Hackers Exploit Jenkins Access to Launch DDoS Botnet on Gaming Servers

On March 18, 2026, cybersecurity firm Darktrace reported a new attack campaign detected through its CloudyPots honeypot network. The intrusions targeted a misconfigured Jenkins server, a widely used CI/CD automation server. Rather than going after source code, the attackers used their foothold to stand up a distributed denial-of-service (DDoS) botnet aimed at gaming infrastructure.

According to Darktrace’s Threat Research team, the campaign specifically targeted servers hosting popular video games. The intruder’s entry point was the Jenkins scriptText endpoint, the form-post interface of the Script Console: it runs whatever Groovy script is submitted in the request, with the privileges of the Jenkins controller process. Exposing that endpoint to anyone who is not a trusted administrator turns a misconfiguration into remote code execution (RCE) by design rather than by bug; here it gave the attackers full control of the server.
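A first check a defender wants after reading this is whether their own Jenkins has served Script Console requests to strangers. The script below is an added example written for this page, not code from Darktrace’s report or from the Jenkins project. It assumes the controller writes an NCSA "combined" access log, which Jenkins’ bundled Winstone logger produces when started with `--accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=<path>`; the sample log lines embedded in it are constructed for illustration.

```python
"""Hunt a Jenkins access log for Script Console (/script, /scriptText) abuse.

Added example for this page, not Darktrace's or Jenkins' own code.
Assumes NCSA combined-format lines; SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict

# host ident authuser [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Script Console entry points, optionally under a context path (/jenkins/...)
# and including the per-agent console at /computer/<node>/script.
CONSOLE_RE = re.compile(r'^(?:/[^/?]+)*/(script|scriptText)(?:[?/]|$)')


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return {ip: {"executed": n, "blocked": n, "users": set}} for console POSTs.

    A GET to /script only renders the console page; only POSTs run Groovy.
    HTTP 200 means Jenkins executed the script; 401/403 means authentication
    or the CSRF crumb check stopped it.
    """
    hits = defaultdict(lambda: {"executed": 0, "blocked": 0, "users": set()})
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST" or not CONSOLE_RE.match(rec["path"]):
            continue
        bucket = hits[rec["ip"]]
        bucket["executed" if int(rec["status"]) == 200 else "blocked"] += 1
        bucket["users"].add(rec["user"])
    return dict(hits)


def verdicts(hits):
    out = []
    for ip, b in sorted(hits.items()):
        if b["executed"]:
            who = ",".join(sorted(b["users"]))
            out.append(f"{ip}: {b['executed']} Groovy script(s) executed, user column {who}")
        elif b["blocked"]:
            out.append(f"{ip}: {b['blocked']} Script Console attempt(s) rejected")
    return out


# Constructed sample: one unauthenticated scanner that got two scripts run,
# one scanner that was refused, one admin using the console under /jenkins.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:02:11 +0000] "GET /login HTTP/1.1" 200 3810 "-" "curl/8.5.0"
203.0.113.7 - - [18/Mar/2026:10:02:13 +0000] "POST /scriptText HTTP/1.1" 200 57 "-" "curl/8.5.0"
203.0.113.7 - - [18/Mar/2026:10:02:14 +0000] "POST /scriptText HTTP/1.1" 200 12 "-" "curl/8.5.0"
198.51.100.9 - alice [18/Mar/2026:10:05:00 +0000] "POST /jenkins/script HTTP/1.1" 200 9120 "https://ci.example/jenkins/script" "Mozilla/5.0"
192.0.2.44 - - [18/Mar/2026:10:06:30 +0000] "POST /scriptText HTTP/1.1" 403 812 "-" "python-requests/2.31"
198.51.100.9 - alice [18/Mar/2026:10:07:00 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for line in verdicts(hunt(SAMPLE_LOG.splitlines())):
        print(line)
```

Two caveats when running this on a real log: the authuser column is filled in by the servlet container, not by Jenkins’ own authentication layer, so a `-` there means "no identity recorded", not proof of anonymous access; confirm against Jenkins’ audit or job logs. And a rejected POST is still a signal: the two 403 attempts pattern above is exactly what a scanner probing for this misconfiguration leaves behind.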

Darktrace analysed the malicious script with CyberChef, a browser-based tool for decoding and transforming data. The script handled both Windows and Linux hosts. On Windows it downloaded an executable named w.exe from 103.177.110.202, wrote it to the Temp folder as update.dat, renamed it to win_sys.exe, and opened TCP port 5444 to receive attacker commands. On Linux it ran a Bash one-liner that dropped a binary named bot_x64.exe into /tmp.

Notably, all malicious traffic traced back to a single IP address registered to Webico, a Vietnamese provider based in Ho Chi Minh City. Criminal operators usually spread hosting, payload delivery and command and control across separate servers to complicate attribution and takedown; here one IP served every stage. That choice trades operational security for convenience, and it makes the whole operation blockable with a single indicator.

Once running on a Linux host, the malware kept a low profile. It set the value dontKillMe in its environment, the value Jenkins documents for the BUILD_ID or JENKINS_NODE_COOKIE variables, so that Jenkins’ ProcessTreeKiller, which otherwise kills child processes left behind when a script or build finishes, would leave it alone. It then deleted its file from disk and renamed its running process to mimic kernel threads such as ksoftirqd/0 or kworker, so that a glance at ps or top would not give it away.
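The disguise described above is cheap to see through from /proc, because a genuine kernel thread has no executable link, an empty command line and kthreadd (PID 2) as its parent, none of which a renamed user-space binary can fake. The scanner below is an added example written for this page, not Darktrace’s code; it needs root to read other users’ exe links and environments, and the test records at the bottom are constructed, not captured from the campaign.

```python
"""Flag user-space processes masquerading as Linux kernel threads.

Added example for this page, not Darktrace's code. Reads /proc directly;
run as root for full coverage. Proc records in the test are constructed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KTHREAD_NAME = re.compile(
    r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|cpuhp|watchdog|kcompactd)"
)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str                   # /proc/<pid>/comm, the name ps and top display
    exe: Optional[str]          # readlink(/proc/<pid>/exe); None for real kernel threads
    cmdline: str                # empty for real kernel threads
    ppid: int                   # 0 or 2 (kthreadd) for real kernel threads
    environ: Dict[str, str] = field(default_factory=dict)


def findings(p: Proc) -> List[str]:
    """Return the reasons a process looks like a disguised implant (empty if clean)."""
    out = []
    looks_kernel = bool(KTHREAD_NAME.match(p.comm))
    if looks_kernel and (p.exe is not None or p.cmdline):
        out.append("kernel-thread name on a process that has an executable/cmdline")
    if looks_kernel and p.ppid not in (0, 2):
        out.append("kernel-thread name but parent is not kthreadd")
    if p.exe and p.exe.endswith(" (deleted)"):
        out.append("binary deleted from disk while still running")
    if p.exe and p.exe.startswith(TEMP_DIRS):
        out.append("executable lives in a world-writable temp directory")
    if "dontKillMe" in p.environ.values():
        out.append("Jenkins ProcessTreeKiller opt-out (dontKillMe) in environment")
    return out


def read_proc(pid: int) -> Optional[Proc]:
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        with open(f"{base}/status") as f:
            ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:          # ENOENT for kernel threads, EACCES without root
            exe = None
        environ: Dict[str, str] = {}
        try:
            with open(f"{base}/environ", "rb") as f:
                for kv in f.read().split(b"\0"):
                    k, _, v = kv.partition(b"=")
                    if k:
                        environ[k.decode(errors="replace")] = v.decode(errors="replace")
        except OSError:
            pass                 # only root can read other users' environments
    except (OSError, StopIteration, ValueError):
        return None              # process exited mid-read or is unreadable
    return Proc(pid, comm, exe, cmdline, ppid, environ)


def scan() -> Dict[int, List[str]]:
    """Walk /proc and return {pid: findings} for every suspicious process."""
    report = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            p = read_proc(int(name))
            if p and findings(p):
                report[p.pid] = findings(p)
    return report


if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print(pid, "; ".join(reasons))
```

The deleted-binary and temp-directory checks are deliberately independent of the name check: an implant that picks a less obvious name than kworker still shows up as a process whose exe link reads `/tmp/... (deleted)`, which matches the drop-and-delete behaviour described above.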

The botnet’s primary purpose was to knock over servers running the Valve Source Engine, which underpins games such as Team Fortress 2 and Counter-Strike. One of its attack routines, named attack_dayz, floods the target with more requests than it can service until it stops responding. A further attack mode targets specific ports, including 27015 (the default Source Engine game-server port), 53 (DNS) and 123 (NTP).

This campaign shows what a single server misconfiguration costs. One oversight turned a CI server into a launch point for disrupting online gaming services. Darktrace’s report underscores the persistent pressure attackers put on the gaming industry, and the practical lesson for administrators is narrow and concrete: require authentication on the Script Console, grant the Overall/RunScripts permission only to administrators, and keep Jenkins off the public internet.

Mapped to the MITRE ATT&CK framework, the incident covers initial access via an exposed Jenkins endpoint (Exploit Public-Facing Application, T1190), execution through Groovy and shell scripts (Command and Scripting Interpreter, T1059), persistence, defense evasion by renaming the process after kernel threads (Masquerading, T1036), command and control over the attacker’s own IP, and impact in the form of DDoS against game servers (Network Denial of Service, T1498). The findings are a reminder for business owners to stay vigilant and proactive against such evolving threats.
