DanaBot malware resurfaces with version 669 and rebuilt Tor C2

Malware Activity
Happening score (H score): 33
1 unique source, 1 article

Summary

The DanaBot malware has returned with a new version that is now being observed in attacks, renewing risk after a prior disruption in May. Researchers identified version 669 using Tor domains (.onion) and backconnect nodes for command and control, with activity tied to Windows infections and theft of credentials and cryptocurrency wallet data. With its infrastructure rebuilt, DanaBot can again support infections driven by malicious emails, SEO poisoning, and malvertising.

Related Happenings

SystemBC long-running global proxy malware operation

Malware Activity
First: 04.02.2026 18:15 Last: 04.02.2026 18:15 Sources 1

About this happening: **SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...

MonsterV2 phishing delivery and payload capabilities

Malware Activity
First: 14.10.2025 08:28 Last: 14.10.2025 08:28 Sources 1

About this happening: **TA585** is a newly identified cybercriminal group delivering **MonsterV2** through its own phishing and malware infrastructure. **Proofpoint** says MonsterV2 was first advertise...

TA585 phishing, web-injection, and ClickFix campaign

Campaign
First: 14.10.2025 08:28 Last: 14.10.2025 08:28 Sources 1

About this happening: **TA585** is running a **phishing and web-injection campaign** that uses **IRS-themed lures**, **fake CAPTCHA/ClickFix pages**, **compromised websites**, and **bogus GitHub securi...

SystemBC operators expand into bespoke botnet and proxy resale

Threat Actor Meta
First: 19.09.2025 17:26 Last: 19.09.2025 17:26 Sources 1

About this happening: **SystemBC** has shifted from a ransomware-enabling proxy botnet into a **bespoke botnet and proxy-resale ecosystem**, increasing the supply of high-volume criminal infrastructure...

HiddenGh0st, Winos, and kkRAT trojanized-installer malware activity

Malware Activity
First: 15.09.2025 08:47 Last: 15.09.2025 08:47 Sources 1

About this happening: A **SEO poisoning** malware operation is using **fake software sites** to push **HiddenGh0st**, **Winos (ValleyRAT)**, and **kkRAT** onto **Chinese-speaking users**, with delivery...

Timeline

  1. 12.11.2025 18:34 2 articles · 6mo ago

    DanaBot version 669 observed with rebuilt Tor C2

    Technical Analysis Update

    Zscaler ThreatLabz observed a new DanaBot variant, version 669, with command-and-control infrastructure using Tor domains (.onion) and backconnect nodes, alongside cryptocurrency addresses used to receive stolen funds in BTC, ETH, LTC, and TRX. The malware was described as active again with rebuilt infrastructure after Operation Endgame disrupted DanaBot in May, and the current infection methods include malicious emails via links or attachments, SEO poisoning, and malvertising.
