Malware Activity
DanaBot Resurfaces with New Infrastructure and Crypto Channels After Operation Endgame Takedown
Six (6) months after its takedown in Operation Endgame, the DanaBot malware has reemerged with version 669, featuring a rebuilt command-and-control (C2) infrastructure leveraging Tor domains and “backconnect” nodes. Researchers at Zscaler ThreatLabz report that threat actors are now using multiple cryptocurrency wallets in BTC, ETH, LTC, and TRX to collect stolen funds. Originally discovered by Proofpoint as a Delphi-based banking trojan operating under a malware-as-a-service (MaaS) model, DanaBot has evolved into a modular infostealer and loader capable of harvesting credentials and crypto wallet data from browsers. Despite law enforcement’s global disruption in May, the malware’s operators have rebuilt the network, spotlighting the resilience of cybercriminals when key actors remain operational. DanaBot continues to spread via phishing emails, SEO poisoning, and malvertising campaigns that can lead to ransomware infections. CTIX analysts advise organizations to follow Zscaler's guidance to apply updated indicators of compromise (IoCs) and enhance endpoint defenses to mitigate renewed DanaBot activity.
Threat Actor Activity
NHS Supplier Synnovis Wraps Up Investigation into 2024 Qilin Ransomware Attack that Left One Patient Dead
Synnovis has concluded its complex 18-month investigation into the June 2024 ransomware attack by the Qilin cybercrime group, which severely disrupted pathology services across London and is believed to have contributed to at least one (1) patient's death. The attack resulted in the exposure of sensitive data, including NHS numbers, names, dates of birth, and possibly intimate medical conditions such as cancer and sexually transmitted infections. CaseMatrix estimates that data from over 900,000 NHS patients was compromised, although Synnovis has not confirmed this figure. The investigation faced challenges due to the fragmented and unstructured nature of the stolen data, requiring specialized platforms and processes to piece together the information. Synnovis has begun notifying affected NHS organizations, which are responsible for informing individual patients under UK data protection laws. The company warned that patient notifications may take time and advised checking healthcare providers' websites for updates. Synnovis and its NHS Trust partners decided not to pay a ransom, reflecting their commitment to ethical principles and the rejection of funding future cybercriminal activities. The Qilin gang, suspected to be of Russian origin, typically uses double-extortion tactics, exfiltrating data before encrypting systems and threatening to publish stolen material if ransoms are not paid. The group told The Register that its attack on Synnovis was deliberate, stating that "all of our attacks are not accidental" and that they target companies affiliated with political elites of certain countries. Synnovis has replaced all affected infrastructure, but the exact method of the attackers' initial entry remains undetermined.
Vulnerabilities
CISA Orders Urgent Patching of Cisco ASA and Firepower Zero-Days Amid Ongoing ArcaneDoor Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 25-03, mandating all U.S. Federal Civilian Executive Branch (FCEB) agencies to immediately patch two (2) actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices, tracked as CVE-2025-20362 and CVE-2025-20333. These flaws, when chained, allow unauthenticated remote attackers to gain full control of vulnerable devices. Initially patched in September, Cisco confirmed the bugs had been exploited as zero-days in the ArcaneDoor campaign, which has targeted government networks since late 2023. Despite prior warnings, CISA found that some agencies incorrectly believed their systems were fully updated, leaving thousands of devices still exposed (over 30,000 globally, according to Shadowserver). CISA emphasized that agencies must verify they’ve applied the correct software versions and patch all ASA and Firepower devices, not just those exposed to the Internet. The directive aligns with broader federal mitigation efforts, which also include emergency patching for Samsung and WatchGuard Firebox vulnerabilities exploited in recent zero-day campaigns. Although the mandate only applies to FCEB agencies, CTIX analysts urge any affected administrators to ensure their Cisco devices are protected from this exploit.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
