The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000 victim computers around the world, facilitated fraud and ransomware, and caused at least $50 million in damages. Two of the defendants, Aleksandr Stepanov (aka JimmBee), 39, and Artem Aleksandrovich Kalinkin (aka Onix), 34, both from Novosibirsk, Russia, are currently at large. Stepanov has been charged with conspiracy, conspiracy to commit wire fraud and bank fraud, aggravated identity theft, unauthorized access to a protected computer to obtain information, unauthorized impairment of a protected computer, wiretapping, and use of an intercepted communication. Kalinkin has been charged with conspiracy to gain unauthorized access to a computer to obtain information, to gain unauthorized access to a computer to defraud, and to commit unauthorized impairment of a protected computer. The unsealed criminal complaint and indictment show that many of the defendants, counting Kalinkin, exposed their real-life identities after accidentally infecting their own systems with the malware. "In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware," the complaint [PDF] read. "In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake." "The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on the DanaBot servers, including data that helped identify members of the DanaBot organization." If convicted, Kalinkin is expected to face a statutory maximum sentence of 72 years in federal prison. Stepanov would face a jail term of five years. Concurrent with the action, the law enforcement effort, carried out as part of Operation Endgame, saw DanaBot's command-and-control (C2) servers seized, including dozens of virtual servers hosted in the United States. "DanaBot malware used a variety of methods to infect victim computers, including spam email messages containing malicious attachments or hyperlinks," the DoJ said. "Victim computers infected with DanaBot malware became part of a botnet (a network of compromised computers), enabling the operators and users of the botnet to remotely control the infected computers in a coordinated manner." DanaBot, like the recently dismantled Lumma Stealer malware, operates under a malware-as-a-service (MaaS) scheme, with the administrators leasing out access starting from $500 to "several thousand dollars" a month. Tracked under the monikers Scully Spider and Storm-1044, is a multi-functional tool along the lines of Emotet, TrickBot, QakBot, and IcedID that's capable of acting as a stealer and a delivery vector for next-stage payloads, such as ransomware. The Delphi-based modular malware is equipped to siphon data from victim computers, hijack banking sessions, and steal device information, user browsing histories, stored account credentials, and virtual currency wallet information. It can also provide full remote access, log keystrokes, and capture videos. It's been active in the wild since its debut in May 2018, when it started off as a banking trojan. Example of typical Danabot infrastructure "DanaBot initially targeted victims in Ukraine, Poland, Italy, Germany, Austria, and Australia prior to expanding its targeting posture to include U.S.- and Canada-based financial institutions in October 2018," CrowdStrike said. "The malware's popularity grew due to its early modular development supporting Zeus-based web injects, information stealer capabilities, keystroke logging, screen recording, and hidden virtual network computing (HVNC) functionality." According to Black Lotus Labs and Team Cymru, DanaBot employs a layered communications infrastructure between a victim and the botnet controllers, wherein the C2 traffic is proxied through two or three server tiers before it reaches the final level. At least five to six tier-2 servers were active at any given time. A majority of DanaBot victims are concentrated around Brazil, Mexico, and the United States. "The operators have shown their commitment to their craft, adapted to detection and changes in enterprise defense, and with later iterations, insulating the C2s in tiers to obfuscate tracking," the companies said. "Throughout this time, they have made the bot more user-friendly with structured pricing and customer support." High-level diagram of multi-tiered C2 architecture The DoJ said DanaBot administrators operated a second version of the botnet that was specially designed to target victim computers in military, diplomatic, government, and related entities in North America and Europe. This variant, emerging in January 2021, came fitted with capabilities to record all interactions happening on a victim device and send the data to a different server. "Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses," said United States Attorney Bill Essayli for the Central District of California. The DoJ further credited several private sector firms, Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler, for providing "valuable assistance." Some of the noteworthy aspects of DanaBot, compiled from various reports, are below - DanaBot's sub-botnet 5 received commands to download a Delphi-based executable leveraged to conduct HTTP-based distributed denial-of-service (DDoS) attacks against the Ukrainian Ministry of Defence (MOD) webmail server and the National Security and Defense Council (NSDC) of Ukraine in March 2022, shortly after Russia's invasion of the country Two DanaBot sub-botnets, 24 and 25, were specifically used for espionage purposes likely with an aim to further intelligence-gathering activities on behalf of Russian government interests DanaBot operators have periodically restructured their offering since 2022 to focus on defense evasion, with at least 85 distinct build numbers identified to date (The most recent version is 4006, which was compiled in March 2025) The malware's infrastructure consists of multiple components: A "bot" that infects target systems and performs data collection, an "OnlineServer" that manages the RAT functionalities, a "client" for processing collected logs and bot management, and a "server" that handles bot generation, packing, and C2 communication DanaBot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe The authors of DanaBot operate as a single group, offering the malware for rent to potential affiliates, who subsequently use it for their own malicious purposes by establishing and managing their own botnets using private servers DanaBot's developers have partnered with the authors of several malware cryptors and loaders, such as Matanbuchus, and offered special pricing for distribution bundles DanaBot maintained an average of 150 active tier-1 C2 servers per day, with approximately 1,000 daily victims across more than 40 countries, making it one of the largest MaaS platforms active in 2025 Proofpoint, which first identified and named DanaBot in May 2018, said the disruption of the MaaS operation is a win for defenders and that it will have an impact on the cybercriminal threat landscape. "Cybercriminal disruptions and law enforcement actions not only impair malware functionality and use but also impose a cost to threat actors by forcing them to change their tactics, cause mistrust in the criminal ecosystem, and potentially make criminals think about finding a different career," Selena Larson, a staff threat researcher at Proofpoint, said. "These successes against cyber criminals only come about when business IT teams and security service providers share much-needed insight into the biggest threats to society, affecting the greatest number of people around the world, which law enforcement can use to track down the servers, infrastructure, and criminal organizations behind the attacks. Private and public sector collaboration is crucial to knowing how actors operate and taking action against them." DanaBot's features as promoted on its support site DoJ Unseals Charges Against QakBot Leader The development comes as the DoJ unsealed charges against a 48-year-old Moscow resident, Rustam Rafailevich Gallyamo, for leading efforts to develop and maintain the QakBot malware, which was disrupted in a multinational operation in August 2023. The agency also filed a civil forfeiture complaint against over $24 million in cryptocurrency seized from Gallyamov over the course of the investigation. "Gallyamov developed, deployed, and controlled the Qakbot malware beginning in 2008," the DoJ said. "From 2019 onward, Gallyamov allegedly used the Qakbot malware to infect thousands of victim computers around the world in order to establish a network, or 'botnet,' of infected computers." The DoJ revealed that, following the takedown, Gallyamov and his co-conspirators continued their criminal activities by switching to other tactics like "spam bomb" attacks in order to gain unauthorized access to victim networks and deploy ransomware families like Black Basta and CACTUS. Court documents accuse the e-crime group of engaging in these methods as recently as January 2025. "Mr. Gallyamov's bot network was crippled by the talented men and women of the FBI and our international partners in 2023, but he brazenly continued to deploy alternative methods to make his malware available to criminal cyber gangs conducting ransomware attacks against innocent victims globally," said Assistant Director in Charge Akil Davis of the FBI's Los Angeles Field Office. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.