Warning: New Jenkins Malware Hits Valve Game Servers

A specialized DDoS botnet has been discovered exploiting exposed Jenkins servers to launch high-intensity attacks against Valve Source Engine game infrastructure. The threat, uncovered by Darktrace in late March 2026, specifically targets the servers behind popular titles such as Counter-Strike and Team Fortress 2.

This campaign highlights a growing trend: cybercriminals are no longer just targeting banks and governments; they are industrializing attacks against the gaming sector, which now ranks as the fourth most targeted industry globally.


Initial Access: Exploiting “Weak” Jenkins Doors

The attackers gain a foothold by scanning the internet for poorly configured Jenkins instances. Jenkins is a widely used build-automation server, and an exposed controller with weak credentials hands over code execution on the host that runs it.

  • The Entry Point: Attackers target the Script Console's scriptText endpoint (/scriptText, the plain-text counterpart of the interactive /script page), which runs arbitrary Groovy inside the controller JVM as the Jenkins service user. This is a built-in administrative feature rather than a software vulnerability: anyone holding Overall/Administer can use it, so the exposure comes from the dashboard being reachable and the credentials being weak.
  • The Credentials: In many cases the malware simply guesses a weak administrative password.
  • Multi-Platform Payloads: Once inside, the Groovy script checks which operating system it is running on and drops a matching payload. On Linux it writes a binary named bot_x64 into /tmp; on Windows it drops the bot as win_sys.exe, a name chosen to pass for a system component.
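
The access pattern above, a burst of login attempts followed by a POST to the Script Console, is visible in an ordinary Jenkins access log. The script below is an added example written for this article (it is not Darktrace's tooling or anything from the Jenkins project): it triages constructed Apache-style access-log lines for POSTs to /script and /scriptText, escalates when the source is outside the address ranges you define as internal or was preceded by a login-guessing burst, and scans a captured Groovy body for the payload strings the article reports. The log lines, the Groovy snippet, the internal network list and the burst threshold are all assumptions for illustration.

```python
"""Triage Jenkins access-log lines for Script Console abuse of the kind the
article describes. Added example; not code from the article or from Darktrace.
Assumes the Apache-style access log Jenkins' bundled web server can write;
every log line and the Groovy snippet below are constructed, not captured."""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Both endpoints run arbitrary Groovy inside the controller JVM as the Jenkins
# user. /script is the interactive page, /scriptText the plain-text form that
# tooling uses; per-agent variants live under /computer/<name>/. Suffix matching
# also covers controllers served under a context path such as /jenkins.
SCRIPT_CONSOLE = ("/script", "/scriptText")
LOGIN_POST = "/j_spring_security_check"   # Jenkins' form-login target
LOGIN_BURST = 3                           # login POSTs from one IP before a console POST (tuning assumption)

# Your own address space; only these count as internal (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Strings the article reports for this campaign's payload and persistence stage.
PAYLOAD_IOCS = ("/tmp/bot_x64", "win_sys.exe", "dontKillMe", "ksoftirqd/0")

# Constructed sample: a password-guessing burst against the login form from an
# external address, then a successful POST to /scriptText, plus benign traffic.
SAMPLE_LOG = """\
198.51.100.23 - - [28/Mar/2026:02:14:01 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
198.51.100.23 - - [28/Mar/2026:02:14:02 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
198.51.100.23 - - [28/Mar/2026:02:14:02 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
198.51.100.23 - - [28/Mar/2026:02:14:03 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
198.51.100.23 - - [28/Mar/2026:02:14:05 +0000] "POST /scriptText HTTP/1.1" 200 17
10.0.4.12 - - [28/Mar/2026:02:20:10 +0000] "GET /job/build-api/lastBuild/api/json HTTP/1.1" 200 4812
10.0.4.9 - admin [28/Mar/2026:09:01:44 +0000] "POST /script HTTP/1.1" 200 2201
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Return (severity, source_ip, reason) for every Groovy submission seen."""
    findings = []
    login_posts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        ip, path = rec["ip"], rec["path"].split("?")[0]
        if path.endswith(LOGIN_POST):
            # Jenkins answers the login POST with a 302 whether or not the
            # password was right, so the rate, not the status, is the signal.
            login_posts[ip] += 1
        elif path.endswith(SCRIPT_CONSOLE):
            flags = []
            if not is_internal(ip):
                flags.append("non-internal source")
            if login_posts[ip] >= LOGIN_BURST:
                flags.append(f"preceded by {login_posts[ip]} login POSTs")
            reason = f"Groovy POST to {path} (HTTP {rec['status']})"
            if flags:
                reason += ": " + ", ".join(flags)
            findings.append(("critical" if flags else "review", ip, reason))
    return findings


def scan_groovy(script_text):
    """Campaign indicators present in a captured request body (e.g. from a proxy)."""
    return [ioc for ioc in PAYLOAD_IOCS if ioc in script_text]


# Constructed stand-in for a captured body; deliberately not the real payload.
SAMPLE_GROOVY = 'if (System.getProperty("os.name").contains("Linux")) { new File("/tmp/bot_x64").setExecutable(true) }'

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("IOCs in body:", scan_groovy(SAMPLE_GROOVY))
```

Jenkins does not log request bodies, so the IOC scan only applies where a reverse proxy or WAF in front of the controller captures them; the access-log triage works with what Jenkins itself writes. Any Groovy POST from an address you do not recognise deserves an incident, not a ticket, because the script has already run by the time you read the log line.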

The “Attack_DayZ” Technique: Amplification at Work

What makes this botnet particularly dangerous for gamers is its use of the Source Engine's own query protocol: the TSource Engine Query packet.

In a routine named attack_dayz (after the game DayZ, although what it sends are Valve Source Engine queries), the malware fires small requests, about 64 bytes each as reported, at a game server. The query is A2S_INFO, the one whose payload carries the literal string TSource Engine Query; the server is built to answer it with its name, map, game, player counts, version and more, a reply several times the size of the request.

Flooding a target with these tiny requests forces the game server to spend its own bandwidth and CPU answering every one of them, knocking players offline at very little cost to the attacker.
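
To make the asymmetry concrete, here is an added example (not code from the article or from Darktrace) that builds the A2S_INFO query, builds and parses a constructed S2A_INFO reply in Valve's documented Server Queries field order, and computes the bytes-out-per-byte-in ratio. It also handles the 9-byte S2C_CHALLENGE that servers enforcing the challenge step return instead of a full reply. The server name, map and version in the sample reply are invented.

```python
"""Valve A2S_INFO, the 'TSource Engine Query' the article names, built and parsed
to show the request/response size asymmetry behind attack_dayz. Added example;
not code from the article or from Darktrace. Request layout follows Valve's
documented Server Queries format; the reply bytes are constructed, not captured."""
import struct

HEADER = b"\xff\xff\xff\xff"          # marker for a simple (single-packet) request or reply
A2S_INFO = b"T" + b"Source Engine Query\x00"
S2C_CHALLENGE = 0x41                  # 'A': server wants a challenge echoed back first
S2A_INFO = 0x49                       # 'I': the actual info reply
INFO_FIXED = "<hBBBccBB"              # app id, players, max, bots, type, env, visibility, VAC


def build_info_request(challenge=None):
    """25-byte A2S_INFO query; servers that enforce challenges need 4 more bytes."""
    pkt = HEADER + A2S_INFO
    if challenge is not None:
        pkt += struct.pack("<i", challenge)
    return pkt


def build_challenge_response(challenge):
    """9-byte S2C_CHALLENGE a hardened server sends instead of a full reply."""
    return HEADER + bytes([S2C_CHALLENGE]) + struct.pack("<i", challenge)


def build_info_response(name, map_name, folder, game, players, max_players, version, app_id=730):
    """S2A_INFO with Valve's documented field order (demo data only)."""
    body = HEADER + bytes([S2A_INFO, 17])          # type byte, then protocol version
    for s in (name, map_name, folder, game):
        body += s.encode() + b"\x00"
    body += struct.pack(INFO_FIXED, app_id, players, max_players, 0, b"d", b"l", 0, 1)
    return body + version.encode() + b"\x00"


def _cstring(buf, off):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("utf-8", "replace"), end + 1


def parse_response(pkt):
    """Decode a challenge or info reply into a dict."""
    if pkt[:4] != HEADER:
        raise ValueError("not a simple A2S response (split packets not handled here)")
    kind = pkt[4]
    if kind == S2C_CHALLENGE:
        return {"type": "challenge", "challenge": struct.unpack_from("<i", pkt, 5)[0]}
    if kind != S2A_INFO:
        raise ValueError(f"unexpected response type 0x{kind:02x}")
    info = {"type": "info", "protocol": pkt[5]}
    off = 6
    for field in ("name", "map", "folder", "game"):
        info[field], off = _cstring(pkt, off)
    (info["app_id"], info["players"], info["max_players"], info["bots"],
     stype, env, visibility, vac) = struct.unpack_from(INFO_FIXED, pkt, off)
    off += struct.calcsize(INFO_FIXED)
    info["version"], _ = _cstring(pkt, off)
    info.update(server_type=stype.decode(), environment=env.decode(),
                public=visibility == 0, vac=bool(vac))
    return info


def amplification_factor(request, response):
    """Bytes the server sends per byte the attacker sends."""
    return len(response) / len(request)


# Constructed reply from an imaginary community server (not a real server).
SAMPLE_RESPONSE = build_info_response(
    "Constructed demo server | 128 tick | vote maps", "de_dust2", "csgo",
    "Counter-Strike: Global Offensive", 47, 64, "1.38.8.1")

if __name__ == "__main__":
    q = build_info_request()
    print(len(q), "byte query ->", len(SAMPLE_RESPONSE), "byte reply,",
          f"x{amplification_factor(q, SAMPLE_RESPONSE):.1f}")
    print(parse_response(SAMPLE_RESPONSE))
    print(parse_response(build_challenge_response(0x5EED1234)))
```

Two points worth drawing out. First, the bare query is 25 bytes of UDP payload, while even a modest info reply runs past 100 bytes, so the server does several times the work per packet that the sender does. Second, Source servers that enforce the challenge step answer a bare query with the 9-byte challenge rather than the full reply, which removes the asymmetry; servers that still answer bare queries in full, as the article's description implies the targets do, remain the cheap ones to hit.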


Stealth and Survival: “dontKillMe”

The malware is designed to be a “ghost” in the system. After infecting a Linux host, it performs several stealth maneuvers:

  1. Bypassing Timeouts: It sets JENKINS_NODE_COOKIE=dontKillMe in its environment. Jenkins' ProcessTreeKiller normally kills every process a job spawned once the job finishes; dontKillMe is Jenkins' documented opt-out, so the bot outlives the Groovy script that launched it.
  2. Process Masquerading: The malware deletes its own executable from disk (it keeps running from memory, and /proc/<pid>/exe then ends in "(deleted)") and renames itself to ksoftirqd/0 or kworker. These are the names of legitimate Linux kernel threads, so the bot blends into a process listing.
  3. Hiding the Trail: It daemonizes with the classic double fork, which detaches it from the Jenkins process group and reparents it to PID 1, and points its own stdout and stderr at /dev/null so nothing it prints reaches Jenkins' console output. That hides it from a casual look, not from host telemetry: process-creation auditing and network flow records still see it.
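
The masquerade in step 2 is easy to unpick because a renamed daemon cannot fake the properties of a real kernel thread: genuine ksoftirqd and kworker threads are children of kthreadd (PID 2), have no executable behind /proc/<pid>/exe and an empty cmdline, whereas a double-forked bot is a child of PID 1 and still has an exe link (pointing at a deleted file). The hunting script below is an added example, not the article's or Darktrace's code; the /proc snapshot it checks is constructed, and the scan_live function shows how to read the same fields from a real Linux host.

```python
"""Spot user-space processes masquerading as kernel threads (ksoftirqd/N,
kworker/...). Added example; not code from the article or from Darktrace.
Real kernel threads descend from kthreadd (PID 2), have no executable behind
/proc/<pid>/exe and an empty cmdline; a daemon that merely renamed itself fails
one or more of those checks. The snapshot below is constructed, not captured."""
import os
import re

KTHREAD_NAMES = re.compile(r"^(ksoftirqd/\d+|kworker/\S+|kthreadd|migration/\d+|rcu_\w+|kswapd\d+)$")
KTHREADD_PID = 2

# Constructed /proc snapshot: three real kernel threads, one bot that renamed
# itself after deleting its binary and double-forking, and the Jenkins JVM.
SNAPSHOT = [
    {"pid": 2,    "comm": "kthreadd",     "ppid": 0, "cmdline": b"",                                  "exe": ""},
    {"pid": 15,   "comm": "ksoftirqd/0",  "ppid": 2, "cmdline": b"",                                  "exe": ""},
    {"pid": 912,  "comm": "kworker/u8:2", "ppid": 2, "cmdline": b"",                                  "exe": ""},
    {"pid": 4133, "comm": "ksoftirqd/0",  "ppid": 1, "cmdline": b"ksoftirqd/0\x00",                   "exe": "/tmp/bot_x64 (deleted)"},
    {"pid": 4200, "comm": "java",         "ppid": 1, "cmdline": b"java\x00-jar\x00jenkins.war\x00",   "exe": "/usr/bin/java"},
]


def is_masquerading(p):
    """Reasons a kernel-looking process is not a kernel thread ([] if it looks genuine)."""
    if p["pid"] == KTHREADD_PID or not KTHREAD_NAMES.match(p["comm"]):
        return []
    reasons = []
    if p["ppid"] != KTHREADD_PID:
        reasons.append(f"parent is PID {p['ppid']}, not kthreadd")
    if p["exe"]:
        reasons.append(f"backed by an executable: {p['exe']}")
    if p["cmdline"]:
        reasons.append("has a command line (kernel threads have none)")
    return reasons


def hunt(snapshot):
    """Map suspicious PIDs to the reasons they fail the kernel-thread test."""
    out = {}
    for p in snapshot:
        reasons = is_masquerading(p)
        if reasons:
            out[p["pid"]] = reasons
    return out


def read_proc(pid):
    """Collect the same fields for a live PID (Linux only; run as root so
    readlink on /proc/<pid>/exe is not refused for other users' processes)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as f:
        comm = f.read().strip()
    with open(f"{base}/status") as f:
        ppid = next(int(line.split()[1]) for line in f if line.startswith("PPid:"))
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:          # ENOENT for real kernel threads
        exe = ""
    return {"pid": pid, "comm": comm, "ppid": ppid, "cmdline": cmdline, "exe": exe}


def scan_live():
    """Run the test against the local /proc, skipping processes that vanish mid-read."""
    snapshot = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                snapshot.append(read_proc(int(name)))
            except (OSError, StopIteration):
                continue
    return hunt(snapshot)


if __name__ == "__main__":
    for pid, reasons in hunt(SNAPSHOT).items():
        print(pid, reasons)
```

The exe check is the strongest of the three on its own: a process whose /proc/<pid>/exe points at a deleted file under /tmp is the deletion trick from step 2 made visible, whatever it has renamed itself to.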

How to Defend Your Infrastructure

If your organization uses Jenkins or you operate game servers, take these steps immediately:

  • Secure Jenkins: Never leave a Jenkins controller reachable from the public internet without strong authentication; Jenkins core has no built-in MFA, so put it behind an SSO provider or VPN that does. The /script and /scriptText endpoints are gated on Overall/Administer, so keep that group as small as possible and alert on every POST to them.
  • Block Port 5444: The reported command-and-control (C2) channel is TCP port 5444. Block it outbound at your perimeter, but treat the port as an indicator rather than a control: the operators can change it in a rebuild, so an egress allowlist for build servers is the durable fix.
  • Update Firewalls: Block the reported attacker IP 103[.]177.110.202 at your gateway, and keep it in your detection rules even after it goes quiet.
  • Monitor Outbound Traffic: Watch for Linux servers, build servers in particular, sending bursts of UDP to port 27015 (the default Valve Source Engine server port). A CI host has no business talking to game servers.
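
Turning the last three bullets into a check: the added example below (not code from the article or from Darktrace) runs the reported indicators over flow records and flags any host that contacts the attacker IP, opens TCP to port 5444, or sends a burst of UDP to 27015 within a sliding window. The flow layout ("epoch src dst proto sport dport pkts bytes"), the sample records and the burst threshold are constructed for illustration; map the fields from your own NetFlow or conntrack export.

```python
"""Run the article's network indicators over flow records: TCP toward the
reported C2 port 5444, any contact with the reported attacker IP, and build
hosts emitting bursts of UDP to 27015. Added example; not code from the article
or from Darktrace. The flow format ('epoch src dst proto sport dport pkts bytes')
and every record below are constructed; map the fields from your own collector."""
from collections import defaultdict

C2_PORT = 5444
ATTACKER_IPS = {"103.177.110.202"}
SOURCE_ENGINE_PORT = 27015
WINDOW_S = 60
UDP_BURST_PKTS = 1000   # packets to 27015 per window before alerting (tuning assumption)

# Constructed flows: one build host beaconing to the attacker IP on 5444 and
# flooding two game servers, one host merely touching 5444, one benign query.
SAMPLE_FLOWS = """\
# epoch      src        dst              proto sport dport pkts bytes
1774663200 10.0.4.9   93.184.216.34    tcp 51200 443   12  9400
1774663201 10.0.4.9   103.177.110.202  tcp 51302 5444  9   1420
1774663202 10.0.4.9   203.0.113.77     udp 40111 27015 620 39680
1774663230 10.0.4.9   203.0.113.78     udp 40112 27015 610 39040
1774663205 10.0.7.2   198.51.100.5     udp 53000 27015 3   192
1774663210 10.0.4.12  203.0.113.9      tcp 44000 5444  4   300
"""


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, pkts, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "pkts": int(pkts), "bytes": int(nbytes)})
    return flows


def udp_bursts(samples):
    """Largest packet total from one host inside any WINDOW_S span.
    samples: list of (epoch, packets); sorted in place."""
    samples.sort()
    best = start = total = 0
    for ts, pkts in samples:
        total += pkts
        while samples[start][0] < ts - WINDOW_S:   # drop samples that fell out of the window
            total -= samples[start][1]
            start += 1
        best = max(best, total)
    return best


def detect(flows):
    """Return (source_host, reason) alerts; a host can appear more than once."""
    alerts = []
    to_27015 = defaultdict(list)
    for f in flows:
        if f["dst"] in ATTACKER_IPS:
            alerts.append((f["src"], f"contacted reported attacker IP {f['dst']}"))
        elif f["proto"] == "tcp" and f["dport"] == C2_PORT:
            alerts.append((f["src"], f"TCP to {f['dst']}:{C2_PORT}, the reported C2 port"))
        if f["proto"] == "udp" and f["dport"] == SOURCE_ENGINE_PORT:
            to_27015[f["src"]].append((f["ts"], f["pkts"]))
    for src, samples in to_27015.items():
        peak = udp_bursts(samples)
        if peak >= UDP_BURST_PKTS:
            alerts.append((src, f"{peak} UDP packets to port {SOURCE_ENGINE_PORT} within {WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for host, reason in detect(parse_flows(SAMPLE_FLOWS)):
        print(host, "-", reason)
```

The rate check is the one that survives the attacker changing port and IP: a CI host sending a thousand UDP packets a minute to the Source Engine port is anomalous regardless of which server it is aimed at, so tune UDP_BURST_PKTS to your own baseline and keep the indicator matches as confirmation rather than as the only trigger.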
