The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot.
The malware, according to the DoJ, infected more than 300,000 victims worldwide, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the accused, Aleksandr Stepanov (aka JimmBee), 39, and Artem Kalinkin (aka Onix), 34, both of Novosibirsk, Russia, are currently at large.
Stepanov is charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin is charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer.
A criminal complaint and indictment show that many of the defendants, including Kalinkin, exposed their real-life identities after accidentally infecting their own systems with the malware.
“In some cases, such self-infections appeared to be deliberate in order to test, analyze, or improve the malware,” the complaint (PDF) reads. “In other cases, the infections seemed unintentional – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”
“Unintentional infections often resulted in sensitive and compromising data being stolen from the actor’s computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization.”
If convicted, Kalinkin faces a statutory maximum of 72 years in federal prison. Stepanov faces a maximum of five years in prison. Alongside the charges, law enforcement efforts carried out as part of Operation Endgame saw the seizure of DanaBot command-and-control (C2) servers, including dozens of virtual servers hosted in the United States.
“DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks,” the DoJ said. “Victim computers infected with DanaBot malware became part of a botnet (a network of compromised computers), enabling the operators of the botnet to remotely control the infected computers in a coordinated manner.”
DanaBot, like the recently dismantled Lumma Stealer, operates under a malware-as-a-service (MaaS) model, with its administrators renting out access for anywhere from $500 to “several thousand dollars” per month. Tracked under the monikers Scully Spider and Storm-1044, it is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that can act both as a stealer and as a delivery vector for next-stage payloads such as ransomware.
The Delphi-based modular malware siphons data from victim machines, hijacking and stealing device information, user browsing history, stored account credentials, and virtual currency information. It can also provide full remote access, log keystrokes, and capture video. It has been active in the wild since its debut in May 2018, when it started out as a banking trojan.
[Figure: An example of a typical DanaBot infrastructure]
“DanaBot was originally oriented –” the researchers noted. “The malware’s popularity has grown due to its early modular development, which supports Zeus-based information-stealing capabilities, keylogging, screen recording, and hidden virtual network computing (HVNC).”
According to Black Lotus Labs and Team Cymru, DanaBot runs a multi-layered communication infrastructure between victims and the botnet controllers, in which C2 traffic is routed through two tiers of servers before reaching the final tier. At least five to six of these tier servers were active at any given time. Most DanaBot victims are concentrated in Brazil, Mexico, and the United States.
“The operators demonstrated a commitment to their craft, adapting to detection and to changes in enterprise defenses, with subsequent iterations isolating the C2 into tiers to complicate tracking,” the companies noted. “Throughout this time, they made the bot more user-friendly, with structured customer pricing and support.”
[Figure: High-level tiered architecture chart]
The DoJ said DanaBot’s administrators also ran a second version of the botnet that was specifically designed to target victims at military, diplomatic, government, and related organizations in North America and Europe. This variant, which appeared in January 2021, came fitted with the ability to record all interactions occurring on a victim’s device and send the data to a different server.
“Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” said United States Attorney Bill for the Central District of California.
The DoJ also credited several private-sector firms, including Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, SpyCloud, Team Cymru, and Zscaler, with providing “valuable assistance.”
Some of the notable aspects of DanaBot, compiled from different reports, are given below:
- DanaBot’s sub-botnet 5 received commands to download a Delphi-based executable targeting the Ukrainian Ministry of Defense (MoD) webmail server and the National Security and Defense Council (NSDC) in March 2022, shortly after Russia’s invasion of Ukraine
- Two DanaBot sub-botnets, 24 and 25
- DanaBot’s operators have periodically restructured their offering since 2022 to focus on defense evasion, with at least 85 different build numbers identified to date (the latest version, 4006, was built in March 2025)
- The malware’s infrastructure consists of several components: a “bot” that infects target systems and performs data collection, an “onlineserver” that manages the RATs, “clients” for log processing and bot management, and a “server” that handles build generation, packaging, and C2 communication
- DanaBot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe
- DanaBot’s authors operate as a single group offering the malware
- DanaBot’s developers have partnered with the authors of several crypters and malware loaders, such as Matanbuchus, and have offered special pricing for distribution
- DanaBot has averaged around 150 active C2 servers per day and approximately 1,000 daily victims across more than 40 countries, making it one of the largest MaaS platforms in 2025
Proofpoint, which first identified and named DanaBot in May 2018, said the disruption of the MaaS operation was a win for defenders and that it would have an impact on cybercriminals.
“Cybercriminal disruptions and law enforcement actions not only impair the functionality and use of malware, but also impose costs on threat actors by forcing them to change their tactics, cause distrust in the criminal ecosystem, and may make criminals think about finding another career,” said Selena Larson.
“These successes against cybercrime only come about when IT teams and security service providers share the critical insights needed into the greatest threats to society, those affecting the largest number of people around the world, which law enforcement agencies can use to identify the servers, infrastructure, and criminal organizations behind them and take action against those actors.”
[Figure: DanaBot features advertised on its support site]
DoJ Unseals Charges Against QakBot Leader
The development comes as the DoJ unsealed charges against 48-year-old Moscow resident Rustam Rafailevich Gallyamov for leading the effort to develop and maintain the QakBot malware, which was dismantled during a multinational operation in August 2023. The agency also filed a civil forfeiture complaint against more than $24 million in cryptocurrency seized from Gallyamov over the course of the investigation.
“Gallyamov developed, deployed, and controlled the QakBot malware beginning in 2008,” the DoJ said. “Beginning in 2019, Gallyamov allegedly used the QakBot malware to infect thousands of victim computers around the world in order to create a network, or ‘botnet,’ of infected computers.”
The DoJ said that, after the takedown, Gallyamov and his co-conspirators continued their criminal activity by turning to other tactics, such as spam bomb attacks, to gain unauthorized access to victim networks and deploy ransomware families such as Black Basta and Cactus. Court documents accuse the e-crime group of engaging in these methods as recently as January 2025.
“Mr. Gallyamov’s bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting attacks against innocent victims,” said Davis of the FBI field office.