DanaBot C2 Server Memory Leak Bug

June 10, 2025, 9:10 a.m.

Description

DanaBleed is a critical memory-disclosure vulnerability in DanaBot's command-and-control (C2) server. It was introduced in version 2380, which shipped an updated C2 protocol, and was present from June 2022 until early 2025. The updated protocol code built responses from memory it had not initialised, so stale contents of the server process were disclosed over the C2 channel, including threat actor details, C2 server data and victim credentials. Researchers used the leaked data to map DanaBot's operations, infrastructure and affiliates. In May 2025 law enforcement dismantled DanaBot's infrastructure and indicted 16 individuals as part of Operation Endgame. The blog covers the technical analysis of the vulnerability, its impact, and the kinds of data exposed through the leak.
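The following is an added illustration of the bug class described above, written for this page; it is not code from the original blog and not DanaBot's own C2 code, whose actual framing and allocator behaviour are not described here. The 64-byte frame size, the single reusable block standing in for a heap allocation, the "OK" reply and the credential string are all constructed for the demonstration. It shows a response builder that fills a fixed-size frame without initialising the padding, beside the hardened form that zeroes the frame first.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size response frame; the real protocol's layout is not on this page. */
#define BLOCK_SIZE 64

/* Simulated allocation that the "server" reuses between requests. A real heap
   behaves the same way in spirit (freed memory keeps its old contents until
   overwritten) but which stale bytes come back is not deterministic there. */
static unsigned char g_block[BLOCK_SIZE];

/* Constructed stand-in for sensitive data left behind by earlier server work,
   e.g. victim credentials processed by a previous request. */
static const char SECRET[] = "user:victim@example.org pass=hunter2";
#define SECRET_LEN (sizeof SECRET - 1)

static void previous_request_left_secret(void)
{
    memset(g_block, 0x41, BLOCK_SIZE);          /* arbitrary old bytes */
    memcpy(g_block + 20, SECRET, SECRET_LEN);   /* secret sits inside the block */
}

/* Vulnerable pattern: the payload is copied in, but the rest of the fixed-size
   frame is never initialised, so stale bytes are sent along with the reply. */
static size_t build_response_vulnerable(const unsigned char *payload, size_t len,
                                        unsigned char *frame)
{
    if (len > BLOCK_SIZE) len = BLOCK_SIZE;
    memcpy(frame, payload, len);
    return BLOCK_SIZE;                          /* whole frame goes on the wire */
}

/* Hardened form: clear the frame before filling it. calloc() on a fresh
   allocation, or sending exactly len bytes, would close the same hole. */
static size_t build_response_hardened(const unsigned char *payload, size_t len,
                                      unsigned char *frame)
{
    if (len > BLOCK_SIZE) len = BLOCK_SIZE;
    memset(frame, 0, BLOCK_SIZE);
    memcpy(frame, payload, len);
    return BLOCK_SIZE;
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains_secret(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i + SECRET_LEN <= n; i++)
        if (memcmp(buf + i, SECRET, SECRET_LEN) == 0)
            return 1;
    return 0;
}

/* Builds one reply into the reused block and reports whether the credential
   string left by the previous request is recoverable from the resulting frame.
   hardened == 0 selects the vulnerable builder, anything else the fixed one. */
int response_leaks_secret(int hardened)
{
    static const unsigned char payload[] = "OK";    /* short constructed reply */
    previous_request_left_secret();

    size_t n = hardened
        ? build_response_hardened(payload, sizeof payload - 1, g_block)
        : build_response_vulnerable(payload, sizeof payload - 1, g_block);

    return contains_secret(g_block, n);
}

int main(void)
{
    printf("vulnerable builder leaks secret: %d\n", response_leaks_secret(0));
    printf("hardened builder leaks secret:   %d\n", response_leaks_secret(1));
    return 0;
}
```

With a real allocator the stale bytes after the payload come from whatever the process freed most recently, which is why a leak of this kind returns a mix of unrelated data (configuration, other sessions' traffic, credentials) rather than one predictable secret; the fix is the same in both cases, initialise or size the buffer before it leaves the process.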

Date

  • Created: June 10, 2025, 5:10 a.m.
  • Published: June 10, 2025, 5:10 a.m.
  • Modified: June 10, 2025, 9:10 a.m.

Indicators

  • ae5eaeb93764bf4ac7abafeb7082a14682c10a15d825d3b76128f63e0aa6ceb9
  • 3ce09a0cc03dcf3016c21979b10bc3bfc61a7ba3f582e2838a78f0ccd3556555

Attack Patterns

Additional Information

  • Defense
  • Finance
  • Government
  • Ukraine