Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
Home/Threats/New DDoS Malware Exploits Jenkins CVE-2024-23897 to Attack Game Servers
Threats

New DDoS Malware Exploits Jenkins CVE-2024-23897 to Attack Game Servers

Key Takeaways A new DDoS botnet is exploiting vulnerable Jenkins servers to launch attacks against Valve Source Engine game infrastructure. The malware, identified by Darktrace, targets popular games...

Emy Elsamnoudy
Emy Elsamnoudy
May 1, 2026 4 Min Read
52 0

Key Takeaways

  • A new DDoS botnet is exploiting vulnerable Jenkins servers to launch attacks against Valve Source Engine game infrastructure.
  • The malware, identified by Darktrace, targets popular games like Counter-Strike and Team Fortress 2.
  • It leverages a critical Jenkins vulnerability (CVE-2024-23897) or weak credentials to gain initial access.
  • The botnet employs various DDoS methods, including a potent amplification attack targeting Source Engine query packets.
  • Defenders should immediately secure Jenkins instances, enforce strong authentication, and block known malicious IPs and C2 ports.

New DDoS Botnet Leverages Jenkins Vulnerabilities to Target Game Servers

A recently discovered distributed denial-of-service (DDoS) botnet is actively compromising exposed Jenkins servers to mount significant attacks against Valve Source Engine gaming infrastructure. Cybersecurity experts at Darktrace have detailed this emergent threat, which exploits vulnerable Jenkins instances to establish a powerful network for its malicious operations. Darktrace’s comprehensive analysis highlights the unique targeting of video game servers combined with a sophisticated, multi-operating system infection strategy.

Table Of Content

  • Key Takeaways
  • New DDoS Botnet Leverages Jenkins Vulnerabilities to Target Game Servers
  • Botnet Discovery and Target Profile
  • Infection Mechanism and Persistence
  • What You Should Do

Jenkins, a widely adopted continuous integration platform, automates software development processes like testing and code builds. Misconfigured Jenkins installations can inadvertently expose remote code execution endpoints, which attackers can then exploit. In this campaign, threat actors have been observed compromising Jenkins instances through weak passwords or exploiting vulnerabilities such as CVE-2024-23897, allowing them to deliver malicious payloads onto target machines. This straightforward yet effective attack vector capitalizes on the persistent issue of organizations failing to secure Jenkins with robust authentication mechanisms.

Botnet Discovery and Target Profile

Darktrace analysts first detected this threat on March 18, 2026, when a threat actor engaged one of the company’s “CloudyPots” honeypot systems. Subsequent investigation by Darktrace’s Threat Research team confirmed the botnet’s explicit design to target Valve Source Engine game servers, specifically those hosting titles like Counter-Strike and Team Fortress 2. This discovery aligns with a broader industry trend of increasing cyberattacks against the gaming sector, which Cloudflare has identified as the fourth most targeted industry globally.

Upon compromising a Jenkins server, the malware deploys distinct payloads for both Windows and Linux environments. On Windows, a malicious executable is downloaded from a remote IP address and saved under a filename designed to mimic a legitimate system update. For Linux systems, a Bash command fetches the payload into the /tmp directory and executes it. The command-and-control (C2) and delivery infrastructure for this botnet are hosted by a Vietnamese provider, which is an atypical setup as most malware operations separate these functions for enhanced resilience.

The botnet supports an array of DDoS attack methodologies, including UDP floods, TCP push attacks, and HTTP request floods. Notably, one technique, dubbed “attack_dayz,” involves sending TSource Engine Query packets. This method forces Valve Source Engine servers to return substantial volumes of data. By initiating small requests that provoke large responses, attackers can exhaust server resources with minimal bandwidth, posing a significant amplification threat to game server operators.

Infection Mechanism and Persistence

Once the malware establishes itself on a Linux system, it immediately implements measures to ensure stealth and resistance to termination. It manipulates Jenkins environment variables, setting “dontKillMe” to prevent Jenkins from automatically shutting down the malicious process after its typical timeout period. This subtle yet effective maneuver allows the malware to persist on compromised servers without immediate detection.

The malware then deletes its original executable and renames itself to masquerade as a legitimate Linux kernel process, such as “ksoftirqd/0” or “kworker,” both common on standard Linux installations. It employs a double-forking technique to run as a silent background daemon, redirecting all input, output, and error streams to /dev/null to avoid leaving forensic traces. Furthermore, it intercepts and ignores common termination signals like SIGTERM, making it challenging to halt the process using standard commands.

After becoming active, the malware connects to its C2 server, reports the compromised system’s architecture, and enters a waiting loop for attack instructions. It responds to three primary utility commands: “PING” for keep-alive checks, “!stop” to exit, and “!update” to download and restart a newer version from the C2 server.

What You Should Do

  • Secure Jenkins Instances: Immediately identify and secure all publicly accessible Jenkins endpoints. Implement strong, unique passwords and multi-factor authentication (MFA) where possible.
  • Patch Vulnerabilities: Ensure all Jenkins instances are updated to the latest version, patching critical vulnerabilities like CVE-2024-23897.
  • Monitor Outbound Traffic: Continuously monitor outbound network traffic from Jenkins servers for unusual connections or high-volume data egress, which could indicate C2 communication or DDoS activity.
  • Firewall Rules: Block TCP port 5444 at the firewall level, as this port is utilized for C2 communication by the malware.
  • Block Malicious IP: Block the confirmed attacker IP address 103[.]177.110.202 at your network perimeter.
  • Review IoCs: Integrate and review all published Indicators of Compromise (IoCs) from Darktrace’s report into your security monitoring and incident response systems without delay.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Ubuntu Website and Canonical Web Services Struck by DDoS Attack

Next Post

New Phishing Tactics Abuse CAPTCHA and ClickFix to Steal Credentials

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us