Note: This research was conducted and is presented as a collaboration between Black Lotus Labs, Team Cymru, and other partners. We stand by the assessments in the combined analysis presented in this research.
Executive Summary
DanaBot first emerged in 2018 as a banking trojan but has since evolved into a versatile and persistent threat. While it initially focused on financial credential theft, it is now used for a wide range of purposes, including information stealing and establishing access for follow-on activity such as ransomware. Despite years of activity, DanaBot remained highly operational through 2025, until it was dealt a critical blow as part of Operation Endgame II.
DanaBot maintained an average of 150 active C2 servers per day, with roughly 1,000 daily victims across more than 40 countries. By C2 count, this was one of the largest "malware-as-a-service" platforms active in 2025, while the botnet itself was comparatively modest in terms of daily victims. Of those victims, Mexico and the United States consistently ranked among the most impacted. Its success can be partly attributed to its stealth: as of this writing, only 25 percent of its C2 servers had a VirusTotal detection score greater than zero, suggesting that a significant portion of its infrastructure remained undetected. This is likely due to selecting fewer targets than other loaders of its type, as well as cycling operations around high-profile events.
DanaBot operated with a multi-tiered architecture that Black Lotus Labs and Team Cymru assess to be separated among various customers or "affiliates" who have purchased access to the malware. Depending on the affiliate and their level of access, they were assigned a dedicated "Tier 2" server or shared one with others. At any given time, at least five to six Tier 2 servers were active.
During Operation Endgame, Black Lotus Labs and Team Cymru supported the broader effort to disrupt DanaBot, working closely with industry peers and law enforcement. The latest takedown dealt a serious blow and showed how collaboration across the security community can lead to real progress against threat actors.
Introduction
First reported by Proofpoint in 2018, DanaBot has evolved into a highly successful infostealer and malware delivery platform. It has been observed delivering other threats such as Latrodectus, which is often linked to ransomware operations. While we will not delve into DanaBot's malware functionality in this post, we encourage readers to explore the many excellent writeups available on that subject.
During and since Operation Endgame 1, Black Lotus Labs and Team Cymru have been collaborating behind the scenes, working closely with industry peers and law enforcement. Both of our organizations specialize in tracking threat actor infrastructure across the Internet. By combining our efforts, and those of several contributing teams, we strongly believe we have a far greater impact than if we had acted alone.
Over the past few years, the cybercrime landscape has evolved, with a general decline in "noisy" delivery campaigns and overt mechanisms. While several high-profile threats have been disrupted (or have simply faded away), others have opportunistically emerged to fill the void. Today, threat actors are diversifying their tactics, spreading their efforts across a wider array of malware families and delivery methods. The rise of the "initial access broker" model has further professionalized this phase of the attack lifecycle. One malware family that has endured through these changes and continues to challenge defenders is DanaBot.
Black Lotus Labs and Team Cymru will focus on DanaBot's infrastructure, providing a view into its scale and structure based on insights gained through our collaboration during Operation Endgame II.
Global Telemetry Analysis
DanaBot consists of a diverse multi-tiered architecture with roughly 150 or more active C2 servers at any given time. Through periods of greater or lesser activity, both the upstream and backend IPs have remained largely static since June 2024.
A layered communications infrastructure sits between a victim and the botnet controllers: traffic is proxied through typically two or three tiers of C2s before it reaches the final tier, which consists of the panel that the threat actors operate from. Emotet, IcedID, and Qakbot are just a few examples of other malware families that have also leveraged this setup to obfuscate their C2s.
Figure 1: High-level diagram of multi-tiered C2 architecture. (source: Team Cymru).
When a victim is infected with DanaBot malware, they begin to communicate with one or more Tier 1 (T1) C2s over TCP/443. We suspect that, depending on the affiliate and how they subscribe to the service, these T1 C2s are managed by one of several Tier 2 (T2) C2s. These T2 C2s generally have their own individual upstream Tier 3 (T3) C2s, obfuscating the infrastructure even further. The T3 C2s then communicate with what we expect is a likely backup server, as well as with infrastructure that ties directly back to our suspected DanaBot actors. We will dig into this more later.
At any time since we began tracking in late 2024, a quarter to a third of all active T1 C2s in DanaBot's architecture were located in one single cloud service provider, and communicated with one of two T2 servers and their T3s while remaining within that provider. The remaining T1 C2s were typically found communicating with one of three T2s, which then connected to their respective T3 servers. We suspect that, between the "Cloud" architecture and the non-"Cloud" architecture, there is a mix of specific large affiliates having their own private T2 and some smaller affiliates sharing T2s.
Below is an outline of the entire architecture we uncovered for the DanaBot pipeline and management infrastructure; we will separately address each "section" in more detail with larger maps.
Figure 2: Overview of DanaBot pipeline and management infrastructure. (source: Team Cymru).
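The tiering described above (bots to T1 on TCP/443, T1 to T2, T2 to T3, T3 to a backup host) is something a defender can reconstruct from flow telemetry by starting from a published T1 IoC list and walking upstream. The following is an added example written for this article, not code from Black Lotus Labs or Team Cymru. The flow records and every address in it are constructed (RFC 5737 documentation ranges) and the seed T1 set is hypothetical; the ports mirror the ones reported later in this post.

```python
"""Added example: reconstructing a multi-tier C2 hierarchy from flow records.

Constructed input, not the report's telemetry. Addresses are RFC 5737
documentation ranges; the flows are made up to mirror the tiering the report
describes: victims -> T1 on TCP/443, T1 -> T2 on TCP/443, T2 -> T3 on TCP/443
or TCP/15643, T3 -> backup host on TCP/2048.
"""
from collections import defaultdict

# (src_ip, dst_ip, dst_port, bytes) -- constructed sample flows
FLOWS = [
    ("192.0.2.10", "198.51.100.1", 443, 12000),      # victims -> T1
    ("192.0.2.11", "198.51.100.1", 443, 9500),
    ("192.0.2.12", "198.51.100.1", 443, 8000),
    ("192.0.2.13", "198.51.100.2", 443, 7100),
    ("192.0.2.14", "198.51.100.3", 443, 6400),
    ("198.51.100.1", "203.0.113.5", 443, 40000),     # T1 -> T2
    ("198.51.100.2", "203.0.113.5", 443, 15000),
    ("198.51.100.3", "203.0.113.6", 443, 11000),
    ("198.51.100.3", "203.0.113.5", 443, 2000),      # the one T1 shared by two T2s
    ("203.0.113.5", "203.0.113.50", 15643, 90000),   # T2 -> T3
    ("203.0.113.6", "203.0.113.51", 443, 60000),
    ("203.0.113.50", "203.0.113.99", 2048, 5000000), # T3 -> backup host
    ("203.0.113.51", "203.0.113.99", 2048, 4800000),
]

# Seed: T1 C2s already known from an IoC list (hypothetical values).
SEED_T1 = {"198.51.100.1", "198.51.100.2", "198.51.100.3"}


def infer_tiers(flows, seed_t1, max_tier=6):
    """Walk upstream from known T1s: every destination a tier-n host talks to
    that is not yet assigned becomes tier n+1. Returns {tier: set(ips)}."""
    tiers = {1: set(seed_t1)}
    assigned = set(seed_t1)
    n = 1
    while n < max_tier:
        nxt = {dst for src, dst, _, _ in flows if src in tiers[n] and dst not in assigned}
        if not nxt:
            break
        n += 1
        tiers[n] = nxt
        assigned |= nxt
    return tiers


def victims_per_t1(flows, tiers):
    """Distinct non-C2 sources talking to each T1, i.e. bot population per C2."""
    c2_hosts = set().union(*tiers.values())
    seen = defaultdict(set)
    for src, dst, _, _ in flows:
        if dst in tiers[1] and src not in c2_hosts:
            seen[dst].add(src)
    return {ip: len(srcs) for ip, srcs in seen.items()}


def inter_tier_ports(flows, tiers):
    """Destination ports used on each upstream hop, keyed by (tier, tier+1)."""
    tier_of = {ip: t for t, ips in tiers.items() for ip in ips}
    ports = defaultdict(set)
    for src, dst, port, _ in flows:
        ts, td = tier_of.get(src), tier_of.get(dst)
        if ts is not None and td == ts + 1:
            ports[(ts, td)].add(port)
    return dict(ports)


def shared_t1s(flows, tiers):
    """T1s that talk to more than one T2 (the report saw exactly one such case)."""
    upstream = defaultdict(set)
    for src, dst, _, _ in flows:
        if src in tiers[1] and dst in tiers.get(2, set()):
            upstream[src].add(dst)
    return sorted(ip for ip, ups in upstream.items() if len(ups) > 1)


if __name__ == "__main__":
    tiers = infer_tiers(FLOWS, SEED_T1)
    for t in sorted(tiers):
        print(f"Tier {t}: {sorted(tiers[t])}")
    print("victims per T1:", victims_per_t1(FLOWS, tiers))
    print("hop ports:", inter_tier_ports(FLOWS, tiers))
    print("T1s with more than one T2:", shared_t1s(FLOWS, tiers))
```

Two caveats a practitioner should keep in mind when applying this to real flow data: the upstream walk assumes a host only ever sits in one tier, so a T2 that also accepts bot traffic directly would be mis-ranked, and the victim count is a lower bound because, as noted below, some bots reach their C2 through Tor and never appear as a direct source.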
Bots and Tier 1 C2s
DanaBot maintained a daily average of over 150 active T1 C2s throughout our study. What becomes interesting is where we see peaks and troughs. We noticed a surge of almost 50 C2s leading up to the November 2024 election in the US, followed by a lull in activity before ramping up to all-time highs during the December 2024 holidays. This pattern suggests the DanaBot actors may use newsworthy events to their advantage, luring more victims to download malicious software, open a phishing email, and more.
Figure 3: Total number of DanaBot C2s over time
We also observed that the actor(s) who use the "Cloud" C2s seem to take the greater part of their architecture offline for extended periods. Throughout April 2025, we tracked most of the "Cloud" architecture as it went dark, only to have both the T1s and one of the T2s reappear toward the end of April into May. The other T2 remained active during this period, though it had far fewer C2s communicating with it, and those connections occurred infrequently. We suspect this atypical period was either the actor taking a break from DanaBot activities, or that they were updating their servers during this time.
Black Lotus Labs and Team Cymru have seen close to 400 distinct IPs acting as DanaBot C2s so far in 2025, still a considerable number given the December 2024 peak of 230. Regardless of the numbers, their C2s are well distributed across many different countries and maintain a robust lifecycle.
Figure 4: DanaBot C2 distribution across 2025, where dark blue represents more C2s
We have observed that the average C2 is active for over one month, and close to 25% stay engaged for over two months. Normally this would not be a successful operating model, as it would allow network defenders to discover and easily block these IPs, yet DanaBot has somehow remained stealthy. For the C2s that were active in the last month, only 25% of the IP indicators of compromise have a score greater than 0 in VirusTotal. Of greater concern, 65% had a score of 0 and no associated malicious files, meaning actors who are using these DanaBot C2s are remaining very quiet and likely performing more targeted attacks.
When we investigated the bot population, Black Lotus Labs and Team Cymru found victims in over 40 countries, with Brazil, Mexico, and the US having the most.
Figure 5: DanaBot victim breakdown by country, where dark blue represents more victims
On the low end we see around 1,000 victims per week, ranging as high as 3,000 victims, all in residential IP space. It is important to note that DanaBot has the functionality to transit victim data through Tor instead of using a direct connection between the victim and the C2, so the true bot population is likely larger than what we can see. Beyond just residential victims, we have seen several higher value targets infected, including law firms and universities, among others.
It appears the actors who purchase DanaBot likely use it for different purposes. A handful of C2s control the vast majority of the bot population, while most of the C2s have relatively small numbers of victims; this likely indicates some actors are using DanaBot for scale and others have specific victims they are trying to infect. A second reason for the difference in the number of victims infected by some C2s we observe is probably related to the aforementioned use of Tor. Just under half of the C2s we observe appear to route at least some portion of their victim populations via this method, making victim enumeration more complicated.
Although the DanaBot C2s are active for extended periods of time, 50% of the infected victims only communicate with the DanaBot C2 for a single day, and 75% of infections last less than three days. This leads us to believe that, in general, actors who are using DanaBot quickly get the information they need from the infected victims and move quickly to downstream activities. Beyond information stealing and banking fraud, actors likely use DanaBot as a precursor to download other malware such as Latrodectus, or to pass off access to a ransomware group.
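The two statistics used above, C2 lifetime (average over a month, a quarter beyond two months) and victim dwell time (half gone after one day, three quarters within three days), come from the same calculation over first-seen and last-seen dates. The block below is an added example written for this article, not code from the research teams; the sightings are constructed so that the ratios come out at the figures quoted in the text, and the addresses are RFC 5737 documentation ranges.

```python
"""Added example: lifetime and dwell-time statistics from daily sightings.

Constructed input, not the report's telemetry. Each sighting is (entity, date)
for one day on which the entity was observed; the same code serves C2
lifetimes and victim-to-C2 communication windows. Addresses are RFC 5737
documentation ranges.
"""
from datetime import date, timedelta


def daily(entity, start, end):
    """Expand an inclusive date range into one (entity, day) sighting per day."""
    d = start
    while d <= end:
        yield (entity, d)
        d += timedelta(days=1)


# Constructed C2 sightings: four C2s with different lifetimes.
C2_SIGHTINGS = [
    *daily("198.51.100.1", date(2025, 1, 1), date(2025, 3, 15)),   # 74 days
    *daily("198.51.100.2", date(2025, 1, 10), date(2025, 2, 20)),  # 42 days
    *daily("198.51.100.3", date(2025, 2, 1), date(2025, 2, 28)),   # 28 days
    *daily("198.51.100.4", date(2025, 3, 1), date(2025, 3, 20)),   # 20 days
]

# Constructed victim sightings against one C2: most bots go quiet fast.
VICTIM_SIGHTINGS = [
    ("192.0.2.10", date(2025, 2, 3)),                                # 1 day
    ("192.0.2.11", date(2025, 2, 3)),                                # 1 day
    *daily("192.0.2.12", date(2025, 2, 3), date(2025, 2, 4)),        # 2 days
    *daily("192.0.2.13", date(2025, 2, 3), date(2025, 2, 10)),       # 8 days
]


def active_spans(sightings):
    """Days from first to last sighting, inclusive, per entity.

    Gaps inside the window still count as active, which is how a defender
    should treat an IP that keeps coming back after a quiet stretch."""
    first, last = {}, {}
    for ent, day in sightings:
        first[ent] = min(first.get(ent, day), day)
        last[ent] = max(last.get(ent, day), day)
    return {ent: (last[ent] - first[ent]).days + 1 for ent in first}


def mean_days(spans):
    """Average span in days across all entities."""
    return sum(spans.values()) / len(spans)


def share(spans, predicate):
    """Fraction of entities whose span satisfies predicate."""
    return sum(1 for d in spans.values() if predicate(d)) / len(spans)


if __name__ == "__main__":
    c2 = active_spans(C2_SIGHTINGS)
    print(f"mean C2 lifetime: {mean_days(c2):.1f} days")
    print(f"C2s active more than 60 days: {share(c2, lambda d: d > 60):.0%}")
    v = active_spans(VICTIM_SIGHTINGS)
    print(f"victims seen on a single day: {share(v, lambda d: d == 1):.0%}")
    print(f"infections shorter than 3 days: {share(v, lambda d: d < 3):.0%}")
```

The practical consequence of the two numbers is the one the text draws: a C2 IP stays worth blocking for weeks after its first sighting, but a bot that has already been quiet for a day has most likely finished its job, so the follow-on activity (payload delivery, credential reuse, access hand-off) is where detection effort should go.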
Tier 2 C2s
Black Lotus Labs and Team Cymru tracked the daily average of 150 T1 C2s up to a select few T2 C2s. Apart from one instance, T1s only talk to one T2, typically over TCP/443. We believe this is due to the infrastructure being siloed based on actor and subscription packages.
A pair of potential T2s were of interest because they did not fall into any specific pocket of activity. One T2 server, 185.135.80.xxx, was located in Russia and only interacted with two known Russian T1 C2s, each with very small victim volumes. This communication occurred over TCP/23213, rather than the typical TCP/443 used by the other clusters. We suspect this was the actors' personal siloed architecture, which they used with their own malware, and it aligns with the hosting they typically maintain for backend administration. However, it became inactive at the end of March 2025.
Another host, 45.8.147.xxx, appeared to function as a T2 based on its upstream communication with both the retired and current T3 for one of the "Cloud" clusters, although no activity with T1 C2s was observed. We were not able to confirm its exact purpose, but one theory is that it may be related to testing.
Figure 6: DanaBot C2-to-Tier 2 infrastructure with associated port usage. (source: Team Cymru).
Tier 3 and Above
We identified most of the upstream T3s that each T2 communicated with, all of which were Russian IPs. The T2-to-T3 communication for one of the two "Cloud" clusters was over TCP/15643, while the non-"Cloud" clusters communicated over TCP/443.
The T3s we could not identify were those upstream of the other "Cloud" cluster and of one T2 suspected to belong to the core DanaBot group or developer. An additional T2 was involved in the only observed instance of a T1 being shared with a second T2, and that second T2 showed significantly higher activity. This may indicate that the cluster used two T2s, with one acting as a backup, both connected to the same T3.
At least two of the identified T3s were observed sending large volumes of data to the same server (185.175.158.xxx) on a monthly basis over TCP/2048, typically around the same time. This behavior pattern is commonly associated with backup server activity. Given that no additional upstream infrastructure was identified and all identified T3s were located in Russia, it is likely that the T3s represented the final tier and hosted the panels for each DanaBot cluster.
Figure 7: DanaBot Tier 2-to-Tier 3 infrastructure with associated port usage. (source: Team Cymru).
Management Infrastructure
The management infrastructure located in Russia was observed connecting over RDP and VNC to what appeared to be the backup server, as well as to both the current and retired T3s associated with one of the "Cloud" clusters. It likely interacted with other T3s as well, but visibility into connections between various Russian providers is limited.
This activity originated from two ADMAN-AS, RU servers that appeared to function as "jumpboxes" used for backend administration. A jumpbox in this context served as a relay point for operators, enabling access to internal infrastructure and external services without connecting directly from their own systems. Notably, one of these servers, 185.175.158.xxx, connected to the other, 185.133.40.xxx, over OpenVPN and VNC.
In addition to communicating with the backup server and some of the T3s, both jumpboxes interacted with other suspected DanaBot-related infrastructure. 185.175.158.xxx connected to two additional ADMAN-AS, RU servers: one over SSH and VNC, and the other over TCP/8080. The purpose of these two hosts could not be determined from the available data.
185.133.40.xxx connected to three other jumpboxes that were used for external activities commonly associated with threat actor infrastructure, including cryptocurrency services and the use of popular instant messaging services for group chats. Jumpboxes were observed connecting over RDP to a host that interacted with DanaBot C2s. During the same time period, a host used for SmartApeSG backend administration was also seen connecting over RDP to that same host. This overlap was notable, suggesting a single operator may have been involved in both efforts and that the same group was managing multiple operations. However, it was the only strong link observed and not enough to draw a firm conclusion.
At least three separate operators were determined to have connected to both backend jumpboxes over OpenVPN. One IP based in Novosibirsk, Russia, connected to the jumpboxes from at least June 2024 until recently. Even during periods of inactivity across other parts of the infrastructure, this IP continued to connect regularly.
At the end of February, another IP from the same provider and location (5.128.88.xxx) also began connecting to the jumpboxes, with some overlap in timing. This may have represented a separate operator or the same individual using a different IP.
The two other operators used proxies and connected far less frequently. One consistently used a proxy in the 5.44.168.0/24 range belonging to SIBSET-NSK-AS, RU, changing IP addresses only every few months. This operator connected regularly, though far less often than the one previously described. The remaining operator was the least active, and always used IP space from ROSTELECOM-AS, RU, changing addresses after each burst of activity. These bursts typically occurred every few weeks and lasted only a day or two.
Figure 8: DanaBot backend infrastructure with associated port usage. (source: Team Cymru).
Conclusion
It is clear that since emerging in 2018, DanaBot has continued to evolve and persist where many other malware families have not. The operators have shown their dedication to their craft, adapted to detection and to changes in enterprise defense, and, in later iterations, insulated the C2s in tiers to obfuscate tracking. Throughout this time, they have made the bot more user-friendly with structured pricing and customer support. Black Lotus Labs and Team Cymru, alongside others in the security community, contributed insight into its layered infrastructure through close collaboration with each other and with law enforcement. Operation Endgame is the most thorough and direct action taken against the botnet to date, and our hope is to show that continued attention by the security community, together with collaborative efforts such as these, can have an impact in the fight against cybercrime.
Please find a list of C2s in our GitHub. We encourage the community to monitor and alert on these and any related IoCs. Because DanaBot's malware was used by such an array of criminal interests, including ransomware groups, we advise Lumen customers to bolster defenses against phishing as an initial access vector by thoroughly monitoring network resources, ensuring proper patch management, and conducting ongoing phishing and social engineering training for employees. We also advise the following:
Corporate Network Defenders:
- Continue to look for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses, which bypass geofencing and ASN-based blocking.
- Protect cloud assets from communicating with bots that are attempting to perform password spraying attacks, and begin blocking IoCs with Web Application Firewalls.
- Leverage sophisticated network perimeter countermeasures like Lumen Defender, which are updated continuously to proactively stop traffic from malicious points from interacting with corporate networks.
Analysis of the DanaBot network was performed by Team Cymru's Rachelle Goddin and Black Lotus Labs' Chris Formosa. Technical editing by Ryan English and Josh Hopkins.
If you would like to collaborate on similar research, please contact us on LinkedIn or X @BlackLotusLabs.
This information is provided "as is" without any warranty or condition of any kind, either express or implied. Use of this information is at the end user's own risk.