
ZeroFox Intelligence Flash Report - New DanaBot Malware Variant Emerges After Takedown

by Alpha Team

Product Serial: F-2025-11-14a

TLP:CLEAR

In this Flash report, ZeroFox researchers report on the re-emergence of DanaBot malware, 6 months after Operation Endgame, a U.S.-led international law enforcement effort to disrupt cybercriminal networks.

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Key Findings

  • On November 10, 2025, security researchers observed a new variant of DanaBot malware—six months after a law enforcement operation removed 300 servers and 650 domains that were used as part of the DanaBot network infrastructure.
  • Unlike previous iterations of DanaBot, the new variant reportedly harnesses standard IP-based command and control (C2) domains and dark web addresses to facilitate delivery of other modules and configuration files, enabling enhanced persistence and continuous execution.
  • The re-emergence of DanaBot indicates that disrupted cybercrime networks are very likely to reorganize under recognizable branding to reignite their criminal enterprises as long as financial incentives persist.

Tags: tlp:clear, threat actor, malware, DDW, Ransomware