A coordinated effort by cybersecurity services and analysts has successfully neutralized the dangerous Danabot malware—a tool used worldwide primarily for data theft. Crucially, the individuals responsible for developing and deploying Danabot have been identified. Polish users were the main targets, accounting for over 60% of global detections involving this malware.
Global Operation Involving U.S. and International Agencies
The disruption operation against the Danabot data-stealing trojan was led by the U.S. Department of Justice, the FBI, and the U.S. Department of Defense’s Criminal Investigations Service. These agencies cooperated closely with Germany’s Bundeskriminalamt, the Dutch National Police, and the Australian Federal Police. Key cybersecurity industry players—including ESET—were also involved.
This joint action identified those responsible for the development, sale, and administration of Danabot, as well as other related criminal activities.
Danabot’s Impact on Poland
Telemetry data collected by ESET since 2018 paints a concerning picture for Poland. The country became a top priority target for Danabot attackers, with nearly 63% of global attack detections occurring on Polish systems.
For comparison, the next highest countries were Italy (4%), Spain (3.5%), and Turkey (3%), each accounting for just a small fraction of global detections. Peru ranked fifth with 1.5%.
These statistics highlight the severity of the threat Danabot posed to Polish users and businesses.
Multifunctional Malware with Expanding Capabilities
“Besides stealing sensitive data, we observed Danabot being used to deploy additional malware, including ransomware, in some cases targeting already infected systems,” explained Tomáš Procházka, an ESET researcher involved in the malware’s analysis.
Danabot’s Operation Model: Malware-as-a-Service
Danabot’s creators operated as a structured criminal group, offering the malware to other cybercriminals under a malware-as-a-service model. Clients rented Danabot to conduct their own campaigns, managing botnets—networks of infected devices such as smartphones, routers, and IoT gadgets controlled remotely.
Capabilities and Uses
Danabot’s extensive functions included:
- Theft of credentials from browsers, email, and FTP clients
- Keylogging (recording keystrokes, including passwords)
- Screen recording
- Real-time remote control of victim machines
- Cryptocurrency wallet theft
- Uploading and executing additional malware on infected computers
Analysis by ESET confirms Danabot’s role in distributing ransomware, designed to encrypt data and demand payment from victims. It was also used for less typical attacks such as DDoS (Distributed Denial of Service) assaults—one notable attack targeted Ukraine’s Ministry of Defense.
In other cases, attackers tricked victims via fake websites promising to fix non-existent computer issues.
International Cooperation and the Importance of Awareness
“Our research confirms Danabot was a serious global threat, with a particularly alarming focus on Poland,” said Kamil Sadkowski, analyst at ESET’s antivirus lab.
“Cybercriminal operations have become highly structured, with groups employing sophisticated targeting methods and systemic business models that challenge law enforcement. This operation’s success underscores the critical role of international cooperation in fighting cybercrime. At the same time, awareness and education remain essential for protecting all users.”
Source: managerplus.pl
