The US government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The malware, used for espionage and credential theft, infected over 300,000 systems globally, causing estimated losses of more than $50 million.
Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, both from Novosibirsk, Russia, are the ringleaders of the DanaBot conspiracy. Kalinkin is an IT engineer for Gazprom, a Russian state-owned energy giant. The FBI says a newer version of DanaBot was used to target military, diplomatic, and non-governmental organization computers in several countries.
The government alleges that the malware was sold between 2018 and June 2020, and later re-emerged in January 2021. Affiliates paid $3,000 to $4,000 a month for access to the information stealer platform, which compromised sensitive diplomatic communications, credentials, and data from targeted victims.
The US Department of Justice says it has seized servers used by the DanaBot authors and the servers that stored stolen victim data. In some cases, defendants infected their own PCs with the malware, resulting in their credential data being uploaded to stolen data repositories.
Microsoft recently disrupted another malware-as-a-service offering, Lumma Stealer, which was also sold to affiliates under tiered subscription prices. The government is working with industry partners to notify DanaBot victims and help remediate infections.
Source: https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-their-own-pcs