{
	"id": "4f16a4e8-1c47-4192-b4ed-ab55743ddea3",
	"created_at": "2026-04-06T00:06:36.105897Z",
	"updated_at": "2026-04-10T13:12:06.467068Z",
	"deleted_at": null,
	"sha1_hash": "ff5b99fdb1a1b0911d3e0cbb23cc7291631d8e63",
	"title": "DanaBot evolves beyond banking Trojan with new spam-sending capability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 370354,
	"plain_text": "DanaBot evolves beyond banking Trojan with new spam-sending\r\ncapability\r\nBy ESET Research\r\nArchived: 2026-04-05 14:02:17 UTC\r\nESET Research\r\nESET research shows that DanaBot operators have been expanding the malware’s scope and possibly cooperating\r\nwith another criminal group\r\n06 Dec 2018  •  , 5 min. read\r\nDanaBot appears to have outgrown the banking Trojan category. According to our research, its operators have\r\nrecently been experimenting with cunning email-address-harvesting and spam-sending features, capable of\r\nmisusing webmail accounts of existing victims for further malware distribution.\r\nBesides the new features, we found indicators that DanaBot operators have been cooperating with the criminals\r\nbehind GootKit, another advanced Trojan – behavior atypical of the otherwise independently operating groups.\r\nSending spam from victims’ mailboxes\r\nhttps://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/\r\nPage 1 of 7\n\nThe previously unreported features caught our attention when analyzing the webinjects used to target users of\r\nseveral Italian webmail services as part of DanaBot’s expansion in Europe in September 2018.\r\nAccording to our research, the JavaScript injected into the targeted webmail services’ pages can be broken down\r\ninto two main features:\r\n1. DanaBot harvests email addresses from existing victims’ mailboxes. This is achieved by injecting a\r\nmalicious script into each of the targeted webmail service’s webpages once a victim logs in, processing the\r\nvictim’s emails and sending all email addresses it finds to a C\u0026C server.\r\nFigure 1 – DanaBot harvesting email addresses\r\n2. 
If the targeted webmail service is based on the Open-Xchange suite – for example, the popular Italian\r\nwebmail service libero.it – DanaBot also injects a script that has the ability to use the victim’s mailbox to\r\ncovertly send spam to the harvested email addresses.\r\nThe malicious emails are sent as replies to actual emails found in the compromised mailboxes, making it seem as\r\nif the mailbox owners themselves are sending them. Further, malicious emails sent from accounts configured to\r\nsend signed messages will have valid digital signatures.\r\nInterestingly, it seems that attackers are particularly interested in email addresses containing the substring \"pec\",\r\nwhich is found in Italy-specific \"certified electronic mail\" addresses. This may indicate that DanaBot authors are\r\nfocused on targeting corporate and public administration emails that are the most likely to use this certification\r\nservice.\r\nThe emails include ZIP attachments, pre-downloaded from the attacker’s server, containing a decoy PDF file and a\r\nmalicious VBS file. 
Executing the VBS file leads to downloading further malware using a PowerShell command.\r\nFigure 2 – Code downloading malicious ZIP from C\u0026C server\r\nFigure 3 – Code creating an email and adding a malicious ZIP attachment\r\nFigure 4 – Example of a spam email with a malicious ZIP attachment from a recent Italy-targeted campaign\r\n(Sample source: VirusTotal)\r\nFigure 5 – Example of the ZIP attachment’s contents\r\nAt the time of writing, the malicious features described above are still limited to targeting Italy; the targeted\r\nservices are listed at the end of this blog post.\r\nLinks between DanaBot and GootKit\r\nHaving analyzed the malicious VBS file available on DanaBot’s C\u0026C server, we found that it points to a\r\ndownloader module for GootKit, an advanced and stealthy Trojan primarily used in banking fraud attacks. The\r\nmalicious VBS file seems to be generated automatically, and is different on each access.\r\nThis is the first time we have seen indicators of DanaBot distributing other malware. Until now, DanaBot has been\r\nbelieved to be operated by a single, closed group. The behavior is also new for GootKit, which has been described\r\nas a privately held tool, not sold on underground forums, and also operated by a closed group. 
Interestingly, we’ve\r\nrecently seen another instance of GootKit being distributed by other malware – namely by the notorious Emotet\r\nTrojan in its latest campaigns around Black Friday and Cyber Monday.\r\nApart from the presence of GootKit on servers used by DanaBot, we have found further links suggesting a\r\ncooperation between the operators of DanaBot and GootKit.\r\nFirst, ESET's telemetry was able to link GootKit activity to a C\u0026C server subnet and top-level domain (TLD) also\r\nused by DanaBot. DanaBot uses many IP addresses in the 176.119.1.0/24 subnet for C\u0026C and redirects (see IoCs).\r\nWhile DanaBot domain names change every few days, .co is their most common TLD (for example\r\negnacios[.]co, kimshome[.]co, etc.). The GootKit samples downloaded by the malicious payload on DanaBot’s\r\nC\u0026C had funetax[.]co and reltinks[.]co as their C\u0026Cs. Both resolved to 176.119.1.175 for some time.\r\nSecond, both DanaBot and GootKit domains usually share the same domain registrar for their .co domains,\r\nnamely Todaynic.com, Inc, and mostly share the same name server, dnspod.com.\r\nFinally, in the week starting Oct 29, 2018, ESET’s telemetry showed a significant decrease in the distribution of\r\nDanaBot in Poland; in the same week, there was a spike of activity of GootKit in Poland. During the spike,\r\nGootKit was spread using the same distribution method as DanaBot in its recent Polish campaigns.\r\nFigure 6 – DanaBot and GootKit activity in Poland between October 8 and November 8, 2018\r\nSimilarity with other malware families\r\nWhile analyzing DanaBot, we also noticed that part of DanaBot’s configuration has a structure we have previously\r\nseen in other malware families, for example Tinba or Zeus. 
This allows its developers to use similar webinject\r\nscripts or even reuse third-party scripts.\r\nInterestingly, some scripts are almost exactly the same as the scripts we have seen used by the BackSwap trojan,\r\nincluding naming conventions and the location of the script on a server.\r\nFigure 7 – Comparison of scripts used by BackSwap (left) and DanaBot (right). Differences are marked in orange\r\nConclusion\r\nOur research shows that DanaBot has a much broader scope than a typical banking Trojan, with its operators\r\nregularly adding new features, testing new distribution vectors, and possibly cooperating with other cybercriminal\r\ngangs.\r\nESET systems detect and block both DanaBot and GootKit.\r\nHashes and ESET detection names of DanaBot components and plug-ins can be found in our previous blogpost on\r\nDanaBot. Domains, IP addresses and hashes connected with the Italy-targeted campaign described in this blogpost\r\ncan be found in the IoCs section.\r\nThis research was carried out by Kaspars Osis, Tomáš Procházka and Michal Kolář.\r\nWebmail services targeted by email-address-harvesting feature\r\nAny service based on Roundcube\r\nAny service based on Horde\r\nAny service based on Open-Xchange\r\naruba.it\r\nbluewin.ch\r\nemail.it\r\ngmx.net\r\nlibero.it\r\nmail.yahoo.com\r\nmail.google.com\r\nmail.one.com\r\noutlook.live.com\r\ntecnocasa.it\r\ntim.it\r\ntiscali.it\r\nvianova.it\r\nWebmail services targeted by spam-sending feature\r\nAny service based on Open-Xchange\r\nIndicators of Compromise (IoCs)\r\nDomains used by the VBS file to download malware (GootKit at the time of writing)\r\nExample domains used by the GootKit downloader module\r\nActive DanaBot C\u0026C servers (as of December 6, 2018)\r\nExample VBS file from a spam email\r\nSHA-1 ESET detection name\r\nA05A71F11D84B75E8D33B06E9E1EBFE84FAE0C76 VBS/Kryptik.KY\r\nExample of downloaded GootKit\r\nSHA-1 ESET detection name\r\n0C2389B3E0A489C8E101FFD0E3E2F00E0C461B31 Win32/Kryptik.GNNS\r\nSource: https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/"
	],
	"report_names": [
		"danabot-evolves-beyond-banking-trojan-new-spam"
	],
	"threat_actors": [],
	"ts_created_at": 1775433996,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff5b99fdb1a1b0911d3e0cbb23cc7291631d8e63.pdf",
		"text": "https://archive.orkl.eu/ff5b99fdb1a1b0911d3e0cbb23cc7291631d8e63.txt",
		"img": "https://archive.orkl.eu/ff5b99fdb1a1b0911d3e0cbb23cc7291631d8e63.jpg"
	}
}