🔴 HIGH

DanaBot v669 - Post-Endgame Resurgence Targets Finance & Crypto

Category: Threat Alerts

DanaBot banking Trojan has resurfaced as version 669 following Operation Endgame actions, renewing credential theft, financial fraud and cryptocurrency wallet targeting (T1555, T1059, T1105). Zscaler ThreatLabz observed updated C2 infrastructure that combines IP addresses (e.g., 62.60.226[.]146:443) with .onion addresses to improve resilience (T1090.003).

The loader fetches encrypted modules, injects into legitimate processes, and persists via scheduled tasks for continuous execution. Initial access relies on spear-phishing and malicious documents that trigger obfuscated attachments and PowerShell-based payload retrieval. Once established, modules support data harvesting, lateral movement, and tailored payload delivery for Windows environments. The shift to mixed clear-web/.onion C2 complicates takedown and monitoring.

Business impact is high for financial institutions, fintechs, and crypto platforms: DanaBot steals banking and wallet credentials, enabling account takeovers and theft of funds. Its modular design lets operators push rapid updates, challenging static detections and incident responders.

Mitigation: enforce hardened email gateways and sandboxing, block script interpreters for untrusted content, monitor for outbound traffic to known C2s and Tor bootstrapping, and detect scheduled-task persistence. Apply browser isolation for finance workflows and rotate credentials exposed on compromised endpoints.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Direct financial losses and fraud risk from credential theft; increased IR workload due to modular, evolving payloads and mixed C2 topology.

Technical Context: Phishing → loader → encrypted module retrieval → process injection and scheduled-task persistence; C2 over .onion and IP endpoints.

ATT&CK: T1555, T1059, T1105, T1090.003.

Strategic Intelligence Guidance

  • Deploy attachment detonation and block macro/script execution from untrusted sources.
  • Hunt for Tor initialization and connections to known DanaBot IP/.onion infrastructure.
  • Instrument EDR for process injection and suspicious scheduled task creation events.
  • Segment finance workstations; enforce step-up auth and transaction risk scoring.
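The hunting guidance above can be turned into a first-pass triage script. The following is an added example, not tooling from Zscaler ThreatLabz or from the alert itself: it scans a handful of constructed firewall, proxy and Sysmon-style log lines for the three signals the alert calls out (connections to the published C2 IP, Tor / .onion activity, and scheduled-task creation launched from a script host). The C2 indicator comes from the alert; the log lines, the log field names (`dst=`, `ParentImage=`) and the Tor port heuristic are assumptions made for the example.

```python
"""Triage helper for the DanaBot hunting guidance (added example, not the
alert's or Zscaler's own tooling).  Scans log lines for: connections to the
C2 IP published in the alert, Tor / .onion activity, and scheduled-task
creation spawned from a script interpreter."""
import re
from dataclasses import dataclass

# Indicator published in the alert (defanged there as 62.60.226[.]146:443).
KNOWN_C2 = {("62.60.226.146", 443)}

# v3 .onion names are 56 base32 characters followed by ".onion".
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.I)
# Ports commonly used by Tor relays/directories; a generic heuristic for
# "Tor bootstrapping", not a DanaBot-specific indicator (assumption).
TOR_PORTS = {9001, 9030, 9050, 9051}

# Script hosts the alert names (PowerShell) plus common peers; a task created
# from one of these is the persistence pattern to look at first.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def refang(s: str) -> str:
    """Turn defanged indicators (62.60.226[.]146, hxxp) back into matchable text."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line_no: int, line: str) -> list[Finding]:
    """Return every finding triggered by one log line (field names are assumed)."""
    text = refang(line)
    findings: list[Finding] = []

    # Network: dst=<ip>:<port> from a firewall/NetFlow-style record.
    m = re.search(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)", text)
    if m:
        dst = (m.group(1), int(m.group(2)))
        if dst in KNOWN_C2:
            findings.append(Finding(line_no, "danabot_c2_ip", f"{dst[0]}:{dst[1]}"))
        elif dst[1] in TOR_PORTS:
            findings.append(Finding(line_no, "possible_tor_bootstrap", f"{dst[0]}:{dst[1]}"))

    # Proxy: any .onion hostname is worth a look on a finance workstation.
    onion = ONION_RE.search(text)
    if onion:
        findings.append(Finding(line_no, "onion_address", onion.group(0)))

    # Endpoint: schtasks /create whose parent is a script host (Sysmon-style event 1).
    lowered = text.lower()
    if "schtasks" in lowered and "/create" in lowered:
        parent = re.search(r"ParentImage=\S*?([^\\\s]+\.exe)", text, re.I)
        if parent and parent.group(1).lower() in SCRIPT_HOSTS:
            findings.append(Finding(line_no, "schtask_from_script_host", parent.group(1)))
    return findings


def scan_log(text: str) -> list[Finding]:
    """Scan a multi-line log, numbering non-blank lines from 1."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    out: list[Finding] = []
    for i, ln in enumerate(lines, start=1):
        out.extend(scan_line(i, ln))
    return out


# Constructed sample log: the IP on line 1 is the alert's indicator; every
# other address, hostname and path below is made up for the example.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z fw action=allow src=10.0.5.23:51522 dst=62.60.226.146:443 proto=tcp
2024-01-01T10:00:02Z fw action=allow src=10.0.5.23:51530 dst=198.51.100.7:9001 proto=tcp
2024-01-01T10:00:03Z proxy host=abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion method=CONNECT
2024-01-01T10:00:04Z sysmon EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\Public\u.exe" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2024-01-01T10:00:05Z fw action=allow src=10.0.5.40:51600 dst=93.184.216.34:443 proto=tcp
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
```

Line 5 of the sample (ordinary HTTPS to a non-listed host) produces no finding, which is the point of keeping the C2 list exact and the Tor heuristic port-based rather than flagging every outbound 443 connection. In production the `KNOWN_C2` set would be fed from the vendor's current indicator list rather than hard-coded.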

Vendors

Microsoft Windows

Threats

DanaBot

Targets

Banks

Crypto users

Financial services