A newly identified botnet is leveraging vulnerable Jenkins servers to execute large-scale DDoS attacks on Valve Source Engine game servers. This threat was highlighted by security experts at Darktrace following its detection through their honeypot system, showcasing the botnet’s unique targeting capabilities and multi-platform infection strategy.
Exploiting Jenkins for Cyber Attacks
Jenkins, a popular tool for continuous integration in software development, has been found vulnerable due to poor configuration practices. Insecure instances can expose remote code execution endpoints, which attackers exploit to deploy malicious software. In this particular campaign, cybercriminals breached a Jenkins server with weak authentication to install harmful code, a tactic that remains effective due to widespread inadequate security measures.
The threat was initially detected on March 18, 2026, when Darktrace’s CloudyPots honeypot recorded a hit from attackers targeting Jenkins. Subsequent investigations confirmed that the botnet was specifically designed to disrupt Valve Source Engine servers, including popular titles like Counter-Strike and Team Fortress 2. This aligns with Cloudflare’s observation of the gaming sector as a top target for cyber threats globally.
Cross-Platform Malware Propagation
Once a Jenkins server is compromised, the malware deploys payloads tailored for both Windows and Linux environments. On Windows systems, it retrieves a file disguised as a system update, while on Linux, a Bash command downloads the payload to the /tmp directory for execution. The Vietnamese IP used for these operations is atypical, as most malware separates delivery and control infrastructure for enhanced durability.
The botnet supports various DDoS techniques, such as UDP floods and HTTP request floods, with a special focus on the “attack_dayz” method, which exploits Source Engine Query packets to overload game servers. By inducing high server response loads, these attacks can deplete server resources with minimal bandwidth utilization.
Ensuring Malware Persistence
Upon infiltration, the malware employs strategies to conceal its presence and maintain persistence. It manipulates Jenkins environment settings to evade automatic process termination, renames itself to mimic legitimate Linux processes, and uses a double fork to silently run in the background. Additionally, it redirects logs to /dev/null and ignores termination signals, complicating removal efforts.
After activation, the malware connects to its command-and-control server, relaying system architecture details and standing by for attack commands. These include “PING” for status checks, “!stop” to cease operations, and “!update” for version upgrades.
Protective Measures for Game Server Operators
Operators of Valve Source Engine game servers should take immediate action to mitigate risks. This includes securing Jenkins endpoints, enforcing robust authentication, and monitoring network traffic for anomalies. Blocking TCP port 5444 at firewalls is advisable since it is used for command-and-control communications. Additionally, organizations should blacklist the attacker IP 103[.]177.110.202 and review all indicators of compromise promptly.
Stay connected with us through Google News, LinkedIn, and X for real-time updates. Set CSN as a preferred source on Google for more cybersecurity insights.
