Version 669 of DanaBot Blends Public IPs, Onion C2s and Crypto Payouts


VTA-004540 – Version 669 of DanaBot Blends Public IPs, Onion C2s and Crypto Payouts

The malware known as DANABOT has made a surprising comeback as version 669 after a six-month quiet period that followed May's Operation Endgame law-enforcement disruption of its infrastructure. This latest variant retains its core banking-trojan functionality but introduces fresh features aimed at evading modern detection: a revamped loader, updated phishing templates and a modular payload delivery system that now hides better within legitimate-looking processes.

Version 669 reportedly supports a new "safe mode" launch path that activates only under certain environmental conditions, for example avoiding execution in sandboxed or virtualized environments and suppressing non-critical modules until the victim has been idle for 24 hours. This kind of delay and context-awareness is a clear sign of evolution: the malware isn't just trying to slip past defenses, it's designed to stay undetected for longer and strike more deliberately.

For defenders, this resurgence underscores a broader trend. Well-known malware families are not disappearing when disrupted. The return of DANABOT version 669 demonstrates how persistent criminal toolkits evolve rather than fade away.

Severity:
Medium

Attack Surface:
Endpoint, Endpoint OS, Web Application, Web Browser

Tactics:
Command and Control, Credential Access, Defense Evasion, Exfiltration, Initial Access, Persistence

Techniques:
T1566.001 – Phishing
T1204.002 – User Execution
T1059 – Command and Scripting Interpreter
T1071.001 – Application Layer Protocol
T1090 / T1090.003 – Proxy / Multi-hop Proxy
T1555.003 – Credentials from Web Browsers
T1539 – Steal Web Session Cookie
T1041 – Exfiltration Over C2 Channel

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/69154a2eb3086740d2ab6bc7

References:
1. https://x.com/Threatlabz/status/1987965385036230779

SuperPRO’s Threat Countermeasures Procedures:
1. Block the published C2 IPs and ports (62.60.226.146:443, 62.60.226.154:443, 80.64.19.39:443) and the backconnect endpoints (158.94.208.102:443, 158.94.208.102:8080) at the perimeter on firewalls/proxies.
2. Import the C2 IPs, onion endpoints and crypto wallets into the TI platform and create a correlation rule.
3. Force rotation of any potentially exposed corporate financial accounts and require MFA for all finance and admin users.
4. Add the published crypto wallets to a blockchain monitoring/watchlist service and alert finance/legal on any inbound transactions.
– BTC: 12eTGpL8EqYowAfw7DdqmeiZ87R922wt5L
– ETH: 0xb49a8bad358c0adb639f43c035b8c06777487dd7
– LTC: LedxKBWF4MiM3x9F7zmCdaxnnu8A8SUohZ
– TRX: TY4iNhGut31cMbE3M6TU5CoCXvFJ5nP59i
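One way to turn steps 1 and 2 into a concrete correlation check, as an added example that is not part of this advisory: it matches the C2 and backconnect endpoints published above against firewall/proxy log lines. The key=value log format and the sample lines are constructed for the example and are not any product's real output.

```python
import re
from typing import Dict, List

# C2 and backconnect endpoints published in VTA-004540 (IP, destination port).
C2_ENDPOINTS = {
    ("62.60.226.146", 443), ("62.60.226.154", 443), ("80.64.19.39", 443),
    ("158.94.208.102", 443), ("158.94.208.102", 8080),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# Constructed sample log lines (assumed key=value firewall/proxy format).
SAMPLE_LOGS = """\
ts=2025-11-10T09:12:01Z src=10.0.3.15 dst=62.60.226.146 dport=443 action=allow
ts=2025-11-10T09:12:05Z src=10.0.3.15 dst=142.250.72.14 dport=443 action=allow
ts=2025-11-10T09:13:22Z src=10.0.7.9 dst=158.94.208.102 dport=8080 action=allow
ts=2025-11-10T09:14:00Z src=10.0.7.9 dst=80.64.19.39 dport=8443 action=allow
"""

LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def match_c2(logs: str) -> List[Dict[str, str]]:
    """Return one hit per log line that reaches a published DanaBot endpoint.

    confidence=high when both IP and port match the advisory; medium when only
    the IP matches (same host, unlisted port), which still merits investigation.
    """
    hits: List[Dict[str, str]] = []
    for line in logs.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a connection record
        ts, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if (dst, dport) in C2_ENDPOINTS:
            confidence = "high"
        elif dst in C2_IPS:
            confidence = "medium"
        else:
            continue  # destination is not on the advisory's list
        hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}",
                     "confidence": confidence})
    return hits


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_LOGS):
        print(hit)
```

The medium-confidence tier exists because a blocked host seen on an unlisted port is still the same infrastructure; feed those source hosts to the same rotation and MFA follow-up as step 3.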

Contributed by: Thivya