Security research teams Black Lotus Labs and Team Cymru, working in tandem with law enforcement and industry partners, have crippled the notorious DanaBot malware operation.
Through “Operation Endgame II,” authorities succeeded in dismantling the botnet’s resilient infrastructure by taking down 150 active command-and-control (C2) servers, effectively disrupting over 1,000 daily malicious campaigns targeting victims in more than 40 countries.
DanaBot’s Evolution
Emerging in 2018, DanaBot initially presented itself as a banking trojan focused on financial credential theft.

However, it quickly evolved into a sophisticated malware-as-a-service (MaaS) platform, allowing affiliates to leverage its versatile codebase for a broad spectrum of cybercrime activities, including credential harvesting, information stealing, and facilitating ransomware deployments.
Its adaptive architecture and ability to evade detection made it one of 2025’s most persistent and challenging botnets for defenders to track and neutralize.
DanaBot was notable for its multi-tiered C2 infrastructure, which typically comprised 150 active servers at any given point and registered about 1,000 fresh infections daily, peaking at over 3,000 during high-profile global events.
Most activity was detected in the United States and Mexico, with botnet traffic often routed through residential IPs to further evade detection.
The research teams observed that only 25% of DanaBot’s C2 nodes appeared in threat intelligence repositories like VirusTotal, pointing to a highly effective operational stealth.
Multi-Layered C2 Complexity
According to the Team Cymru report, the technical sophistication of DanaBot’s infrastructure was a formidable hurdle for defenders.
At its core, the malware used a multi-tiered communication pathway: infected endpoints (bots) would connect through one or more Tier 1 (T1) C2 nodes, which then relayed commands to Tier 2 (T2) servers.

Each affiliate or user of DanaBot could be assigned a dedicated T2 server or share resources, ensuring flexibility and compartmentalization.
Above these, Tier 3 (T3) nodes, typically located in Russia, acted as the operational backbone, with all traffic ultimately managed via a cluster of jumpbox servers and backup nodes that provided redundancy and further obfuscated the command chain.
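To make the tiered relay chain concrete from a defender's takedown-planning perspective, the following is an added Python example (it is not code from the report or from the research teams). It models a small, entirely constructed bot → T1 → T2 → T3 → jumpbox topology and computes how many bots lose their path to the backbone when a given node, or set of nodes, is removed. All node names and edges are assumptions for illustration.

```python
"""Takedown-impact model for a tiered botnet C2 relay chain.

Added example with a constructed topology; node names, edge layout and
affiliate assignments are assumptions, not DanaBot's real infrastructure.
"""
from collections import deque
from itertools import combinations

# Constructed topology: each key forwards to the relays listed for it.
# bot -> T1 -> T2 (one per affiliate) -> T3 (redundant pair) -> jumpbox.
EDGES = {
    "bot-a": ["t1-1"], "bot-b": ["t1-1", "t1-2"], "bot-c": ["t1-2"],
    "bot-d": ["t1-3"], "bot-e": ["t1-3", "t1-4"], "bot-f": ["t1-4"],
    "t1-1": ["t2-affiliateA"], "t1-2": ["t2-affiliateA"],
    "t1-3": ["t2-affiliateB"], "t1-4": ["t2-affiliateB"],
    "t2-affiliateA": ["t3-1", "t3-2"],  # redundancy at the T3 layer
    "t2-affiliateB": ["t3-1", "t3-2"],
    "t3-1": ["jumpbox"], "t3-2": ["jumpbox"],
    "jumpbox": [],
}


def tier(node):
    """Tier label is the prefix before the first dash (bot, t1, t2, t3, jumpbox)."""
    return node.split("-")[0]


def bots_with_backbone_path(edges, removed=frozenset(), backbone="jumpbox"):
    """Return the set of bots that can still reach `backbone` once `removed` nodes are gone."""
    alive = set()
    for node in edges:
        if tier(node) != "bot" or node in removed:
            continue
        seen = {node}
        queue = deque([node])
        while queue:  # breadth-first search along the relay chain
            cur = queue.popleft()
            if cur == backbone:
                alive.add(node)
                break
            for nxt in edges.get(cur, []):
                if nxt not in removed and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return alive


def takedown_impact(edges, k=1):
    """Rank every k-subset of infrastructure nodes by how many bots lose their backbone path.

    Returns a list of (bots_cut_off, nodes_removed) tuples, highest impact first.
    """
    total = len(bots_with_backbone_path(edges))
    candidates = [n for n in edges if tier(n) != "bot"]
    results = []
    for subset in combinations(candidates, k):
        cut = total - len(bots_with_backbone_path(edges, frozenset(subset)))
        results.append((cut, subset))
    results.sort(key=lambda r: (-r[0], r[1]))
    return results


if __name__ == "__main__":
    for cut, nodes in takedown_impact(EDGES, k=1):
        print(f"remove {nodes}: {cut} bot(s) cut off")
```

On this constructed graph, removing a single T3 node cuts off no bots because the other T3 node still forwards to the jumpbox, removing a single T1 strands only the bots with no alternate T1, and removing a T2 strands an entire affiliate's bots at once. That is the compartmentalization the article describes, and it is why a takedown has to cover nodes across tiers rather than one layer.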
Throughout 2024 and 2025, the research teams identified nearly 400 distinct IPs functioning as DanaBot C2s.
The infrastructure deliberately leveraged both cloud-hosted and residential-based servers to complicate tracking and mitigation efforts.
The architecture was also dynamically adjusted based on major events, such as ramping up attacks ahead of the 2024 US election and the December holiday season.
Operation Endgame’s forensic analysis revealed that DanaBot’s business model was tailored for both scale and specialization.
Some affiliates used the platform for mass campaigns, while others targeted high-value victims, including law firms and academic institutions.
The botnet’s use of Tor and rotating proxy services enabled operators to hide the true scale of infections and made attribution challenging.
Even as 50% of infections lasted less than a day, the damage inflicted was substantial, with compromised machines used as launch points for additional malware, credential theft, or sold to ransomware actors.
Of particular interest to investigators was the Russian origin of the core management infrastructure. Connections traced back to IPs in Novosibirsk, Russia, and multiple proxy networks, with activity coordinated via encrypted sessions (RDP, VNC, OpenVPN) to backend servers.
At least three operators, including some who frequently changed proxy addresses, were identified as central to the operation.
The success of Operation Endgame underscores the critical importance of cross-sector collaboration in cybersecurity.
By pooling their resources and expertise, the participating teams mapped DanaBot’s labyrinthine infrastructure, coordinated the global takedown, and supplied actionable threat intelligence to partners worldwide.
Their joint efforts not only neutralized the DanaBot threat for now but also served as a template for future operations against similarly decentralized and robust malware ecosystems.
As DanaBot demonstrated, criminal actors will rapidly innovate to bypass traditional controls, making proactive intelligence sharing and adaptive defense strategies essential in the ongoing battle against cybercrime.