A critical vulnerability in the DanaBot command-and-control (C2) server exposed highly sensitive information, including threat actor credentials, backend server details, and cryptographic keys.
The flaw, present from June 2022 until early 2025, was a memory-management bug in DanaBot’s custom binary C2 protocol: the server appended uninitialized process memory to its responses, an uninitialized-buffer disclosure that drew comparisons to the Heartbleed vulnerability of 2014.
Critical Bug in C2 Protocol
DanaBot, active since 2018 and widely recognized as a Malware-as-a-Service (MaaS) platform, operates on an affiliate model.
The platform’s developer focuses on tool development and infrastructure, while affiliates conduct attacks ranging from credential theft and banking fraud to espionage and DDoS campaigns.
Notably, DanaBot was linked to a supply chain compromise of NPM packages and cyber operations against the Ukrainian Ministry of Defense during the 2022 Russian invasion.
In May 2025, law enforcement action under Operation Endgame dismantled DanaBot’s infrastructure, indicting 16 affiliated individuals.

The newly revealed flaw, dubbed “DanaBleed,” originated with the release of DanaBot version 2380.
Researchers from Zscaler ThreatLabz first identified the vulnerability, which allowed C2 server responses to inadvertently leak up to 1,792 bytes of process memory per communication.
The issue stemmed from the Delphi-based C2 server’s failure to initialize the padding bytes in the memory buffers it used to construct responses.
Instead of random data, the padding contained whatever the server process had previously stored at that memory location, so fragments of potentially sensitive information were appended to the malware’s communications and exposed every time a victim interacted with the server.
Memory Leak Exposes Threat Actor
Technical analysis shows that the vulnerability emerged as part of a protocol update intended to obfuscate the structure of C2 communications.
The revised protocol workflow introduced a mechanism to append “random” bytes to the server’s responses.
However, because the response buffer was enlarged to make room for the padding but the new bytes were never written, arbitrary data from the C2 server’s active process memory became part of the encrypted payload returned to victims.
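To make the failure mode concrete, the following C program (an added illustration, not DanaBot’s Delphi code and not ThreatLabz’s tooling) models the bug described above. The frame layout (a u32 command length, a u32 padding length, the command, then padding) and the stale heap contents are constructed assumptions for the example; only the 1,792-byte padding ceiling comes from the page. The vulnerable builder grows the frame by the padding length without writing those bytes, so the recycled buffer’s previous contents ride along; the hardened builder writes every padding byte before the frame leaves the function. A small checker plays the researcher’s role and searches the padding region of a frame for a known marker.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAD   1792  /* per-response leak ceiling reported for DanaBleed */
#define HDR_LEN   8     /* assumed framing: u32 cmd_len, u32 pad_len (little-endian) */
#define ARENA_LEN 4096

/* One reusable heap block on the C2 server (constructed stand-in for the real allocator). */
static unsigned char arena[ARENA_LEN];

/* Simulate an earlier request leaving an SQL statement and a debug line behind in the block
 * (constructed sample data; the strings are not from DanaBot). */
void seed_stale_heap(void) {
    const char *stale = "SELECT id,login FROM bots WHERE status=1; [debug] user=operator_alias; ";
    size_t n = strlen(stale);
    memset(arena, 0xAA, sizeof arena);
    for (size_t off = 0; off + n <= sizeof arena; off += n)
        memcpy(arena + off, stale, n);
}

static void put_u32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t get_u32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable builder: the frame length grows by pad_len, but the padding is never written. */
size_t build_response_vuln(unsigned char *buf, const unsigned char *cmd, size_t cmd_len, size_t pad_len) {
    if (pad_len > MAX_PAD) pad_len = MAX_PAD;
    put_u32(buf, (uint32_t)cmd_len);
    put_u32(buf + 4, (uint32_t)pad_len);
    memcpy(buf + HDR_LEN, cmd, cmd_len);
    /* BUG: buf[HDR_LEN + cmd_len .. + pad_len) still holds whatever the block contained before. */
    return HDR_LEN + cmd_len + pad_len;
}

/* Demo PRNG so the example is deterministic; real padding must come from a CSPRNG. */
static uint64_t rng_state = 0x9E3779B97F4A7C15ULL;
static unsigned char rng_byte(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 7; rng_state ^= rng_state << 17;
    return (unsigned char)rng_state;
}

/* Hardened builder: same framing, but every padding byte is written before the frame is returned. */
size_t build_response_fixed(unsigned char *buf, const unsigned char *cmd, size_t cmd_len, size_t pad_len) {
    if (pad_len > MAX_PAD) pad_len = MAX_PAD;
    put_u32(buf, (uint32_t)cmd_len);
    put_u32(buf + 4, (uint32_t)pad_len);
    memcpy(buf + HDR_LEN, cmd, cmd_len);
    for (size_t i = 0; i < pad_len; i++)
        buf[HDR_LEN + cmd_len + i] = rng_byte();
    return HDR_LEN + cmd_len + pad_len;
}

/* Researcher side: parse the frame, isolate the padding, and look for a known marker in it.
 * Returns 1 if found, 0 if not, -1 if the header claims more bytes than the frame holds. */
int padding_contains(const unsigned char *frame, size_t frame_len, const char *needle) {
    if (frame_len < HDR_LEN) return -1;
    uint32_t cmd_len = get_u32(frame), pad_len = get_u32(frame + 4);
    if ((size_t)HDR_LEN + cmd_len + pad_len > frame_len) return -1;
    const unsigned char *pad = frame + HDR_LEN + cmd_len;
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= pad_len; i++)
        if (memcmp(pad + i, needle, n) == 0) return 1;
    return 0;
}

static const unsigned char demo_cmd[] = "CMD:ping";   /* constructed 8-byte command */

size_t demo_frame_len(void)  { seed_stale_heap(); return build_response_vuln(arena, demo_cmd, 8, MAX_PAD); }
int demo_vuln_leaks(void)    { size_t n = demo_frame_len(); return padding_contains(arena, n, "SELECT"); }
int demo_fixed_leaks(void)   { seed_stale_heap(); size_t n = build_response_fixed(arena, demo_cmd, 8, MAX_PAD);
                               return padding_contains(arena, n, "SELECT"); }
int demo_truncated_frame(void) { size_t n = demo_frame_len(); return padding_contains(arena, n - 1, "SELECT"); }

int main(void) {
    printf("frame length with max padding: %zu bytes\n", demo_frame_len());
    printf("vulnerable frame leaks SQL from stale heap: %d\n", demo_vuln_leaks());
    printf("hardened frame leaks SQL: %d\n", demo_fixed_leaks());
    return 0;
}
```

The check in `padding_contains` refuses frames whose header advertises more bytes than were received; a collector that trusts the length fields would over-read its own receive buffer and reproduce a Heartbleed-style bug on the analysis side.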

Over nearly three years, this flaw provided researchers with unprecedented insight into DanaBot’s operations.
Among the exposed data were threat actor usernames, external and backend server IP addresses and domains, SQL statements, debugging logs, HTML snippets from the C2 web interface, changelogs documenting malware updates, and, crucially, private cryptographic keys and exfiltrated victim data.
Leaked SQL statements and debug paths further illuminated the C2 infrastructure and its internal database schema, while HTML and video advertisement elements confirmed that the leaked memory genuinely came from the DanaBot C2 server.
Perhaps most alarmingly, the leak repeatedly exposed private key material, severely compromising the confidentiality of communications between DanaBot operators and infected machines.
Exfiltrated victim credentials and other stolen data also appeared in the leak, so the flaw exposed not only the operators but also their victims’ data to anyone able to talk to the server.
While Operation Endgame has currently disrupted DanaBot’s infrastructure, it remains to be seen whether affiliates or the core developers will attempt to reconstitute operations using the lessons learned from this breach.
The discovery and exploitation of the DanaBleed vulnerability provide a blueprint for proactive threat intelligence, demonstrating the value of continuous protocol and infrastructure analysis against evolving malware ecosystems.
Security teams are urged to monitor for the IOCs below and to remain vigilant for any reemergence of DanaBot or similar affiliate-based cybercrime platforms with comparable architectural flaws.
Indicators of Compromise (IOCs)
| Type | Value | Notes |
|---|---|---|
| SHA256 | 3ce09a0cc03dcf3016c21979b10bc3bfc61a7ba3f582e2838a78f0ccd3556555 | DanaBot v2380 main component |
| SHA256 | ae5eaeb93764bf4ac7abafeb7082a14682c10a15d825d3b76128f63e0aa6ceb9 | DanaBot v4006 main component |