
ESET participates in operation to disrupt the infrastructure of Danabot infostealer
While primarily developed as an infostealer, Danabot also has been used to distribute additional malware, including ransomware.
Danabot's authors promote their toolset through underground forums and offer various rental options to potential affiliates.
This ESET Research analysis covers the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates.
Poland, Italy, Spain and Turkey have historically been among the countries most targeted by Danabot.
Dubai, UAE: ESET has participated in a major infrastructure disruption of the notorious infostealer, Danabot, by the US Department of Justice, the FBI, and the US Department of Defense's Defense Criminal Investigative Service. US agencies were working closely with Germany's Bundeskriminalamt, the Netherlands' National Police, and the Australian Federal Police. ESET took part in the effort alongside Amazon, CrowdStrike, Flashpoint, Google, Intel471, PayPal, Proofpoint, Team Cymru and Zscaler. ESET Research, which has been tracking Danabot since 2018, contributed assistance that included providing technical analysis of the malware and its backend infrastructure, as well as identifying Danabot's C&C servers. During that period, ESET analyzed various Danabot campaigns all over the world, with Poland, Italy, Spain and Turkey historically being among the most targeted countries. The joint takedown effort also led to the identification of individuals responsible for Danabot development, sales, administration, and more.
These law enforcement operations were conducted under Operation Endgame — an ongoing global initiative aimed at identifying, dismantling, and prosecuting cybercriminal networks. Coordinated by Europol and Eurojust, the operation successfully took down critical infrastructure used to deploy ransomware through malicious software.
'Since Danabot has been largely disrupted, we are using this opportunity to share our insights into the workings of this malware-as-a-service operation, covering the features used in the latest versions of the malware, the authors' business model, and an overview of the toolset offered to affiliates. Apart from exfiltrating sensitive data, we have observed that Danabot is also used to deliver further malware, which can include ransomware, to an already compromised system,' says ESET researcher Tomáš Procházka, who investigated Danabot.
The authors of Danabot operate as a single group, offering their tool for rental to potential affiliates, who subsequently employ it for their malicious purposes by establishing and managing their own botnets. Danabot's authors have developed a vast variety of features to assist customers with their malevolent motives. The most prominent features offered by Danabot include: the ability to steal various data from browsers, mail clients, FTP clients, and other popular software; keylogging and screen recording; real-time remote control of the victims' systems; file grabbing (commonly used for stealing cryptocurrency wallets); support for Zeus-like webinjects and form grabbing; and arbitrary payload upload and execution. Beyond the use of its stealing capabilities, ESET Research has observed a variety of payloads being distributed via Danabot over the years. Furthermore, ESET has encountered instances of Danabot being used to download ransomware onto already compromised systems.
In addition to typical cybercrime, Danabot has also been used in less conventional activities such as utilizing compromised machines to launch DDoS attacks, for example a DDoS attack against Ukraine's Ministry of Defense soon after the Russian invasion of Ukraine.
Throughout its existence, according to ESET monitoring, Danabot has been a tool of choice for many cybercriminals, and each of them has used different means of distribution. Danabot's developers even partnered with the authors of several malware cryptors and loaders, and offered special pricing for a distribution bundle to their customers, helping them with the process. Recently, out of all distribution mechanisms ESET observed, the misuse of Google Ads to display seemingly relevant, but actually malicious, websites among the sponsored links in Google search results stands out as one of the most prominent methods to lure victims into downloading Danabot. The most popular ploy is packing the malware with legitimate software and offering such a package through bogus software sites or websites falsely promising to help users find unclaimed funds. The latest addition to these social engineering techniques is deceptive websites offering solutions for fabricated computer issues, whose only purpose is to lure victims into executing a malicious command secretly inserted into the user's clipboard.
The typical toolset provided by Danabot's authors to their affiliates includes an administration panel application, a backconnect tool for real-time control of bots, and a proxy server application that relays the communications between the bots and the actual C&C server. Affiliates can choose from various options to generate new Danabot builds, and it's their responsibility to distribute these builds through their own campaigns.
'It remains to be seen whether Danabot can recover from the takedown. The blow will, however, surely be felt, since law enforcement managed to unmask several individuals involved in the malware's operations,' concludes Procházka.
For a technical overview of Danabot and insight into its operation, check out the ESET Research blogpost 'Danabot: Analyzing a fallen empire' on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
Media Contact
Sanjeev
Vistar Communications
PO Box 127631
Dubai, UAE
Email: sanjeev@vistarmea.com
