A newly identified botnet malware family, dubbed “Udados,” has emerged as a significant threat to the Technology and Telecommunications sectors, orchestrating high-volume HTTP flood Distributed Denial-of-Service (DDoS) attacks.
According to ANY.RUN sandbox analysis, the botnet leverages infected hosts to execute sustained denial-of-service campaigns designed to disrupt business continuity by overwhelming target servers with legitimate-looking traffic.
The Udados malware operates by establishing communication with a Command and Control (C2) server to receive attack instructions.
Infected hosts send structured JSON data to the C2, including detailed system metadata: user ID (Uid), task execution status (St), bot version (Bv), and privilege level (Priv). This telemetry allows the operator to manage the botnet’s resources effectively.
Upon check-in, the C2 server responds with specific attack commands. The primary directive observed is !httppost, which triggers the DDoS module. This command includes parameters for the attack duration (e.g., 888 seconds), the number of concurrent threads (e.g., 88), and a Base64-encoded payload containing random data.

The use of HTTP POST requests allows the attack traffic to blend seamlessly with legitimate web traffic, making detection and mitigation significantly more challenging for network defenders.
Infrastructure and Network Indicators
The botnet’s infrastructure is hosted within Autonomous System AS214943, also known as RAILNET. This network has recently gained a reputation as a haven for malicious activity; recent intelligence reports indicate that RAILNET has hosted infrastructure for over 30 distinct malware families in late 2025, including major threats like Remcos and Amadey.
The specific C2 server identified in this campaign is located at IP address 178.16.54[.]87.
The malware communicates via the URI /uda/ph.php, which serves as a critical indicator for network monitoring. Defenders can detect potential infections by inspecting outbound HTTP traffic for this specific path and the characteristic JSON parameters (uid, st, msg, tid) in the request body.
Organizations are advised to act fast and block traffic to the identified C2 infrastructure and monitor for the following indicators:
| Type | Value |
|---|---|
| SHA256 | 7e2350cda89ffedc7bd060962533ff1591424cd2aa19cd0bef219ebd576566bb |
| SHA256 | 770d78f34395c72191c8b865c08b08908dff6ac572ade06396d175530b0403b8 |
| IPv4 | 178.16.54[.]87 (Hosted on RAILNET) |
| Domain | ryxuz[.]com |
| URI Path | /uda/ph.php |
Network administrators should also watch for short-term spikes in outbound HTTP traffic from individual hosts, as this behavior often precedes the high-volume flood orchestrated by the C2.
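The two detection opportunities described above (the C2 check-in to /uda/ph.php with its JSON beacon fields, and a short-term burst of outbound POSTs from a single host) can be checked against proxy logs with a small script. The following is an added example written for this page, not code from ANY.RUN or from the report; the log line format, the sample lines, the victim hostname, and the burst threshold are all constructed for the demonstration, while the C2 IP, domain, URI path and JSON key names are the ones listed in the indicators above.

```python
"""Flag Udados-style C2 check-ins and outbound HTTP POST bursts in proxy logs.

Log format, sample lines and thresholds are constructed for this example;
the indicator values come from the report's IoC table.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators from the report (IP refanged from 178.16.54[.]87)
C2_URI_PATH = "/uda/ph.php"
C2_HOSTS = {"178.16.54.87", "ryxuz.com"}
# JSON keys the report names in the beacon (both the Uid/St/Bv/Priv and
# uid/st/msg/tid spellings); compared case-insensitively
BEACON_KEYS = {"uid", "st", "msg", "tid", "bv", "priv"}


def build_sample_log():
    """Constructed proxy log: '<ISO ts> <src> <method> <host> <path> <body|->'."""
    lines = [
        '2025-11-20T09:59:00 10.0.0.5 POST 178.16.54.87 /uda/ph.php '
        '{"uid":"a1b2","st":0,"bv":"1.2","priv":"user"}',
        '2025-11-20T09:59:01 10.0.0.7 GET www.example.org /index.html -',
        '2025-11-20T09:59:02 10.0.0.5 POST 178.16.54.87 /uda/ph.php '
        '{"uid":"a1b2","st":1,"msg":"ok","tid":42}',
    ]
    # A constructed burst: 40 POSTs from the same host within four seconds,
    # the kind of spike that precedes the HTTP flood.
    base = datetime(2025, 11, 20, 10, 0, 5)
    for i in range(40):
        ts = (base + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 POST victim.example.net /login user=x&pass=y")
    return "\n".join(lines)


def parse_line(line):
    ts, src, method, host, path, body = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "body": None if body == "-" else body}


def beacon_keys(body):
    """Return the report's beacon keys present in a JSON request body."""
    try:
        obj = json.loads(body)
    except (TypeError, ValueError):
        return set()
    if not isinstance(obj, dict):
        return set()
    return {k.lower() for k in obj} & BEACON_KEYS


def classify_beacon(event):
    """List the reasons an event looks like a Udados C2 check-in."""
    reasons = []
    if event["host"] in C2_HOSTS:
        reasons.append("known C2 host")
    if event["path"] == C2_URI_PATH:
        reasons.append("C2 URI path")
    keys = beacon_keys(event["body"])
    if len(keys) >= 2:
        reasons.append("beacon JSON keys: " + ",".join(sorted(keys)))
    return reasons


def detect_post_bursts(events, window=timedelta(seconds=5), threshold=30):
    """Sliding-window count of outbound POSTs per source host.

    Returns {src: peak_count} for every source whose POST count inside any
    `window` reaches `threshold` (both values are constructed defaults).
    """
    windows = defaultdict(deque)
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["method"] != "POST":
            continue
        q = windows[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["src"]] = max(peaks.get(ev["src"], 0), len(q))
    return peaks


def analyse(log_text):
    """Return (beacon hits, burst sources) for a block of log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    beacons = []
    for ev in events:
        reasons = classify_beacon(ev)
        if reasons:
            beacons.append((ev["src"], ev["host"], reasons))
    return beacons, detect_post_bursts(events)


if __name__ == "__main__":
    hits, bursts = analyse(build_sample_log())
    for src, host, reasons in hits:
        print(f"beacon {src} -> {host}: {'; '.join(reasons)}")
    for src, peak in bursts.items():
        print(f"POST burst from {src}: {peak} requests in window")
```

The beacon check scores each request on three independent signals (C2 host, URI path, and the JSON key set) so that a host change by the operator still leaves the path and key-name matches, and the burst detector is deliberately per-source rather than per-destination, since the flood target is not known in advance. Thresholds should be tuned to the baseline POST rate of the monitored network before alerting on them.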
