[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fg14eN99N0Ux9yDnNY2l0ErFzY9QXA2v6lQ6fcZGcgkw":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"4496bc96-a2a5-413f-9fdc-6232ee4eeafa","Hackers Use Jenkins Access to Deploy DDoS Botnet Against Gaming Servers","hackers-use-jenkins-access-to-deploy-ddos-botnet-against-gaming-servers-02b5da","A new campaign shows misconfigured Jenkins servers abused to deploy a DDoS botnet targeting gaming systems, with Valve Corporation infrastructure in focus.","Security researchers at Darktrace detected a campaign on March 18, 2026 exploiting misconfigured Jenkins servers via the scriptText endpoint to deploy a DDoS botnet targeting gaming servers, particularly those running Valve's Source Engine. The attackers used Groovy scripts to achieve Remote Code Execution, dropping malware (w.exe on Windows, bot_x64 on Linux) that communicates via a single IP address (103.177.110.202) in Vietnam. The botnet employs evasion techniques and game-specific DoS attacks like attack_dayz to crash gaming infrastructure.","Attackers abuse misconfigured Jenkins servers to deploy DDoS botnet targeting gaming infrastructure.","Hackers Use Jenkins Access to Deploy DDoS Botnet Against Gaming Servers. A new campaign shows misconfigured Jenkins servers abused to deploy a DDoS botnet targeting gaming systems, with Valve Corporation infrastructure in focus. By Deeba Ahmed, May 1, 2026. Cybersecurity firm Darktrace has been tracking a new campaign detected by its CloudyPots honeypot network on 18 March 2026. The activity involved attempts to access a misconfigured Jenkins server, a common developer tool. 
However, rather than targeting source code, the attackers used the access to build a DDoS botnet aimed at gaming infrastructure. “On March 18, 2026, a threat actor seemingly attempted to target Darktrace’s Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet. Further analysis by Darktrace’s Threat Research team revealed the botnet was intended to specifically target video game servers,” the blog post reads. Attack Details: The attack leveraged the scriptText endpoint, which lets users send commands directly to the server. Abusing this feature allowed the attackers to run a Groovy script (used to give the server instructions), which gave them Remote Code Execution (RCE). Researchers used CyberChef, a tool for unscrambling hidden data, to read this script, and found that it was designed to infect both Windows and Linux computers. On Windows devices, the script fetched an executable file named w.exe from the IP address 103.177.110.202. This file was hidden inside the Temp folder as update.dat and later renamed win_sys.exe. Finally, TCP port 5444 was opened to receive instructions from the hackers. Linux systems were targeted with a Bash one-liner that dropped a binary called bot_x64.exe into the \u002Ftmp directory. [Figure: Script decoded using CyberChef (Source: Darktrace)] Interestingly, all of this traffic points back to a single IP address owned by Webico, a Vietnamese provider under the Tino brand in Ho Chi Minh City. Usually, hackers use different servers for different tasks so they don’t get caught as easily, but these attackers used this one IP for initial access, delivery, and commands. By putting everything on one IP, the attackers traded safety for simplicity. Hiding in Plain Sight: After gaining access to a Linux system, the malware initially keeps a low profile to evade detection. 
It uses an environment variable called dontKillMe so that Jenkins doesn’t shut it down for running too long. Next, the bot deletes its original file and renames itself to something like ksoftirqd\u002F0 or kworker so that it looks like a normal part of the system. If you don’t know where to look, it will remain invisible. The main goal of the botnet is to crash servers running the Valve Source Engine. This engine hosts popular games like Team Fortress 2 and Counter-Strike. One of the methods used to crash it is called attack_dayz, which sends a Source Engine Query to trick the server into replying with so much data that it eventually stops responding. The bot also has an attack_special mode designed to hit specific ports like 27015, 53 (DNS), and 123 (NTP). This campaign shows how dangerous a simple misconfiguration can be: even a boring office server can ruin a gamer’s weekend if it isn’t secured properly. “The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place,” Darktrace’s report concludes. 
","https:\u002F\u002Fhackread.com\u002Fhackers-jenkins-ddos-botnet-gaming-servers\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-jenkins-ddos-botnet-gaming-servers.jpg","2026-05-01T17:21:29+00:00","2026-05-01T18:00:13.521733+00:00",8,[18,21,23,26,28,30],{"name":19,"type":20},"Valve Corporation","vendor",{"name":22,"type":20},"Darktrace",{"name":24,"type":25},"Jenkins","product",{"name":27,"type":25},"Valve Source Engine",{"name":29,"type":25},"CyberChef",{"name":31,"type":32},"Groovy scripting","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44,46],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":45},{"id":33,"icon":35,"name":36,"slug":37},{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52,56,59,62,65],{"type":53,"value":54,"context":55},"ip","103.177.110.202","Command and control server; malware delivery; located in Vietnam (Webico\u002FTino provider)",{"type":37,"value":57,"context":58},"w.exe","Windows payload dropped from 103.177.110.202; renamed to win_sys.exe and hidden as update.dat in Temp folder",{"type":37,"value":60,"context":61},"bot_x64.exe","Linux payload binary dropped to \u002Ftmp directory for DDoS botnet",{"type":37,"value":63,"context":64},"ksoftirqd\u002F0","Process name masquerade used by botnet to evade detection on Linux systems",{"type":37,"value":66,"context":64},"kworker"]