Cyber Web Spider Blog – News
U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

Posted on May 23, 2025 by CWS

The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization.
The malware, the DoJ said, infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large.
Stepanov has been charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin has been charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer.
The unsealed criminal complaint and indictment show that many of the defendants, including Kalinkin, exposed their real-life identities after accidentally infecting their own systems with the malware.
"In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware," the complaint [PDF] read. "In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake."

"The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on the DanaBot servers, including data that helped identify members of the DanaBot group."
If convicted, Kalinkin is expected to face a statutory maximum sentence of 72 years in federal prison. Stepanov would face a prison term of five years. Concurrent with the action, the law enforcement effort, carried out as part of Operation Endgame, saw DanaBot's command-and-control (C2) servers seized, including dozens of virtual servers hosted in the United States.
"DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks," the DoJ said. "Victim computers infected with DanaBot malware became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected computers in a coordinated manner."
DanaBot, like the recently dismantled Lumma Stealer malware, operates under a malware-as-a-service (MaaS) scheme, with the administrators leasing out access for anywhere from $500 to "several thousand dollars" a month. Tracked under the monikers Scully Spider and Storm-1044, it is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that is capable of acting as a stealer and a delivery vector for next-stage payloads, such as ransomware.
The Delphi-based modular malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information, user browsing histories, stored account credentials, and virtual currency wallet information. It can also provide full remote access, log keystrokes, and capture videos. It has been active in the wild since its debut in May 2018, when it started off as a banking trojan.
Example of typical DanaBot infrastructure
"DanaBot initially targeted victims in Ukraine, Poland, Italy, Germany, Austria, and Australia prior to expanding its targeting posture to include U.S.- and Canada-based financial institutions in October 2018," CrowdStrike said. "The malware's popularity grew due to its early modular development supporting Zeus-based web injects, information stealer capabilities, keystroke logging, screen recording, and hidden virtual network computing (HVNC) functionality."
According to Black Lotus Labs and Team Cymru, DanaBot employs a layered communications infrastructure between a victim and the botnet controllers, wherein the C2 traffic is proxied through two or three server tiers before it reaches the final level. At least five to six tier-2 servers were active at any given time. A majority of DanaBot victims are concentrated around Brazil, Mexico, and the United States.
"The operators have shown their dedication to their craft, adapted to detection and changes in enterprise defense, and with later iterations, insulating the C2s in tiers to obfuscate tracking," the companies said. "Throughout this time, they've made the bot more user-friendly with structured pricing and customer support."
High-level diagram of multi-tiered C2 architecture
The DoJ said DanaBot administrators operated a second version of the botnet that was specifically designed to target victim computers in military, diplomatic, government, and related entities in North America and Europe. This variant, emerging in January 2021, came fitted with capabilities to record all interactions occurring on a victim device and send the data to a different server.
"Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses," said United States Attorney Bill Essayli for the Central District of California.
The DoJ further credited several private sector companies, Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler, for providing "valuable assistance."
Some of the noteworthy aspects of DanaBot, compiled from various reports, are below –

  • DanaBot's sub-botnet 5 received commands to download a Delphi-based executable leveraged to conduct HTTP-based distributed denial-of-service (DDoS) attacks against the Ukrainian Ministry of Defence (MOD) webmail server and the National Security and Defense Council (NSDC) of Ukraine in March 2022, shortly after Russia's invasion of the country
  • Two DanaBot sub-botnets, 24 and 25, were specifically used for espionage purposes, likely with an aim to further intelligence-gathering activities on behalf of Russian government interests
  • DanaBot operators have periodically restructured their offering since 2022 to focus on defense evasion, with at least 85 distinct build numbers identified to date (the latest version is 4006, which was compiled in March 2025)
  • The malware's infrastructure consists of several components: a "bot" that infects target systems and performs data collection, an "OnlineServer" that manages the RAT functionalities, a "client" for processing collected logs and bot administration, and a "server" that handles bot generation, packing, and C2 communication
  • DanaBot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe
  • The authors of DanaBot operate as a single group, offering the malware for rent to affiliates, who then use it for their own malicious purposes by setting up and managing their own botnets on private servers
  • DanaBot's developers have partnered with the authors of several malware cryptors and loaders, such as Matanbuchus, and offered special pricing for distribution bundles
  • DanaBot maintained an average of 150 active tier-1 C2 servers per day, with roughly 1,000 daily victims across more than 40 countries, making it one of the largest MaaS platforms active in 2025
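The tiered C2 design described earlier (victims only ever talk to a tier-1 proxy, which relays to tier-2 and beyond) and the figure of roughly 150 active tier-1 servers per day have a practical consequence for defenders: the tier-1 layer is the only one visible from inside a victim network, and it churns fast, so a list of tier-1 addresses decays quickly. The script below is an added example, not DanaBot code or tooling from any of the companies named on this page. It matches constructed proxy log lines against a constructed, timestamped tier-1 indicator list, downgrades indicators that have not been confirmed live recently, and independently flags regular beaconing (near-constant intervals between connections) so that a host talking to a tier-1 address that is not yet on the list can still surface. The log format, addresses (RFC 5737 documentation ranges) and indicator dates are all hypothetical.

```python
"""Beacon detection against a (constructed) tier-1 C2 indicator list.

Added example: not DanaBot code and not tooling from the article's sources.
Addresses are RFC 5737 documentation ranges; log lines and dates are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed tier-1 indicator feed: address -> date the indicator was last
# confirmed live. Hypothetical values; a real feed carries its own timestamps.
TIER1_C2 = {
    "192.0.2.10": datetime(2025, 5, 20),
    "192.0.2.11": datetime(2025, 5, 1),   # stale: tier-1 nodes churn quickly
}

# Constructed proxy log lines: "<iso timestamp> <src> <dst>:<port> <bytes>"
SAMPLE_LOG = """\
2025-05-22T09:00:00 10.0.0.5 192.0.2.10:443 612
2025-05-22T09:05:01 10.0.0.5 192.0.2.10:443 598
2025-05-22T09:10:00 10.0.0.5 192.0.2.10:443 605
2025-05-22T09:14:59 10.0.0.5 192.0.2.10:443 611
2025-05-22T09:03:12 10.0.0.7 198.51.100.3:443 4120
2025-05-22T09:41:50 10.0.0.7 198.51.100.3:443 8831
2025-05-22T10:02:07 10.0.0.9 192.0.2.11:443 700
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def indicator_confidence(dst, now, max_age_days=7):
    """Return None for unknown addresses; otherwise weight a known tier-1
    indicator by how recently it was confirmed live, since the tier rotates."""
    seen = TIER1_C2.get(dst)
    if seen is None:
        return None
    return "high" if now - seen <= timedelta(days=max_age_days) else "low"


def find_beacons(records, min_hits=3, max_cv=0.15, now=None):
    """Flag src->dst pairs that contact a known tier-1 address or beacon
    at a regular interval.

    max_cv is the largest coefficient of variation (stdev / mean) of the
    inter-connection gaps for which a pair still counts as periodic.
    """
    now = now or max(r[0] for r in records)
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _nbytes in records:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        conf = indicator_confidence(dst, now)
        periodic = False
        if len(stamps) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            # Guard against duplicate timestamps (avg == 0) before dividing.
            periodic = avg > 0 and pstdev(gaps) / avg <= max_cv
        if conf or periodic:
            findings.append({
                "src": src, "dst": dst, "hits": len(stamps),
                "known_tier1": conf, "periodic": periodic,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the sample, 10.0.0.5 is reported for both reasons (a fresh tier-1 indicator and a five-minute beacon with almost no jitter), 10.0.0.9 is reported on a stale indicator only and would merit a lower-priority ticket, and 10.0.0.7's two irregular large transfers are ignored. The coefficient-of-variation test is deliberately simple; production beacon analytics usually also look at byte-size consistency and tolerate deliberate jitter, which this threshold does not.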

Proofpoint, which first identified and named DanaBot in May 2018, said the disruption of the MaaS operation is a win for defenders and that it will have an impact on the cybercriminal threat landscape.
"Cybercriminal disruptions and law enforcement actions not only impair malware functionality and use but also impose a cost to threat actors by forcing them to change their tactics, cause distrust in the criminal ecosystem, and potentially make criminals think about finding a different career," Selena Larson, a staff threat researcher at Proofpoint, said.

"These successes against cyber criminals only come about when enterprise IT teams and security service providers share much-needed insight into the biggest threats to society, affecting the greatest number of people around the world, which law enforcement can use to track down the servers, infrastructure, and criminal organizations behind the attacks. Private and public sector collaboration is key to understanding how actors operate and taking action against them."
DanaBot's features as promoted on its support website
DoJ Unseals Charges Against QakBot Leader
The development comes as the DoJ unsealed charges against a 48-year-old Moscow resident, Rustam Rafailevich Gallyamov, for leading efforts to develop and maintain the QakBot malware, which was disrupted in a multinational operation in August 2023. The agency also filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov over the course of the investigation.
"Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008," the DoJ said. "From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or 'botnet,' of infected computers."
The DoJ revealed that, following the takedown, Gallyamov and his co-conspirators continued their criminal activities by switching to other tactics like "spam bomb" attacks in order to gain unauthorized access to victim networks and deploy ransomware families like Black Basta and CACTUS. Court documents accuse the e-crime group of engaging in these methods as recently as January 2025.
"Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he openly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally," said Assistant Director in Charge Akil Davis of the FBI's Los Angeles Field Office.
