216.73.217.22

Inside DanaBot's Infrastructure: In Support of Operation Endgame II

· Published 23/05/2025 18:49 · Modified 23/05/2025 19:07

Export JSON

Essential information

Published
23/05/2025 18:49
Modified
23/05/2025 19:07
Tags
2025-05-23 banking trojan c2 infrastructure danabot infostealer malware-as-a-service stealth tactics
Related entities
65 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware

Description

, a versatile and persistent threat since 2018, has evolved from a to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to its success. Operated likely from Russia, 's infrastructure includes Tier 1, Tier 2, and Tier 3 C2 servers. The botnet's size peaked during high-profile events, with Mexico and the US among the most impacted countries. Despite its longevity, only 25% of its C2 servers had detectable malicious signatures. Operation Endgame II, a collaborative effort between security firms and law enforcement, dealt a significant blow to 's operations.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (65)

  • 98.159.108.138
  • 98.159.108.137
  • 95.217.65.166
  • 94.232.249.215
  • 94.131.115.254
  • 94.131.109.182
  • 92.246.136.182
  • 91.242.163.44
  • 91.242.163.37
  • 91.242.163.235
  • 89.23.105.6
  • 89.116.64.46
  • 86.54.42.5
  • 85.209.153.112
  • 82.24.200.28
  • 85.209.134.250
  • 77.73.129.134
  • 81.19.137.119
  • 77.238.249.183
  • 5.34.179.197
  • 5.34.179.193
  • 47.254.81.3
  • 47.254.159.244
  • 47.253.151.139
  • 45.61.136.204
  • 45.61.136.240
  • 45.61.136.125
  • 45.137.116.57
  • 31.192.232.25
  • 45.134.174.235
  • 23.137.105.90
  • 23.137.105.251
  • 23.137.105.250
  • 23.137.105.249
  • 207.2.121.127
  • 196.251.116.36
  • 195.123.233.68
  • 194.116.216.91
  • 193.233.232.101
  • 185.245.106.72
  • 185.224.0.250
  • 185.196.9.52
  • 185.121.235.211
  • 185.177.59.56
  • 179.43.176.43
  • 179.43.176.42
  • 178.156.170.132
  • 162.33.179.34
  • 157.180.65.252
  • 157.180.74.97
  • 144.172.100.208
  • 156.253.227.5
  • 139.60.163.90
  • 135.181.242.179
  • 107.173.160.166
  • 135.181.170.163
  • 5.149.255.208
  • 46.105.141.51
  • 45.145.7.97
  • 23.137.105.248
  • 199.119.138.187
  • 185.196.10.20
  • 185.223.93.118
  • 179.43.176.41
  • 172.86.75.229

Intrusion sets (APT) (1)

  • Danabot
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 04:14 · Modified 21/12/2025 14:25

Techniques (MITRE) (13)

Malware (1)

  • DanaBot
    Family
    Published 03/11/2025 14:28 · Modified 03/11/2025 14:28

External references