New DanaBot malvertising campaign delivers Cactus ransomware

A new malvertising campaign that delivers the DanaBot malware has led to hands-on-keyboard intrusions by the ransomware operator tracked as Storm-0216, culminating in the deployment of the Cactus ransomware.

“Microsoft has detected Danabot (Storm-1044) infections leading to hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of Cactus ransomware,” Microsoft said.

DanaBot, tracked by Microsoft as Storm-1044, is a malware-as-a-service platform that threat actors use to steal usernames, passwords, session cookies, account numbers, and other personally identifiable information (PII).

“Storm-0216 has historically received handoffs from Qakbot operators but has since pivoted to leveraging different malware for initial access, likely a consequence of the Qakbot infrastructure takedown,” the threat research team noted.

First spotted in November 2023, the new DanaBot campaign uses a private build of the info-stealing malware rather than the publicly sold malware-as-a-service offering.

The malware collects user credentials and other data and sends them to the threat actor; the operators then move laterally by attempting RDP sign-ins to other hosts, after which access is handed off to Storm-0216.
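The RDP lateral movement described above leaves a recognisable trace in Windows Security logs: one account or source address attempting RemoteInteractive (logon type 10) sign-ins against many distinct hosts in a short window. The following is an added detection example, not code from the article, Microsoft or Arctic Wolf; the event records are constructed for illustration and only borrow the field semantics of Windows events 4624 (successful logon) and 4625 (failed logon).

```python
"""Flag RDP fan-out: one (account, source IP) pair touching many distinct
hosts via logon type 10 (RemoteInteractive / RDP) inside a short window.

Added example, not the article's or any vendor's code.  The sample events
are constructed; field names mirror the Windows Security 4624/4625 schema."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs).  "jdoe" from 10.0.5.23 tries
# RDP against four hosts in four minutes (two failures, two successes), which
# is the pattern of interest.  "admin" uses console logons (type 2) and "bob"
# only ever RDPs to one host, so neither should alert.
SAMPLE_EVENTS = [
    {"time": "2023-11-20T10:00:05", "event_id": 4625, "logon_type": 10, "user": "jdoe",  "src_ip": "10.0.5.23", "host": "FS01"},
    {"time": "2023-11-20T10:00:40", "event_id": 4625, "logon_type": 10, "user": "jdoe",  "src_ip": "10.0.5.23", "host": "DC01"},
    {"time": "2023-11-20T10:02:10", "event_id": 4624, "logon_type": 10, "user": "jdoe",  "src_ip": "10.0.5.23", "host": "WS07"},
    {"time": "2023-11-20T10:03:55", "event_id": 4624, "logon_type": 10, "user": "jdoe",  "src_ip": "10.0.5.23", "host": "APP02"},
    {"time": "2023-11-20T10:01:00", "event_id": 4624, "logon_type": 2,  "user": "admin", "src_ip": "10.0.9.9",  "host": "FS01"},
    {"time": "2023-11-20T10:01:30", "event_id": 4624, "logon_type": 2,  "user": "admin", "src_ip": "10.0.9.9",  "host": "DC01"},
    {"time": "2023-11-20T10:01:45", "event_id": 4624, "logon_type": 2,  "user": "admin", "src_ip": "10.0.9.9",  "host": "WS07"},
    {"time": "2023-11-20T10:05:00", "event_id": 4624, "logon_type": 10, "user": "bob",   "src_ip": "10.0.7.14", "host": "FS01"},
    {"time": "2023-11-20T10:45:00", "event_id": 4624, "logon_type": 10, "user": "bob",   "src_ip": "10.0.7.14", "host": "FS01"},
]

RDP_LOGON_TYPE = 10          # RemoteInteractive
LOGON_EVENTS = (4624, 4625)  # success, failure


def parse_time(ts):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(ts)


def detect_rdp_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per (user, src_ip) that reached >= min_hosts distinct
    hosts over RDP within `window`.  Both failed and successful logons count:
    an attacker probing for reachable hosts produces plenty of 4625s before
    the first 4624.  Each alert is a dict with the hosts hit (sorted) and the
    number of failed attempts seen in the whole run for that source."""
    rdp = sorted(
        (e for e in events
         if e["event_id"] in LOGON_EVENTS and e["logon_type"] == RDP_LOGON_TYPE),
        key=lambda e: parse_time(e["time"]),
    )

    by_source = defaultdict(list)
    for e in rdp:
        by_source[(e["user"], e["src_ip"])].append(e)

    alerts = []
    for (user, src_ip), evs in by_source.items():
        # Sliding window anchored at each event; first window that crosses
        # the threshold raises the alert, later ones are suppressed.
        for i, anchor in enumerate(evs):
            t0 = parse_time(anchor["time"])
            in_window = [x for x in evs[i:] if parse_time(x["time"]) - t0 <= window]
            hosts = {x["host"] for x in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "user": user,
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    "failed": sum(1 for x in evs if x["event_id"] == 4625),
                    "first_seen": anchor["time"],
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_fanout(SAMPLE_EVENTS):
        print(f"RDP fan-out: {a['user']}@{a['src_ip']} -> {', '.join(a['hosts'])} "
              f"({a['failed']} failed attempts, first seen {a['first_seen']})")
```

The window and host threshold are tuning knobs; in a real environment the same logic would run over forwarded 4624/4625 events (or the equivalent EDR telemetry) and would exclude known jump hosts and RDP gateways, which legitimately fan out to many targets.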

The development follows a warning from cybersecurity firm Arctic Wolf that the Cactus ransomware gang is exploiting three vulnerabilities in Qlik Sense business analytics servers to gain initial access to corporate networks.

The three vulnerabilities are:

CVE-2023-41265 - An HTTP tunneling issue due to improper validation of HTTP headers. A remote user can send a specially crafted HTTP request over a tunneled connection and gain elevated privileges on the system.

CVE-2023-41266 - A path traversal vulnerability due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.

CVE-2023-48365 - An HTTP interpretation issue due to improper validation of HTTP requests, caused by an incomplete fix for #VU80193 (CVE-2023-41265). A remote authenticated user can elevate their privileges within the application by tunneling HTTP requests.

