DanaBot malware resurfaces with version 669 and rebuilt Tor C2
Malware Activity
Summary
Hide ▲
Show ▼
The DanaBot malware has returned with a new version that is now being observed in attacks, renewing risk after a prior disruption in May. Researchers identified version 669 using Tor domains (.onion) and backconnect nodes for command and control, with activity tied to Windows infections and theft of credentials and cryptocurrency wallet data. The rebuilt infrastructure means DanaBot can again support malicious emails, SEO poisoning, and malvertising driven infections.
Related Happenings
SocGholish malware downloader hijacking WordPress sites
Malware Activity
H score57
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
**SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
SocGholish malware downloader hijacking WordPress sites
Malware ActivityAbout this happening: **SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
SystemBC long-running global proxy malware operation
Malware Activity
H score40
First: 04.02.2026 18:15
Last: 04.02.2026 18:15
Sources 1
About this happening:
**SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
SystemBC long-running global proxy malware operation
Malware ActivityAbout this happening: **SystemBC** is a long-running **proxy malware** operation that turns compromised hosts into **SOCKS5 relays** and is repeatedly used to support **ransomware activity**. New repor...
MonsterV2 phishing delivery and payload capabilities
Malware Activity
H score30
First: 14.10.2025 08:28
Last: 14.10.2025 08:28
Sources 1
About this happening:
**TA585** is a newly identified cybercriminal group delivering **MonsterV2** through its own phishing and malware infrastructure. **Proofpoint** says MonsterV2 was first advertise...
MonsterV2 phishing delivery and payload capabilities
Malware ActivityAbout this happening: **TA585** is a newly identified cybercriminal group delivering **MonsterV2** through its own phishing and malware infrastructure. **Proofpoint** says MonsterV2 was first advertise...
TA585 phishing, web-injection, and ClickFix campaign
Campaign
H score38
First: 14.10.2025 08:28
Last: 14.10.2025 08:28
Sources 1
About this happening:
**TA585** is running a **phishing and web-injection campaign** that uses **IRS-themed lures**, **fake CAPTCHA/ClickFix pages**, **compromised websites**, and **bogus GitHub securi...
TA585 phishing, web-injection, and ClickFix campaign
CampaignAbout this happening: **TA585** is running a **phishing and web-injection campaign** that uses **IRS-themed lures**, **fake CAPTCHA/ClickFix pages**, **compromised websites**, and **bogus GitHub securi...
SystemBC operators expand into bespoke botnet and proxy resale
Threat Actor Meta
H score29
First: 19.09.2025 17:26
Last: 19.09.2025 17:26
Sources 1
About this happening:
**SystemBC** has shifted from a ransomware-enabling proxy botnet into a **bespoke botnet and proxy-resale ecosystem**, increasing the supply of high-volume criminal infrastructure...
SystemBC operators expand into bespoke botnet and proxy resale
Threat Actor MetaAbout this happening: **SystemBC** has shifted from a ransomware-enabling proxy botnet into a **bespoke botnet and proxy-resale ecosystem**, increasing the supply of high-volume criminal infrastructure...
Timeline
-
12.11.2025 18:34 2 articles · 7mo ago
DanaBot version 669 observed with rebuilt Tor C2
Technical Analysis UpdateZscaler ThreatLabz observed a new DanaBot variant, version 669, with command-and-control infrastructure using Tor domains (.onion) and backconnect nodes, alongside cryptocurrency addresses used to receive stolen funds in BTC, ETH, LTC, and TRX. The malware was described as active again with rebuilt infrastructure after Operation Endgame disrupted DanaBot in May, and the current infection methods include malicious emails via links or attachments, SEO poisoning, and malvertising.
Show sources
- DanaBot malware is back to infecting Windows after 6-month break — www.bleepingcomputer.com — 12.11.2025 18:34
- DanaBot malware is back to infecting Windows after 6-month break — www.bleepingcomputer.com — 12.11.2025 18:34