Saturday, June 14, 2025
HomeMalwareDanaBot Banking Trojan Emerges Again With New Features Steals Banking Credentials

DanaBot Banking Trojan Emerges Again With New Features Steals Banking Credentials

Published on

SIEM as a Service

Follow Us on Google News

DanaBot Banking Trojan was discovered earlier this year by Proofpoint, targeting users in Australia through continuous malicious email campaigns, later it expands to Poland, Italy, Germany, Austria.

It is a banking Trojan developed in Delphi language, it has a multi-stage and multi-component architecture, most of their functionalities depends on the plugins added to it. The threat actors behind DanaBot Banking Malware continuously adding new features to it.

New Campaign – DanaBot Banking Trojan

With this new active ongoing campaign DanaBot targeting users in Poland, according to ESET research, this “new campaign is the largest and most active campaign to date.”

- Advertisement - Google News

The malicious email campaign contains invoices posing to be from various companies, the campaign uses a combination of PowerShell and VBS scripts, following are the plugins found with the new campaign.

VNC plug-in – To establish a remote connection.

Sniffer plug-in – to injects malicious scripts to victim browser, usually while visiting internet banking sites.

Stealer plug-in – harvests credentials (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.).

TOR plug-in – installs a TOR proxy and enables access to .onion websites.

With the previous August campaign, the DanaBot developers added TOR plug-in to create a covert communication channel and with this new September campaign the threat actors behind DanaBot VNC plug-in that enables remote access to the victim’s machine.

Researchers said starting September smaller campaigns targeting banks in Italy, Germany, and Austria, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users. According to the telemetry data, Danabot detection ratio spiked between the month of August and September.
DanaBot Banking Trojan

ESET published a detailed list of Targeted domains, Targeted software, Targeted cryptocurrency wallets, configuration script, IoCs, hashes and plugins used.

Related Read

Malware Abuse Google Ads to Injecting Coinhive Cryptocurrency Miner

Chinese Threat Actors Rocke Launching Sophisticated Crypto-mining Malware to Mine Monero Cryptocurrency

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...

New Secure Boot Vulnerability Allows Attackers to Install Malware in PC and Server Boot Processes

Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible...