New Version Danabot


Proofpoint researchers have identified an updated version of DanaBot. DanaBot is a banking Trojan / stealer first discovered by Proofpoint in May 2018. At least three significant versions of this malware have been identified in the past, and this is the fourth update.

From May 2018 to June 2020, DanaBot was a fixture in the cyber threat landscape. Proofpoint researchers observed multiple threat actors with at least 12 affiliate identifications (IDs) in version 2 and 38 IDs in version 3. These IDs represent the cyber criminals served by the DanaBot operators. Distribution typically targeted financial institutions located predominantly in the United States, Canada, Germany, the United Kingdom, Australia, Italy, Poland, Mexico and Ukraine. After June 2020, there was a sharp decline in DanaBot activity in Proofpoint's data and in public threat intelligence repositories (e.g. MalwareBazaar and #DanaBot). It disappeared from the threat landscape without a clear reason.

As of late October 2020, Proofpoint detected a significant update of the DanaBot specimens that appeared in VirusTotal. At the time of publication, Proofpoint researchers have identified two affiliate IDs using this latest version with at least one distribution method. While it has not returned to its previous scale, DanaBot is a threat that should be monitored.


For nearly two years, DanaBot was one of the leading banking Trojans used in the crimeware landscape. Several criminal groups distributed it and used it to target financial institutions. In mid-2020, DanaBot's activity declined and some affiliates continued their campaigns using other banking malware (e.g. Ursnif and Zloader). It is unclear whether COVID-19, competition from other specimens, development time or something else caused the drop, but it appears that DanaBot is back and is trying to regain its place in the cyber threat landscape. Proofpoint believes that the number of DanaBot affiliates will grow and that this malware will once again be distributed via campaigns in the coming months.


Sherrod DeGrippo, Proofpoint Senior Director of Threat Research and Detection, points out, “The return of Danabot is an interesting development and I strongly encourage security practitioners to monitor it. We expect DanaBot affiliates to increase and consequently also the campaigns that will distribute it again in the coming months. The reference to cryptocurrencies could signal that the perpetrators of the threat are preparing for future campaigns aimed at stealing wallets or logins for the most popular cryptocurrency sites, with an approach very similar to when they target traditional banking credentials. It is important that users avoid downloading free software of dubious origin, as those files could hide a host of malware, including DanaBot banking Trojans,