A new multi-platform DDoS botnet that abuses misconfigured Jenkins servers via the scriptText endpoint to conscript Windows and Linux hosts and launch high‑impact attacks against online game infrastructure worldwide.
Analysis of payloads captured in a Jenkins honeypot shows the malware combining stealthy persistence, multi‑vector DDoS capabilities, and game‑specific attack modules, underscoring the ongoing risk posed by opportunistic botnets to internet‑facing CI/CD and gaming environments.
Darktrace’s CloudyPots honeypot network recently recorded a campaign in which attackers abused an exposed Jenkins instance to deploy a DDoS botnet tailored to video game servers.
New Jenkins‑Based Botnet Targets Online Games
The activity was first observed on March 18, 2026, when a threat actor targeted a deliberately weakly protected Jenkins honeypot rather than attempting to compromise source code or build pipelines.
Jenkins is widely used as a CI server, and misconfigured administrative interfaces with weak credentials continue to be a high‑value foothold for attackers.
By chaining Jenkins abuse with multi‑platform payloads and DDoS functionality, the operators behind this campaign can rapidly convert generic internet‑facing infrastructure into game‑focused botnet nodes, with minimal need for tailored exploitation per victim.
The intrusion flow hinges on the Jenkins scriptText endpoint, which allows authenticated users to submit Groovy scripts that Jenkins executes on the underlying host.
In this campaign, the adversary authenticates with trivial credentials on the honeypot, sends a malicious URL‑encoded Groovy script as form‑data to /scriptText, and achieves direct remote code execution on the CI server.
Once decoded, the script reveals branching logic for both Windows and Linux platforms, ensuring the botnet can enroll diverse Jenkins deployments.
This pattern of abusing Jenkins’ script console or scriptText for arbitrary code execution has previously been seen in cryptomining campaigns, and its reuse here for DDoS monetization highlights how attackers recycle CI/CD abuse techniques across different criminal business models.
Post‑Exploitation: Windows and Linux Branches
On Windows systems, the malicious Groovy script delivers a staged payload and performs basic host preparation.
- Downloads w.exe from 103[.]177.110.202 and saves it as C:\Windows\Temp\update.dat before renaming it to win_sys.exe.
- Uses PowerShell’s Unblock‑File to remove security flags associated with internet‑downloaded binaries, reducing friction from OS defenses.
- Adds a firewall rule to allow inbound and outbound TCP 5444 traffic, reserving this port for command‑and‑control communications.
On Linux, the script uses a concise Bash one‑liner to fetch the bot_x64 binary from the same IP and execute it from /tmp/bot. This lightweight delivery logic minimizes forensic artifacts while rapidly bootstrapping DDoS capability on compromised CI servers.
Both the Windows and Linux payloads are delivered from and later controlled by the same IP address, 103[.]177.110.202, which belongs to the Vietnamese hosting provider Webico Company Limited (Tino brand) in Ho Chi Minh City. OSINT and malware‑sharing platforms link this IP to broader malicious activity, including detected malware samples and abuse reports.
Darktrace’s analysis indicates that 103[.]177.110.202 simultaneously serves as the malware distribution endpoint, initial access infrastructure, and C2 server for enrolled bots.
This consolidation is atypical; many mature botnets separate high‑volume infection traffic from more covert C2 infrastructure to avoid losing control when abuse complaints trigger takedowns. The all‑in‑one design suggests either an early‑stage operation or an operator willing to trade resilience for operational simplicity and rapid deployment.
Stealth, Persistence, and C2 Protocol
The Linux payload, identified by hash F79d05065a2ba7937b8781e69b5859d78d5f65f01fb291ae27d28277a5e37f9b, deploys several techniques to evade detection and survive process management.
- It sets the environment variables BUILD_ID and JENKINS_NODE_COOKIE to “dontKillMe,” preventing Jenkins from terminating long‑running jobs based on default timeouts.
- After execution, the bot deletes its original executable from disk. It renames its process to mimic legitimate kernel threads such as “ksoftirqd/0” or “kworker,” making it harder to spot in process listings.
- The malware daemonizes itself via double fork, detaches from the terminal, and redirects stdin, stdout, and stderr to /dev/null, effectively suppressing visible output and logs.
- It also installs signal handlers that ignore signals like SIGTERM, forcing defenders to resort to stronger measures such as SIGKILL or full host remediation.
Once running, the agent connects back to 103[.]177.110.202 reports the victim’s CPU architecture and enters a command loop.
The C2 protocol includes basic utility commands “PING” (responding with PONG for keep‑alive), “!stop” (exit), and “!update” (fetch a fresh binary and restart), which provide operators with simple lifecycle management and update capabilities across the botnet.
Multi‑Vector and Game‑Aware DDoS Capabilities
The botnet supports multiple DDoS routines spanning UDP, TCP, and application‑layer floods, with all attack commands accepting three parameters: target IP, target port, and attack duration. Many named attack types map to shared underlying functions, suggesting either capability inflation for customers or placeholders for future features.
Key implemented routines include:
- attack_udp / attack_udp_pps – Both rely on a simple loop using sendto() to deliver UDP packets to either fixed or random ports on the victim.
- attack_dayz – This routine reuses the UDP logic but replaces random data with a Valve Source Engine (TSource Engine Query) packet, causing game servers to respond with large status payloads. By repeatedly sending these queries, attackers can amplify the resource impact on Source Engine‑based titles such as Counter‑Strike and Team Fortress 2. The function name references “DayZ,” despite that game not using the Source engine, hinting at either operator confusion or an intention to appeal to gaming‑focused customers.
- attack_tcp_push – Establishes non‑blocking TCP sockets, optionally with TCP_NODELAY, then rapidly connects, sends 1,024 bytes of random data, and disconnects in a tight loop. This behavior drives high connection churn and packet volume, stressing stateful firewalls and application frontends.
- attack_http – Similar socket configuration, but each connection emits 64 HTTP GET requests before closing, creating an application‑layer flood without needing full browser emulation.
- attack_special – A UDP‑based routine that toggles between several protocol‑specific payloads via a mode flag.
These game‑aware vectors align with a broader trend in which DDoS operations increasingly focus on gaming platforms, streamers, and hosting providers as revenue sources, whether via paid “stresser” services, extortion, or competitive sabotage.
Cloudflare’s recent DDoS threat report notes that gaming remains among the most targeted industries globally, reflecting the high business impact of downtime and latency for real‑time services.
Darktrace notes that Jenkins is comparatively less targeted in its honeypot telemetry than more common services, yet even a small number of misconfigured instances is enough to fuel opportunistic botnet growth at internet scale.
For botnet operators, individual CI servers may be “low‑value” assets, but large numbers of such hosts, often with high‑bandwidth uplinks, significantly increase DDoS firepower.
For organizations running Jenkins or similar CI/CD tools, hardened authentication, restricted network exposure, and strict access controls around script consoles are critical to preventing these takeovers.
Gaming companies and server operators, meanwhile, should expect continued targeting by modular DDoS botnets like this one and ensure layered defenses, including upstream filtering, behavioral DDoS detection, and robust rate‑limiting for game and API endpoints.
Key Indicators of Compromise
- IP: 103[.]177[.]110[.]202 – malware delivery and C2 infrastructure associated with this campaign.
- Linux payload hash: F79d05065a2ba7937b8781e69b5859d78d5f65f01fb291ae27d28277a5e37f9b (bot_x64 sample).
FAQ
Q1: What is the core goal of this Jenkins‑based botnet campaign?
A1: The campaign’s primary goal is to conscript misconfigured Jenkins servers into a DDoS botnet focused on disrupting online game infrastructure.
Q2: Why is abusing Jenkins scriptText so effective for attackers?
A2: The scriptText endpoint allows attackers to run arbitrary Groovy code on the host when authentication is weak or misconfigured, providing direct remote code execution with minimal exploit complexity.
Q3: How does the malware evade basic detection on Linux hosts?
A3: It deletes the original binary, masquerades as kernel‑like processes, daemonizes via double fork, redirects IO to /dev/null, and ignores termination signals to reduce visibility and hinder manual cleanup.
Q4: Why are gaming servers such a popular DDoS target today?
A4: Gaming workloads are latency‑sensitive and revenue‑critical, making downtime highly impactful and attractive for extortion, competitive attacks, and paid DDoS‑for‑hire operations.
Site: thecybrdef.com
For more insights and updates, follow us on Google News, Twitter, and LinkedIn.
About the Author
