Prior to the recent takedown effort targeting the DanaBot botnet, cybersecurity researchers exploited a vulnerability in the threat’s command and control (C&C) servers to obtain valuable information.
The DanaBot malware-as-a-service platform has been around since 2018. Its operators have sold access to other cybercriminals, who have used it for information theft and, in some cases, DDoS attacks.
The DanaBot botnet, which ensnared over 300,000 devices and caused more than $50 million in damages, was targeted in an international law enforcement operation in May. Hundreds of servers and domains were seized and over a dozen individuals were charged.
Following the law enforcement operation, it came to light that DanaBot C&C servers were affected by a vulnerability that exposed the contents of server memory. The flaw, which existed between June 2022 and early 2025, has been dubbed DanaBleed by security firm Zscaler because of its similarity to the notorious Heartbleed vulnerability.
DanaBleed stems from the custom binary C&C protocol used by DanaBot. A change introduced in June 2022 caused the C&C server to include snippets of its own process memory in the responses it sent to infected devices.
“The memory leak allowed up to 1,792 bytes per C&C server response to be exposed. The content of the leaked data was arbitrary and depended on the code being executed and the data being manipulated in the C&C server process at a given time,” Zscaler explained.
Despite these limitations, the security firm’s researchers managed to obtain what they described as “meaningful insights into DanaBot” from the memory leaks collected over a period of nearly three years.
From this data, the researchers learned about DanaBot's infrastructure and operational processes, as well as the threat actors behind the botnet.
The leaked data included threat actor usernames and IP addresses, backend C&C server IPs and domains, malware infection and exfiltration statistics, malware version updates, and private cryptographic keys. The leaks also contained victim data, such as IP addresses, credentials, and exfiltrated information.
“The leaked information revealed everything from backend server data, debugging logs, SQL statements, and cryptographic key material to sensitive victim data and elements of the C2 server’s web interface,” Zscaler said.
DanaBot was severely disrupted by the recent law enforcement action, but Zscaler believes it’s too soon to determine the long-term impact on the botnet.