Cybersecurity firm Zscaler revealed some interesting details about the takedown of the DanaBot malware operation, which was made possible thanks to a flaw introduced in DanaBot version 2380, released in June 2022.
The vulnerability, dubbed ‘DanaBleed’ by Zscaler’s ThreatLabz researchers, stemmed from a memory leak in the malware's updated command-and-control (C2) protocol. Due to improper initialization of memory used to generate server responses, the C2 servers inadvertently leaked sensitive fragments of data.
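As an added illustration (not code from Zscaler's analysis or from DanaBot itself), the C snippet below shows the general bug class behind such a leak: a response builder that reuses a buffer without clearing it and sends the whole fixed-size buffer, beside a hardened version that zeroes the buffer and sends only what it wrote. The buffer size, the "OK" payload and the stale credential string are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

#define RESP_SIZE 64

/* Constructed stale content: pretend an earlier response (or other
 * internal state) used this buffer and left an operator credential behind. */
static const char STALE_SECRET[] = "user=operator1 token=SECRET-ADMIN-KEY";

static void simulate_previous_use(unsigned char *buf) {
    memset(buf, 'X', RESP_SIZE);
    memcpy(buf, STALE_SECRET, sizeof(STALE_SECRET) - 1);
}

/* Vulnerable pattern: write the payload into a reused buffer without
 * clearing it, then report the whole fixed-size buffer as the response. */
size_t build_response_vuln(const char *payload, unsigned char *buf) {
    size_t n = strlen(payload);
    if (n > RESP_SIZE) n = RESP_SIZE;
    memcpy(buf, payload, n);
    return RESP_SIZE;              /* bytes [n, RESP_SIZE) are stale data */
}

/* Hardened pattern: zero the buffer first and report only bytes written. */
size_t build_response_fixed(const char *payload, unsigned char *buf) {
    size_t n = strlen(payload);
    if (n > RESP_SIZE) n = RESP_SIZE;
    memset(buf, 0, RESP_SIZE);
    memcpy(buf, payload, n);
    return n;
}

/* Returns 1 if `fragment` appears anywhere in the first `len` response bytes. */
int response_contains(const unsigned char *buf, size_t len, const char *fragment) {
    size_t flen = strlen(fragment);
    for (size_t i = 0; flen <= len && i + flen <= len; i++)
        if (memcmp(buf + i, fragment, flen) == 0) return 1;
    return 0;
}

/* Builds a short "OK" response with either path and reports whether the
 * stale credential fragment would go out on the wire. */
int response_leaks_secret(int use_fixed) {
    unsigned char buf[RESP_SIZE];
    simulate_previous_use(buf);
    size_t len = use_fixed ? build_response_fixed("OK", buf)
                           : build_response_vuln("OK", buf);
    return response_contains(buf, len, "SECRET-ADMIN-KEY");
}

int main(void) {
    printf("vulnerable path leaks secret: %d\n", response_leaks_secret(0));
    printf("fixed path leaks secret:      %d\n", response_leaks_secret(1));
    return 0;
}
```

The same check, run against captured server responses, is how a defender confirms that a response contains bytes the protocol never intended to send.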
DanaBot was a malware-as-a-service (MaaS) platform active from 2018 to 2025, widely used by cybercriminals for banking fraud, credential theft, remote access, and DDoS attacks. The operation was taken offline as part of an international law enforcement action dubbed ‘Operation Endgame’, which resulted in the indictment of 16 individuals connected to the threat group.
According to Zscaler, the DanaBleed flaw, which has been compared to the infamous Heartbleed vulnerability (CVE-2014-0160) in OpenSSL, gave the researchers insight into the malware’s internal workings, its operators and infrastructure, and their victims.
Over three years, researchers gathered data from the flawed C2 responses, including threat actor usernames and IP addresses, backend infrastructure details, malware changelogs, cryptographic keys, and HTML snippets from DanaBot's control dashboard.
The intelligence was eventually handed over to law enforcement authorities, resulting in coordinated actions that seized 650 malicious domains, shut down key infrastructure, and confiscated nearly $4 million in cryptocurrency.