{
	"id": "95727620-da86-4f41-941c-cefe155af240",
	"created_at": "2026-04-06T00:17:26.887548Z",
	"updated_at": "2026-04-10T03:21:16.289493Z",
	"deleted_at": null,
	"sha1_hash": "4d05ea39ba9d32d7da4e0d640ad0074d42337a29",
	"title": "DanaBleed: DanaBot C2 Server Memory Leak Bug | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2152710,
	"plain_text": "DanaBleed: DanaBot C2 Server Memory Leak Bug | ThreatLabz\r\nBy ThreatLabz\r\nPublished: 2025-06-09 · Archived: 2026-04-05 20:48:30 UTC\r\nTechnical Analysis\r\nThe DanaBleed memory leak began with the release of DanaBot version 2380 in June 2022 and continued until early 2025.\r\nAnalysis of the DanaBleed vulnerability\r\nDanaBot is written in the Delphi programming language and uses a custom binary C2 protocol. A general overview of C2 requests prior to the June 2022 version update was the following:\r\n1. Generate command data (e.g. key exchange, system information beacon, configuration file download, additional payload download, new C2 information, etc.)\r\n2. Encrypt data with a session key\r\n3. Encrypt session key\r\n4. Generate a basic header\r\n5. Send header and encrypted data\r\nIn June 2022, the malware developer introduced a new C2 protocol that modified the requests to perform the steps below:\r\n1. Generate command data (e.g. key exchange, system information beacon, configuration file download, additional payload download, new C2 information, etc.)\r\n2. Ostensibly append randomly generated bytes (although they were not random)\r\n3. Encrypt data with a session key\r\n4. Encrypt session key\r\n5. Send encrypted data length and data\r\nResponses from the C2 server to the victim were generated using the same logic and likely the same underlying code as the malware itself. This overlap allowed us to reverse engineer the vulnerability and make inferences about how the C2 server memory leak worked.\r\nThe figure below illustrates the changes to the C2 protocol introduced in the June 2022 update:\r\nhttps://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug\r\nPage 1 of 7\r\nFigure 1: Overview of C2 protocol changes introduced in DanaBot in the June 2022 update.\r\nDanaBot’s command data was stored in a Delphi TMemoryStream. A random number, capped at a maximum value of 1,792, was generated to determine the number of padding bytes to add to the command data buffer. While the size of the buffer was increased, the newly allocated memory within the buffer was not initialized. At first glance, this uninitialized memory appeared to be random, but closer inspection revealed that it contained arbitrary fragments of the C2 server’s process memory. This oversight in memory handling created the DanaBot vulnerability that exposed the group’s sensitive internal data.\r\nData exposed by the memory leak\r\nThe memory leak allowed up to 1,792 bytes per C2 server response to be exposed. The content of the leaked data was arbitrary and depended on the code being executed and the data being manipulated in the C2 server process at a given time. Despite this, our examination of the leaked data allowed us to extract meaningful insight into DanaBot for nearly three years.\r\nSome of the most intriguing leaks revealed HTML snippets associated with the C2 server's web interface. The figure below, with highlights added, provides a sample of these leaked elements.\r\nFigure 2: Example of leaked HTML code from DanaBot’s C2 server.\r\nThese HTML snippets can be compared to the figure below (highlights added) which includes a screenshot from a video advertising DanaBot.\r\nFigure 3: Screenshot from a DanaBot advertisement video with content similar to the data observed in C2 server memory leaks.\r\nThe memory leak exposed sensitive data including:\r\nThreat actor usernames and IP addresses\r\nBackend C2 server IP addresses and domains\r\nInfection and exfiltration statistics\r\nMalware version update information\r\nPrivate cryptographic keys\r\nVictim-related data, such as IP addresses, credentials, and exfiltrated information\r\nThe DanaBot developer maintained a changelog of updates and some of those changes were also leaked, as shown in the figure below (highlights added).\r\nFigure 4: Sample change log discovered in DanaBot C2 server memory leaks.\r\nIn addition to HTML snippets, the memory leak also exposed debug information, including pathnames and logging messages. These are demonstrated in the figure below.\r\nFigure 5: Sample debug information identified in DanaBot C2 server memory leaks.\r\nAnother frequent type of leak involved SQL statements. These leaks offered valuable insights into the C2 server's database structure, including information such as malware MD5 hashes, version updates, and victim IP addresses. The figure below (with highlights added) provides an example of these leaks.\r\nFigure 6: Sample SQL statement leak by DanaBot’s C2 server.\r\nThe memory leaks also exposed private cryptographic key material, as shown in the figure below (highlight added):\r\nFigure 7: Sample private key material leaks.\r\nFinally, as DanaBot primarily functioned as an information stealer, the memory leak also exposed a significant amount of victim credentials and other exfiltrated data.\r\nSource: https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug"
	],
	"report_names": [
		"danableed-danabot-c2-server-memory-leak-bug"
	],
	"threat_actors": [],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4d05ea39ba9d32d7da4e0d640ad0074d42337a29.pdf",
		"text": "https://archive.orkl.eu/4d05ea39ba9d32d7da4e0d640ad0074d42337a29.txt",
		"img": "https://archive.orkl.eu/4d05ea39ba9d32d7da4e0d640ad0074d42337a29.jpg"
	}
}