DanaBleed: DanaBot C2 Server Memory Leak Bug

A few years ago while at Zscaler I wrote a blog post about a memory leak bug in Danabot's C2 server. It was a really interesting way to get a behind scenes look at a large malware-as-a-service offering and its users.

We left the post unpublished and on standby for when and if the bug was ever fixed. In early 2025 the developer fixed the bug. A few months later Danabot's Maas was taken down by law enforcement.

Given those two events, the ThreatLabz team decided to dust off and update the old blog post: DanaBleed: DanaBot C2 Server Memory Leak Bug.

DanaBot Down

Even though I wasn't there for the final years, they say it's really about the friends you made Delphi malware you reversed along the way:

16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

 I made a few friends too:

• Danabot: Analyzing a fallen empire
• A Brief History of DanaBot, Longtime Ecrime Juggernaut Disrupted by Operation Endgame
• Operation Endgame 2.0: DanaBusted

Technical Analysis of DanaBot Obfuscation Techniques

https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques

Peeking into PrivateLoader

https://www.zscaler.com/blogs/security-research/peeking-privateloader

DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense

https://www.zscaler.com/blogs/security-research/danabot-launches-ddos-attack-against-ukrainian-ministry-defense

Return of Emotet: Malware Analysis

https://www.zscaler.com/blogs/security-research/return-emotet-malware-analysis

Spike in DanaBot Malware Activity

https://www.zscaler.com/blogs/security-research/spike-danabot-malware-activity