Operation Endgame 2.0: DanaBusted

    Date: 06/04/2025

    Severity: High 

    Summary

On May 22, 2025, our team revealed further actions tied to Operation Endgame, aimed at disrupting the cybercriminal groups behind malware such as DanaBot. This follows the original 2024 effort, which targeted SmokeLoader, IcedID, and Pikabot. DanaBot is a Delphi-based modular malware that supports keystroke logging, file theft, browser injection, and second-stage payload deployment. Sold under a malware-as-a-service (MaaS) model, DanaBot has been used in attacks against government entities in the Middle East and Eastern Europe, including DDoS campaigns against Ukrainian defense infrastructure.

    Indicators of Compromise (IOC) List (the same values are carried in the TDIR detection queries below)

    Domains/URLs:

    y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion

    IP Addresses:


    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion" or url like "y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion" or siteurl like "y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion"

    IP Addresses:

    dstipaddress IN ("77.239.101.139","77.239.99.248","91.243.50.68","77.91.76.17","149.28.241.120","149.28.127.237") or srcipaddress IN ("77.239.101.139","77.239.99.248","91.243.50.68","77.91.76.17","149.28.241.120","149.28.127.237")

    Hashes (SHA-256):

    sha256hash IN ("75ff0334d46f9b7737e95ac1edcc79d956417b056154c23fad8480ec0829b079","2f8e0fc38eaf08a69653f40867dcd4cc951a10cd92b8168898b9aa45ba18a5c8","e2c228d0bf460f25b39dd60f871f59ea5ef671b8a2f4879d09abae7a9d4d49fb","871862d1117fd7d2df907406a3ce08555196800b0ef9901dd4c46f82b728263d")
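    An added example (not Gurucul's TDIR code and not part of the Zscaler research): the three indicator checks above, applied in Python to constructed log records, with the case and URL normalisation that a plain `like`/`IN` comparison does not perform. Field names follow the queries above; the sample records are constructed, not real telemetry.

```python
# Added example (not Gurucul's or Zscaler's code): applies the three indicator
# checks of the TDIR queries (domain/URL, src/dst IP, SHA-256) to log records.
import ipaddress
from urllib.parse import urlsplit

DANABOT_DOMAINS = {"y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion"}
DANABOT_IPS = {ipaddress.ip_address(a) for a in (
    "149.28.241.120", "91.243.50.68", "77.239.101.139",
    "77.239.99.248", "77.91.76.17", "149.28.127.237")}
DANABOT_SHA256 = {
    "2f8e0fc38eaf08a69653f40867dcd4cc951a10cd92b8168898b9aa45ba18a5c8",
    "871862d1117fd7d2df907406a3ce08555196800b0ef9901dd4c46f82b728263d",
    "e2c228d0bf460f25b39dd60f871f59ea5ef671b8a2f4879d09abae7a9d4d49fb",
    "75ff0334d46f9b7737e95ac1edcc79d956417b056154c23fad8480ec0829b079"}

def _domain_hit(value):
    # Accept a bare hostname or a full URL; match the listed domain or any
    # subdomain of it, which a plain `like` without wildcards would miss.
    if not value:
        return False
    host = (urlsplit(value if "://" in value else "//" + value).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DANABOT_DOMAINS)

def _ip_hit(value):
    try:
        return ipaddress.ip_address(value or "") in DANABOT_IPS
    except ValueError:  # missing or malformed address: no hit, no crash
        return False

def match_record(rec):
    """Return the indicator types (domain, ip, sha256) that fire on one record."""
    hits = []
    if any(_domain_hit(rec.get(k)) for k in ("domainname", "url", "siteurl")):
        hits.append("domain")
    if any(_ip_hit(rec.get(k)) for k in ("srcipaddress", "dstipaddress")):
        hits.append("ip")
    if (rec.get("sha256hash") or "").strip().lower() in DANABOT_SHA256:
        hits.append("sha256")
    return hits

def scan(records):
    """Map record index -> indicator types hit, omitting clean records."""
    return {i: h for i, r in enumerate(records) if (h := match_record(r))}

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "77.239.99.248"},
    {"url": "http://y3wg3owz34ybihfulzr4blznkb6g6zf2eeuffhqrdvwdp43xszjknwad.onion/gate"},
    {"sha256hash": "2F8E0FC38EAF08A69653F40867DCD4CC951A10CD92B8168898B9AA45BA18A5C8"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8", "sha256hash": "00" * 32},
]
```

    Running `scan(SAMPLE_LOGS)` flags records 0, 1 and 2 (IP, domain and hash respectively) and skips the clean record 3.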

    Reference:

    https://www.zscaler.com/blogs/security-research/operation-endgame-2-0-danabusted#introduction


    Tags

    Malware, DanaBot, SmokeLoader, IcedID, Pikabot, MaaS, Europe, DDoS, Ukraine
