ESET, DOJ, and Global Law Enforcement Disrupt Danabot Malware Network

In a coordinated international effort, cybersecurity firm ESET, the U.S. Department of Justice, the FBI, and global law enforcement agencies have successfully disrupted the infrastructure behind Danabot, one of the most persistent and adaptable infostealers of the last decade. The malware, long used for credential theft, keylogging, and ransomware delivery, has operated as a malware-as-a-service (MaaS) platform since at least 2018—enabling cybercriminals to rent its capabilities and operate custom campaigns.

The takedown was supported by intelligence and infrastructure analysis from ESET, which contributed insights into Danabot’s backend operations, affiliate toolsets, and command-and-control (C&C) servers. The operation also involved law enforcement from Germany, the Netherlands, Australia, and corporate partners including Google, Amazon, CrowdStrike, and Proofpoint. The campaign targeted not only Danabot’s technical backbone, but also key individuals involved in its development, administration, and distribution.

A Sophisticated Threat at Global Scale

Danabot is not a commodity malware. Its sophistication lies in its modular architecture and the range of capabilities it offers affiliates: from browser and FTP credential theft to remote access, Zeus-style web injection, and ransomware payload delivery. Danabot campaigns have historically targeted users in Poland, Italy, Spain, and Turkey, but its reach extended globally via deceptive ad campaigns, infected software bundles, and clipboard manipulation attacks.

ESET researchers have observed Danabot being distributed through Google Ads, bogus support sites, and malicious software bundles—highlighting the threat’s adaptive distribution model. The malware also played a role in geopolitical events, including a DDoS attack on Ukraine’s Ministry of Defense following the Russian invasion, showcasing its potential beyond standard financial cybercrime.

Why This Disruption Matters

The takedown of Danabot is significant for several reasons. First, it disrupts an active, monetized malware ecosystem that has operated for years across multiple continents and threat vectors. Second, it sends a message to MaaS operators that coordinated efforts between governments and private-sector cybersecurity partners are maturing and increasingly effective. And third, it underscores the evolving role of security vendors—not just in threat research, but in direct support of international law enforcement.

The operation also comes at a time when infostealers are among the most prevalent and damaging threats to enterprises. With GenAI accelerating developer productivity and increasing the value of stolen credentials, malware like Danabot poses a growing risk to software supply chains, user trust, and organizational resilience.

Dismantling large-scale malware infrastructure like Danabot’s isn’t just a win for cybersecurity—it’s a critical step in defending the integrity of modern internet infrastructure. Whether Danabot resurfaces or not, the precedent of coordinated dismantling efforts offers hope for more systematic disruption of similar threats in the future.

Learn how AI Agents can supercharge your company’s profits and productivity at TMC’s AI Agent Event in Sept 29-30, 2025 in DC.

If you liked this post, you’ll love one of the the leading global business communications and technology events since 1999, the ITEXPO #TECHSUPERSHOW, Feb 10-12, 2026 Fort Lauderdale, Florida.

Don’t forget the collocated MSP Expo – just for managed service providers!

Aside from his role as CEO of TMC and chairman of ITEXPO #TECHSUPERSHOW Feb 10-12, 2026, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). He handles capital/debt raises as well as M&A. RT Advisors is not owned by Four Points.

The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.

The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.

Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing


 

Loading
Share via
Copy link
Powered by Social Snap