.\r\nSecond Large Software Supply Chain Attack (November 4, 2021)\r\nAs reported by Twitter, GitHub, and others, another NPM package was compromised and used to distribute DanaBot. The package is called “COA” and it “is a parser for command line options that aim to get maximum profit from formalization your program API”. 
Based on NPM stats, it had almost 9 million weekly downloads.\r\nThe attack took place on Thursday, November 4, 2021 and was carried out by the same DanaBot affiliate ID 40 threat actor as in the October 22, 2021 attack on “UAParser.js”.\r\nThe DanaBot loader component used in this campaign was distributed from:\r\nhxxps://pastorcryptograph\\.at/3/sdd.dll\r\nIt has a SHA-256 hash of:\r\n26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf\r\nand was used to download a DanaBot main component with the SHA-256 hash of:\r\ne7c9951f26973c3915ffadced059e629390c2bb55b247e2a1a95effbd7d29204\r\nSimilar to the first incident, the threat actor had only configured the malware’s credential stealing component to be active.\r\nDDoS Attack on Russian Language Electronics Forum\r\nDanaBot affiliate ID 4 was also active last week. While this affiliate isn’t new, there hasn’t been a change to their component configurations for some time. On Wednesday, October 20, 2021, the affiliate configured its DanaBot victims to download and execute a new executable with a SHA-256 hash of:\r\n8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce\r\nThe downloaded executable is written in the Delphi programming language and its only functionality is to implement a bare-bones HTTP-based DDoS attack on a hardcoded IP address and host. The template used to generate the HTTP requests is shown in Figure 2:\r\nFigure 2: HTTP request template used in DDoS attack\r\nAs highlighted in the “Host” header in Figure 2 above, the attack targets a Russian language forum focused on the discussion of electronics. 
The “User-Agent” header, hardcoded target, and simple functionality seem to imply that the payload was designed to settle a personal grudge rather than indicating a larger change in the threat actor’s tactics, techniques, and procedures (TTPs).\r\nConclusion\r\nWhile the popularity and activity of DanaBot have declined in recent years, the UAParser.js and COA software supply chain attacks show that the malware is still an active threat. It is currently unclear whether these attacks were a one-off opportunity for a threat actor or whether this and other activity signal the return of DanaBot and its affiliates.\r\nCloud Sandbox Detection\r\nMITRE ATT&CK TTP Mapping\r\nID Technique\r\nT1586 Compromise Accounts\r\nT1195 Supply Chain Compromise\r\nT1204 User Execution\r\nT1555 Credentials from Password Stores\r\nT1003 OS Credential Dumping\r\nT1539 Steal Web Session Cookie\r\nT1115 Clipboard Data\r\nT1573 Encrypted Channel\r\nT1008 Fallback Channels\r\nT1041 Exfiltration Over C2 Channel\r\nIndicators of Compromise\r\nIOC Notes\r\nhxxps://citationsherbe\\.at/sdd.dll October 22, 2021 affiliate ID 40 distribution URL\r\n2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd October 22, 2021 affiliate ID 40 loader component\r\n77ff83cc49d6c1b71c474a17eeaefad0f0a71df0a938190bf9a9a7e22531c292 October 22, 2021 affiliate ID 40 main component\r\n185.158.250.216:443 October 22, 2021 affiliate ID 40 configured C2\r\n194.76.225.46:443 October 22, 2021 affiliate ID 40 configured C2\r\n45.11.180.153:443 October 22, 2021 affiliate ID 40 configured C2\r\n194.76.225.61:443 October 22, 2021 affiliate ID 40 configured 
C2\r\nbjij7tqwaipwbeig5ubq4xjb6fy7s3lknhkjojo4vdngmqm6namdczad\\.onion October 22, 2021 affiliate ID 40 configured backup C2\r\nhxxps://pastorcryptograph\\.at/3/sdd.dll November 4, 2021 affiliate ID 40 distribution URL\r\n26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf November 4, 2021 affiliate ID 40 loader component\r\ne7c9951f26973c3915ffadced059e629390c2bb55b247e2a1a95effbd7d29204 November 4, 2021 affiliate ID 40 main component\r\n185.117.90.36:443 November 4, 2021 affiliate ID 40 configured C2\r\n193.42.36.59:443 November 4, 2021 affiliate ID 40 configured C2\r\n193.56.146.53:443 November 4, 2021 affiliate ID 40 configured C2\r\n185.106.123.228:443 November 4, 2021 affiliate ID 40 configured C2\r\nf4d12a885f3f53e63ac1a34cc563db0efb6d2d1d570317f7c63f0e6b5bf260b2 Recent affiliate ID 4 loader component\r\nad0ccba36cef1de383182f866478abcd8b91f8e060d03e170987431974dc861e Recent affiliate ID 4 main component\r\n192.119.110.73:443 Affiliate ID 4 configured C2\r\n192.236.147.159:443 Affiliate ID 4 configured C2\r\n192.210.222.88:443 Affiliate ID 4 configured C2\r\ngcwr4vcf72vpcrgevcziwb7axooa3n47l57dsiwxvzvcdlt7exsvk5yd.onion Affiliate ID 4 configured backup C2\r\nSource: https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity"
	],
	"report_names": [
		"spike-danabot-malware-activity"
	],
	"threat_actors": [],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3ec3a60604a0961e88a5591a337f77b59d82594.pdf",
		"text": "https://archive.orkl.eu/f3ec3a60604a0961e88a5591a337f77b59d82594.txt",
		"img": "https://archive.orkl.eu/f3ec3a60604a0961e88a5591a337f77b59d82594.jpg"
	}
}