DanaBleed: DanaBot C2 Server Memory Leak Bug | ThreatLabz
By ThreatLabz
Published: 2025-06-09 · Archived: 2026-04-05 20:48:30 UTC
Source: https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server-memory-leak-bug

Technical Analysis

The DanaBleed memory leak began with the release of DanaBot version 2380 in June 2022 and persisted until early 2025.

Analysis of the DanaBleed vulnerability

DanaBot is written in Delphi and uses a custom binary C2 protocol. Before the June 2022 update, a C2 request was built as follows:

1. Generate command data (e.g. key exchange, system information beacon, configuration file download, additional payload download, new C2 information, etc.)
2. Encrypt the data with a session key
3. Encrypt the session key
4. Generate a basic header
5. Send the header and the encrypted data

In June 2022, the malware developer introduced a new C2 protocol that changed the request flow to:

1. Generate command data (the same command types as before)
2. Append what were intended to be random padding bytes (in practice, they were not random)
3. Encrypt the data with a session key
4. Encrypt the session key
5. Send the encrypted data length followed by the data

Responses from the C2 server to the victim were generated with the same logic, and likely the same underlying code, as the malware itself. That overlap allowed us to reverse engineer the vulnerability from the client binary and infer how the memory leak occurred on the server.

Figure 1 illustrates the changes to the C2 protocol introduced in the June 2022 update.

Figure 1: Overview of C2 protocol changes introduced in DanaBot in the June 2022 update.

DanaBot's command data was stored in a Delphi TMemoryStream. A random number, capped at a maximum value of 1,792, was generated to determine the number of padding bytes to add to the command data buffer. The stream was resized to make room for the padding, but the newly exposed bytes were never initialized, so the "padding" was simply whatever the process memory behind the buffer already held. At first glance this looked like random data; closer inspection showed that it contained arbitrary fragments of the C2 server's process memory. Because the padding is appended in step 2, before the session-key encryption in step 3, the leaked bytes travel inside the encrypted response and are recovered by decrypting the response exactly as the implant does. This oversight in memory handling created the DanaBot vulnerability that exposed the group's sensitive internal data.

Data exposed by the memory leak

The memory leak exposed up to 1,792 bytes per C2 server response. The content was arbitrary and depended on the code being executed and the data being manipulated in the C2 server process at that moment. Even so, our examination of the leaked data yielded meaningful insight into DanaBot for nearly three years.

Some of the most intriguing leaks revealed HTML snippets associated with the C2 server's web interface. Figure 2, with highlights added, provides a sample of these leaked elements.

Figure 2: Example of leaked HTML code from DanaBot's C2 server.

These HTML snippets can be compared with Figure 3 (highlights added), a screenshot from a video advertising DanaBot.

Figure 3: Screenshot from a DanaBot advertisement video with content similar to the data observed in C2 server memory leaks.

The memory leak exposed sensitive data including:

- Threat actor usernames and IP addresses
- Backend C2 server IP addresses and domains
- Infection and exfiltration statistics
- Malware version update information
- Private cryptographic keys
- Victim-related data, such as IP addresses, credentials, and exfiltrated information

The DanaBot developer maintained a changelog of updates, and some of those entries were also leaked, as shown in Figure 4 (highlights added).

Figure 4: Sample change log discovered in DanaBot C2 server memory leaks.

In addition to HTML snippets, the memory leak exposed debug information, including pathnames and logging messages, as shown in Figure 5.

Figure 5: Sample debug information identified in DanaBot C2 server memory leaks.

Another frequent type of leak involved SQL statements. These offered valuable insight into the C2 server's database structure, including information such as malware MD5 hashes, version updates, and victim IP addresses. Figure 6 (highlights added) provides an example.

Figure 6: Sample SQL statement leak by DanaBot's C2 server.

The memory leaks also exposed private cryptographic key material, as shown in Figure 7 (highlight added).

Figure 7: Sample private key material leaks.

Finally, as DanaBot primarily functioned as an information stealer, the memory leak also exposed a significant amount of victim credentials and other exfiltrated data.
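The padding step described in the technical analysis is easier to reason about in code. The following Python simulation is an added example written for this page; it is not DanaBot's code (which is Delphi) and not ThreatLabz tooling. It models the Delphi TMemoryStream with a hypothetical MemoryStream class on top of a toy first-fit heap (ToyHeap) that, like most real allocators, does not wipe freed memory. The panel HTML, the command bytes and the padding length are constructed. build_response() shows the vulnerable behaviour (resize the stream over uninitialized memory) beside the fix the developer should have applied (generate the padding bytes and write them).

```python
"""Simulation of the DanaBleed padding bug (added example for this page; not
DanaBot's code, which is Delphi).

A toy first-fit heap never wipes freed blocks, as real allocators generally do
not.  A minimal stand-in for TMemoryStream grows via set_size() without
clearing the new tail, which is the behaviour described above.  Class and
function names are hypothetical; the "web panel" HTML and the command bytes
are constructed sample data.
"""
import secrets

MAX_PAD = 1792  # upper bound on the padding length reported for DanaBot


class ToyHeap:
    """First-fit allocator over one bytearray. free() keeps the old contents."""

    def __init__(self, size=8192):
        self.mem = bytearray(size)
        self.top = 0
        self.free_list = []  # (offset, length) of released blocks

    def alloc(self, n):
        for i, (off, ln) in enumerate(self.free_list):
            if ln >= n:
                del self.free_list[i]
                return off  # stale bytes from the previous owner remain
        off, self.top = self.top, self.top + n
        return off

    def free(self, off, n):
        self.free_list.append((off, n))  # no zeroing, like most allocators


class MemoryStream:
    """Stand-in for Delphi's TMemoryStream, backed by one ToyHeap block."""

    def __init__(self, heap, capacity):
        self.heap, self.capacity = heap, capacity
        self.off, self.size = heap.alloc(capacity), 0

    def write(self, data):
        start = self.off + self.size
        self.heap.mem[start:start + len(data)] = data
        self.size += len(data)

    def set_size(self, new_size):
        # Like TMemoryStream.SetSize: only the logical size changes. Bytes
        # between the old and new size are whatever the block already holds.
        if new_size > self.capacity:
            raise ValueError("capacity exceeded in this toy model")
        self.size = new_size

    def getvalue(self):
        return bytes(self.heap.mem[self.off:self.off + self.size])


def build_response(command, pad_len, fixed):
    """Return (plaintext, padding) for one C2 response, before encryption.

    fixed=False reproduces the bug: grow the stream and leave the tail as-is.
    fixed=True does what step 2 should have done: append fresh random bytes.
    """
    if not 0 <= pad_len <= MAX_PAD:
        raise ValueError("pad_len outside 0..MAX_PAD")
    heap = ToyHeap()

    # Earlier work in the same process: render a panel page, then release it.
    page = b"<title>Panel</title><td>admin</td><td>203.0.113.7</td>" * 30  # constructed
    blk = heap.alloc(2048)
    heap.mem[blk:blk + len(page)] = page
    heap.free(blk, 2048)

    stream = MemoryStream(heap, 2048)  # first-fit hands back the same block
    stream.write(command)
    if fixed:
        stream.write(secrets.token_bytes(pad_len))
    else:
        stream.set_size(stream.size + pad_len)
    plaintext = stream.getvalue()
    return plaintext, plaintext[len(command):]


if __name__ == "__main__":
    cmd = b"\x01\x00\x00\x00SYSINFO"  # constructed placeholder command data
    _, leaked = build_response(cmd, 300, fixed=False)
    print("vulnerable padding starts:", leaked[:48])
    _, clean = build_response(cmd, 300, fixed=True)
    print("fixed padding contains panel HTML:", b"<title>" in clean)
```

In a real process the stale bytes come from whatever the allocator last used that block for, which is why the leaked fragments were arbitrary: HTML in one response, SQL or key material in the next. Since the padding sits inside the encrypted payload, the only step needed to read it is to decrypt the response the way the implant does.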
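Once a response is decrypted, the padding is just a blob of process memory; sorting it into the categories listed above (HTML, SQL, key material, debug paths and log lines, IP addresses) is a string-carving problem. The Python helper below is an added example, not ThreatLabz's tooling. The regex buckets, the MIN_RUN threshold and the SAMPLE blob are constructed for illustration; real leaked data would need the patterns tuned to what actually shows up.

```python
"""Triage of decrypted DanaBleed-style padding (added example for this page;
not ThreatLabz tooling).

Carves printable runs out of a padding blob and buckets them into the kinds of
data reported above: key material, SQL, HTML, file paths, log lines and IP
addresses.  SAMPLE is constructed; the non-printable bytes between fragments
stand in for binary heap data.
"""
import re
from collections import defaultdict

MIN_RUN = 8  # shorter printable runs are mostly noise

# Printable ASCII (plus tab/CR/LF) runs of at least MIN_RUN bytes.
_RUN_RE = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % MIN_RUN)
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Order matters: the first matching bucket wins, so the most specific go first.
_BUCKETS = [
    ("key_material", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("sql", re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*\b(?:FROM|INTO|SET|WHERE)\b",
                       re.I | re.S)),
    ("html", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("path", re.compile(r"(?:[A-Za-z]:\\|/)[\w.\\/ -]+\.(?:pas|dpr|log|exe|dll|php|sql)\b")),
    ("log", re.compile(r"\[(?:DBG|DEBUG|INFO|WARN|ERROR)\]")),
    ("ip", _IP_RE),
]


def carve(padding):
    """Yield (offset, text) for each printable run in the padding blob."""
    for m in _RUN_RE.finditer(padding):
        yield m.start(), m.group().decode("ascii")


def classify(text):
    """Name the first bucket whose pattern matches, or 'other'."""
    for name, rx in _BUCKETS:
        if rx.search(text):
            return name
    return "other"


def triage(padding):
    """Return {bucket: [(offset, text), ...]} for one decrypted padding blob."""
    found = defaultdict(list)
    for off, text in carve(padding):
        found[classify(text)].append((off, text))
    return dict(found)


def ips(padding):
    """Dotted quads from every run, deduplicated, in order of appearance."""
    seen = []
    for _, text in carve(padding):
        for ip in _IP_RE.findall(text):
            if ip not in seen:
                seen.append(ip)
    return seen


SAMPLE = (  # constructed
    b"\x00\x07\xff\x13"
    b"SELECT md5, version, ip FROM bots WHERE ip = '198.51.100.23'"
    b"\x00\x00\x01\x02\x9c"
    b'<td class="user">operator_one</td>'
    b"\x00\x00\xde\xad"
    b"-----BEGIN RSA PRIVATE KEY-----"
    b"\x00\x00\x00"
    b"C:\\build\\server\\units\\Proto.pas"
    b"\x00\x00ab\x00"  # two printable bytes: below MIN_RUN, dropped
    b"[DBG] worker 3 sent 1792 bytes"
)

if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE).items()):
        for off, text in hits:
            print(f"{bucket:12s} @0x{off:04x} {text!r}")
    print("ips:", ips(SAMPLE))
```

Because one response carries at most 1,792 bytes and the content changes from response to response, the useful signal comes from running this over many decrypted responses and aggregating the buckets, not from any single blob.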