A vulnerability in the DanaBot malware operation introduced in June 2022 update led to the identification, indictment, and dismantling of their operations in a recent law enforcement action.
DanaBot is a malware-as-a-service (MaaS) platform active from 2018 through 2025, used for banking fraud, credential theft, remote access, and distributed denial of service (DDoS) attacks.
Zscaler’s ThreatLabz researchers who discovered the vulnerability, dubbed ‘DanaBleed,’ explain that a memory leak allowed them to gain a deep peak into the malware’s internal operations and the people behind it.
Leveraging the flaw to collect valuable intelligence on the cybercriminals enabled an international law enforcement action named ‘Operation Endgame’ to take DanaBot infrastructure offline and indict 16 members of the threat group.
DanaBleed
The DanaBleed flaw was introduced in June 2022 with DataBot version 2380, which added a new command and control (C2) protocol.
A weakness in the new protocol’s logic was in the mechanism that generated the C2 server’s responses to clients, which was supposed to include randomly generated padding bytes but didn’t initialize newly allocated memory for these.
Zscaler researchers collected and analyzed a large number of C2 responses that, due to the memory leak bug, contained leftover data fragments from the server’s memory.
This exposure is analogous to the HeartBleed problem discovered in 2014, impacting the ubiquitous OpenSSL software.
As a result of DanaBleed, a broad array of private data was exposed to the researchers over time, including:
- Threat actor details (usernames, IP addresses)
- Backend infrastructure (C2 server IPs/domains)
- Victim data (IP addresses, credentials, exfiltrated info)
- Malware changelogs
- Private cryptographic keys
- SQL queries and debug logs
- HTML and web interface snippets from the C2 dashboard
For over three years, DanaBot operated in a compromised mode without its developers or clients ever realizing they were being exposed to security researchers.
This allowed targeted law enforcement action when enough data had been collected.
Although DanaBot’s core team in Russia was merely indicted and not arrested, the seizure of critical C2 servers, 650 domains, and nearly $4,000,000 in cryptocurrency has effectively neutralized the threat for now.
It is not unlikely that the threat actors attempt to return to cybercrime operations in the future, but reduced trust from the hackers’ community will be a significant obstacle for them.
Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore.
In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work — no complex scripts required.
