Operation Endgame 2.0

216.73.216.233

· Published 23/05/2025 09:59 · Modified 23/05/2025 13:06

Essential information

Published: 23/05/2025 09:59
Modified: 23/05/2025 13:06
Tags: 2025-05-23 cactus danabot darkgate ddos espionage globeimposter hijackloader keylogger lumma malware-as-a-service operation endgame smokeloader targeted attacks
Related entities: 9 observables, 1 intrusion sets (apt), 16 techniques (mitre), 7 malware, 3 others

Description

International law enforcement agencies have taken additional actions in Operation Endgame, targeting cybercriminal organizations, particularly those behind DanaBot. DanaBot is a powerful modular malware family written in Delphi, capable of keylogging, capturing screenshots, recording desktop videos, exfiltrating files, injecting content into web browsers, and deploying second-stage malware. It operates as a Malware-as-a-Service platform, enabling various attacks. DanaBot has been used in targeted attacks against government officials in the Middle East and Eastern Europe, and for DDoS attacks against Ukrainian servers. The malware implements a custom binary protocol encrypted with RSA and AES, and uses hardcoded C2 servers with Tor as a backup communication channel. Over 50 nicknames have been associated with DanaBot affiliates.

External references

https://otx.alienvault.com/pulse/683046e8073360953a9307d2