Trojan:Win32/Dapato is a persistent trojan historically associated with massive spam botnets, designed to quietly commandeer endpoint resources to distribute millions of unsolicited pharmaceutical or malicious emails.
What is Dapato?
For the end-user, a Dapato infection might only be noticeable due to degraded network performance. For network administrators, Dapato represents a significant reputational risk. If an endpoint is infected with Dapato, it is actively participating in a global spam botnet, which will quickly result in the organization's public IP addresses being blacklisted by global anti-spam organizations (like Spamhaus).
Infection Vectors & Threat Hunting
Dapato is typically distributed via exploit kits or as a secondary payload dropped by other trojans. Upon execution, it drops a randomized executable into the Windows directory and establishes persistence via the Registry Run keys. Dapato frequently injects its spamming engine into legitimate system processes (like svchost.exe or explorer.exe). It communicates with its C2 server to receive templates for the spam emails and lists of target email addresses. It then utilizes its own built-in SMTP engine to bypass local email clients and fire the spam directly out to the internet.
Forensic Analysis & Impact
Threat hunters will observe a massive, continuous spike in outbound traffic on TCP port 25 (SMTP) originating from unexpected processes. EDR platforms frequently detect Dapato based on 'Suspicious SMTP Activity' or 'Process Injection'. The impact is network congestion, IP blacklisting, and potential legal or compliance issues due to the unauthorized distribution of spam.
Observed techniques used by this family, mapped to the MITRE ATT&CK framework:
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_DAPATO {
meta:
description = "Detects Dapato (trojan_generic)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "dapato" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Dapato Activity
id: bc7627fa5378eae32f04c58c59a88015
status: experimental
description: Detects generic indicators of the dapato malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*dapato*"
condition: selection
level: mediumOrdered checklist for responders. Adapt to your environment and engage professional support for active incidents.
Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/dapato.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.