danbot

Malware

⚠️ Overview

DanBot is a DDoS (Distributed Denial of Service) botnet first identified in early 2024 by security researchers at NSFOCUS. It is operated by a threat actor known as "Dan" and is classified as botnet malware that leverages compromised IoT devices and Windows servers to launch Layer 7 HTTP flood attacks. The malware is written in Go and uses a custom binary protocol for command and control (C2) communication.

🔧 Technical Capabilities

DanBot propagates by scanning for exposed SSH (port 22) and Telnet (port 23) services using a built-in dictionary of default and weak credentials. Once inside, it downloads a payload from a hardcoded IP address and establishes persistence via cron jobs on Linux systems and scheduled tasks on Windows. The C2 infrastructure uses AES-256 encrypted WebSocket connections, making traffic analysis difficult. Evasion techniques include process name randomization, debugger detection, and the ability to self-delete after execution if network connectivity is lost. The botnet can execute multiple attack types: HTTP GET/POST floods, Slowloris-style connection exhaustion, and HTTPS floods using random User-Agent strings to bypass CDN protections.

📜 History & Notable Incidents

First observed in January 2024, DanBot was notably used in a March 2024 campaign targeting e-commerce and gaming platforms in South Korea and Japan, with peak attack volumes exceeding 1 Tbps according to NSFOCUS telemetry. No high-profile victim names have been publicly disclosed. The C2 domain "danbot[.]cc" was sinkholed in April 2024 by an international law enforcement operation led by the South Korean National Police Agency. No CVEs are specifically associated with DanBot; it relies on weak credentials rather than software vulnerabilities.

🔍 Detection Indicators

Known file hashes include SHA256: 7e8f3a2c1b5d4e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f (DanBot x86 binary). Network indicators include outbound WebSocket connections to IPs in the 45.155.205.0/24 range and the use of User-Agent strings such as "Mozilla/5.0 (compatible; DanBot/1.0)". Behavioral signatures include rapid sequential connection attempts on ports 22/23 from the same source IP, followed by an encrypted WebSocket handshake. Registry keys on Windows hosts include HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DBSvc for persistence.
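As an added example (not code from this page or from NSFOCUS), the network and behavioral indicators above turned into a small detector run over constructed connection-log lines. The C2 range and User-Agent string are taken from the text as listed; the log format, the threshold of 4 SSH/Telnet attempts within 10 seconds, and the sample addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as listed on this page (not re-verified here).
C2_RANGE = ipaddress.ip_network("45.155.205.0/24")
DANBOT_UA = "Mozilla/5.0 (compatible; DanBot/1.0)"
SCAN_PORTS = {22, 23}
SCAN_THRESHOLD, SCAN_WINDOW = 4, timedelta(seconds=10)  # assumed tuning, not from the page
# Assumed, constructed log format: "<ISO time> <src> -> <dst>:<port> [ua="..."]"
LINE_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+)(?: ua="([^"]*)")?$')

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "port": int(port), "ua": ua}

def detect(lines):
    """Return (rule, detail) alerts for the three indicator types this page lists."""
    alerts, flagged = [], set()
    attempts = defaultdict(list)  # src -> timestamps of recent port 22/23 attempts
    for ev in filter(None, map(parse_line, lines)):
        # Rule 1: any connection whose destination falls inside the listed C2 range.
        if ipaddress.ip_address(ev["dst"]) in C2_RANGE:
            alerts.append(("c2_range", f'{ev["src"]} -> {ev["dst"]}:{ev["port"]}'))
        # Rule 2: the User-Agent string listed on the page.
        if ev["ua"] == DANBOT_UA:
            alerts.append(("danbot_ua", ev["src"]))
        # Rule 3: rapid sequential SSH/Telnet attempts from one source (sliding window).
        if ev["port"] in SCAN_PORTS:
            recent = [t for t in attempts[ev["src"]] if ev["ts"] - t <= SCAN_WINDOW] + [ev["ts"]]
            attempts[ev["src"]] = recent
            if len(recent) >= SCAN_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])  # report each scanning source once
                alerts.append(("ssh_telnet_scan", ev["src"]))
    return alerts

# Constructed sample log: one host sweeping 22/23, then reaching into the C2 range.
SAMPLE_LOG = [
    "2024-03-01T10:00:00 198.51.100.7 -> 192.0.2.10:22",
    "2024-03-01T10:00:01 198.51.100.7 -> 192.0.2.11:23",
    "2024-03-01T10:00:02 198.51.100.7 -> 192.0.2.12:22",
    "2024-03-01T10:00:03 198.51.100.7 -> 192.0.2.13:23",
    "2024-03-01T10:00:20 198.51.100.7 -> 45.155.205.9:443",
    '2024-03-01T10:00:21 203.0.113.5 -> 192.0.2.80:80 ua="Mozilla/5.0 (compatible; DanBot/1.0)"',
]
```

Calling `detect(SAMPLE_LOG)` yields one scan alert for 198.51.100.7, one C2-range alert for its later connection, and one User-Agent alert for 203.0.113.5.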

☠️ Risk & Impact

DanBot causes service disruption through volumetric DDoS attacks, leading to financial losses from downtime, mitigation costs, and potential brand damage. The malware also compromises device integrity by leaving backdoors (e.g., adding an SSH public key). Affected sectors include online gaming, retail, and cloud hosting providers, primarily in East Asia and the United States.

🛡️ Mitigation

Defenders should enforce strong, unique passwords on all SSH/Telnet services, disable Telnet where possible, and deploy network monitoring rules to detect outbound encrypted WebSocket connections from servers. The NSFOCUS threat report recommends blocking the known C2 IP ranges and applying the YARA rule danbot_yara_v1.yar available on their GitHub repository.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.