DanBot

Malware Profile Updated 13 days ago
Download STIX
Preview STIX
DanBot is a malicious software (malware) written in C# using .NET Framework 2.0 that provides basic remote access capabilities. It was identified as part of the arsenal used by the cyber threat group, OilRig, and has been linked to other backdoors such as Solar, Shark, Milan, and Marlin. The malware is designed to infiltrate systems through suspicious downloads, emails, or websites, often without user knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for ransom. In 2021, OilRig updated its DanBot backdoor and began deploying additional backdoors like Shark, Milan, and Marlin as per the ESET Threat Report T3 2021. The DanBot variant operated by LYCEUM, another cyber threat group, hosted multiple command and control (C2) domains, indicating its widespread use in cyber espionage. Some of the Milan backdoors analyzed also included samples that were clustered as DanBot backdoors, further confirming its broad deployment in cyber attacks. The DanBot malware shares several similarities with other backdoors used in cyber operations, particularly in terms of upload and download schemes for communicating with the C&C server. Both Solar and Shark backdoors, for instance, use URIs with simple upload ("u") and download ("d") schemes. Additionally, the downloader SC5k uses uploads and downloads subdirectories akin to other OilRig backdoors like ALMA, Shark, DanBot, and Milan. This overlap in tools and targeting highlights the interconnected nature of these cyber threats and their shared methodologies.
What's your take? (Question 1 of 4)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Milan
2
Milan is a type of malware that was part of an array of backdoors deployed by the cyber threat group OilRig in 2021. Other backdoors used by this group include Shark, DanBot, and Marlin. The Milan malware, like other backdoors used by OilRig, employs simple upload and download schemes for communicat
Shark
2
Shark is a type of malware, or malicious software, that was deployed by the cyber group OilRig. In 2021, OilRig updated its DanBot backdoor and began deploying the Shark, Milan, and Marlin backdoors, as highlighted in the T3 2021 issue of the ESET Threat Report. This harmful program can infiltrate s
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
MarlinUnspecified
2
Marlin is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Marlin can steal personal information, disrupt operations, or even hold data
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
OilRigUnspecified
2
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the DanBot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Cyber Threat Group LYCEUM Takes Center Stage in Middle East Campaign
MITRE
a year ago
Who are Latest Targets of Cyber Group Lyceum | Accenture
CERT-EU
8 months ago
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
ESET
5 months ago
OilRig’s persistent attacks using cloud service-powered downloaders