A server memory leak that allowed security researchers to quietly snoop on the recently disrupted DanaBot Russian malware-as-a-service (MaaS) operation for nearly three years has once again shown how much threat actors can give away when their own operational security slips.
The bug, dubbed “DanaBleed” by researchers at Zscaler who uncovered it, exposed sensitive data straight from DanaBot’s command-and-control (C2) servers and included private keys, victim details, infection statistics, malware updates, and even bits of the attackers’ infrastructure setup.
Unexpected Windfall
Unexpected windfalls like these have been surfacing with surprising regularity in recent months, with cybercrime groups tripping over their own operational missteps. Some of these OpSec failures have been inadvertent, as was the case with DanaBot. In other instances, disgruntled group members have leaked vital operational details, as happened with the TrickBot and Conti ransomware operations and with the Black Basta group. And in a few cases, rival crews have done the favor, as in an incident in May where someone hacked into the LockBit group's infrastructure and leaked operational data.
For security researchers and enterprise defenders, each leak has offered a rare and valuable window into an adversary’s playbook and exposed infrastructure details, malware behavior, victim targeting, and other tactics, techniques, and procedures. It’s the kind of unexpected intelligence that can better inform defenses when properly leveraged.
“For defenders, these leaks are treasure troves,” says Ensar Seker, chief information security officer (CISO) at threat intelligence cybersecurity company SOCRadar. “When analyzed correctly, they offer unprecedented visibility into actor infrastructure, infection patterns, affiliate hierarchies, and even monetization tactics.” The data can help threat intel teams enrich indicators of compromise (IoCs), map infrastructure faster, preempt attacks, and potentially inform law enforcement disruption efforts, he says.
“Organizations should track these OpSec failures through their [cyber threat intelligence] programs,” Seker advises. “When contextualized correctly, they’re not just passive observations; they become active defensive levers, helping defenders move upstream in the kill chain and apply pressure directly on adversarial capabilities.”
DanaBot is a malware-as-a-service (MaaS) operation that’s been active since at least 2018. Groups affiliated with the DanaBot service have used the malware as a banking Trojan and for a variety of other purposes, including credential theft and remote access. Its victims have included organizations in North America, Europe, and other regions. In late May, US federal authorities in collaboration with international law enforcement agencies and private companies shut down the group’s US-based attack servers and C2 infrastructure and indicted 16 members of the group in a major disruption of its operations.
The DanaBleed Bug
According to Zscaler, DanaBot’s operators accidentally introduced the DanaBleed bug in 2022, when they rolled out a new version of the malware. The update, Zscaler said, introduced changes to DanaBot’s C2 protocol, one of which caused the server to inadvertently leak valuable snippets of process memory. Over a three-year period, the bug allowed Zscaler to collect threat actor usernames, threat actor IP addresses, C2 server details and domains, infection and data theft stats, malware updates, private encryption keys, and victim data.
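The article does not describe the exact protocol change behind DanaBleed, only that a fixed-format C2 response began carrying leftover process memory. The following C program is an added illustration of that general bug class (a fixed-size reply frame whose unused bytes are never initialised, so stale heap contents ride along), written for this page and not taken from DanaBot, Zscaler, or any real C2 implementation. The `arena` buffer, the placeholder "secret" string and the PING payload are all constructed for the example; `count_leaked_bytes` shows the kind of check an observer on the wire can run to notice that a server is leaking.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RESP_MAX 64

/* Stand-in for a region of server heap memory. Constructed for this
 * example: a real allocator reuses freed chunks far less predictably,
 * but the failure mode is the same. */
static unsigned char arena[RESP_MAX];

/* Simulate earlier use of the same memory for something sensitive that
 * was then released without being wiped. The string is a placeholder,
 * not real key material. */
void simulate_prior_secret_use(void)
{
    const char *secret = "PRIVATE-KEY-MATERIAL-0123456789";
    memset(arena, 0, sizeof arena);
    memcpy(arena, secret, strlen(secret));
}

/* Vulnerable pattern: the protocol always answers with a fixed-size
 * frame, but the handler only writes the bytes it actually has. The
 * rest of the frame is whatever the memory held before. */
size_t build_response_vulnerable(const unsigned char *payload, size_t len,
                                 unsigned char *out)
{
    if (len > RESP_MAX)
        len = RESP_MAX;
    memcpy(arena, payload, len);   /* bytes [0, len) are written ...   */
    memcpy(out, arena, RESP_MAX);  /* ... bytes [len, RESP_MAX) leak   */
    return RESP_MAX;
}

/* Hardened pattern: zero the frame before filling it, so the unused
 * bytes are deterministic and carry nothing from earlier allocations. */
size_t build_response_fixed(const unsigned char *payload, size_t len,
                            unsigned char *out)
{
    if (len > RESP_MAX)
        len = RESP_MAX;
    memset(arena, 0, RESP_MAX);
    memcpy(arena, payload, len);
    memcpy(out, arena, RESP_MAX);
    return RESP_MAX;
}

/* Observer-side check: compare the frame with the bytes the protocol
 * accounts for and count what is left over. Non-zero trailing bytes in
 * a fixed-size reply are the signal that memory is leaking. */
size_t count_leaked_bytes(const unsigned char *resp, size_t resp_len,
                          size_t payload_len)
{
    size_t n = 0;
    for (size_t i = payload_len; i < resp_len; i++)
        if (resp[i] != 0)
            n++;
    return n;
}

int main(void)
{
    unsigned char resp[RESP_MAX];
    const unsigned char payload[] = "PING";  /* 4 payload bytes, no terminator */
    size_t len = 4;

    simulate_prior_secret_use();
    build_response_vulnerable(payload, len, resp);
    printf("vulnerable: %zu stale bytes after payload: %.*s\n",
           count_leaked_bytes(resp, RESP_MAX, len),
           (int)count_leaked_bytes(resp, RESP_MAX, len), resp + len);

    simulate_prior_secret_use();
    build_response_fixed(payload, len, resp);
    printf("fixed:      %zu stale bytes after payload\n",
           count_leaked_bytes(resp, RESP_MAX, len));
    return 0;
}
```

Run repeatedly against a live service, the vulnerable variant hands out a different slice of memory each time the underlying allocation changes, which is how a few bytes per response add up to keys, credentials and victim records over months. Note that zeroing the buffer is the fix for the disclosure; a protocol that also sends only the bytes it means to send removes the channel entirely.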
The leaks revealed a striking irony, says Brett Stone-Gross, senior director of threat intelligence at Zscaler. “Criminal organizations operate much like legitimate businesses and are susceptible to the same cyberattacks they perpetrate.”
Jason Baker, managing security consultant, threat intelligence at GuidePoint Security, says the mileage that defenders can get from leaked threat actor data varies depending on the source. Internal leaks that stem from disaffected members with insider access can be more damaging for the bad guys because they can include material such as chats that identifies individuals. “This is important, because it is well-protected information which provides a unique vantage point into the behavior and foibles of cyber threat actors,” Baker says.
Internal leaks offer deep insight into adversary infrastructure and TTPs, he says. Leaked chats invariably feature some discussion of technical issues around adversary tooling, such as unresponsive C2 servers or preferred tools, he says. Internal leaks can also yield other identifying information, such as cryptocurrency wallet addresses, IP addresses, and usernames.
Same Sloppiness
External leaks like the DanaBot leak are often, ironically, rooted in the same weaknesses that threat actors abuse to break into victim networks: misconfigurations, unpatched systems, and improper segmentation that can be exploited to gain unauthorized access. Open directories, exposed credentials, unsecured management panels, unencrypted APIs, and accidental data exposure via hosting providers are further opportunities for external discovery and exploration, Baker says. “External discoveries primarily present opportunities for further infrastructure discovery, which can be used to identify repeated behavior or configurations, and to develop detection logic that defenders can use to harden their networks from attack,” Baker says.
The DanaBot leak, for instance, yielded a rich set of IoCs for threat hunting and blue team operations, says Casey Ellis, founder of Bugcrowd. “A vetted, known equivalent example are ransomware decryptors, which ultimately exploit flaws in attacker-written code to enable decryption without paying the ransom,” he says.
Recent leaks like the DanaBot incident highlight a growing trend of operational sloppiness among cybercrime groups, Seker adds. Whether due to rushed deployments, internal disputes, or sheer scale of operations, even seasoned MaaS actors increasingly exhibit basic OpSec failures, exposing back-end infrastructure, developer aliases, cryptographic keys, and telemetry that should never be accessible, he notes.
“These leaks often reveal a lack of maturity in their development pipelines, reusing components across variants, poor compartmentalization between C2 logic and customer data, or vulnerable web panels,” Seker says. “The more commercialized and scalable these crimeware platforms become, the harder it is for operators to maintain tight OpSec across all levels.”