
DDoS Malware Attacks Jenkins to Target Valve Game Servers


Emerging DDoS Botnet Exploits Exposed Jenkins Servers to Target Gaming Infrastructure

A recent development in cybersecurity has revealed the emergence of a new Distributed Denial-of-Service (DDoS) botnet that exploits exposed Jenkins servers to conduct formidable attacks on the Valve Source Engine’s game infrastructure. This infrastructure includes servers that host popular online games such as Counter-Strike and Team Fortress 2.

This campaign illustrates a stark reality: even a single misconfigured Continuous Integration (CI) server can be co-opted into a multi-platform attack node. This node can launch a variety of DDoS attacks, encompassing User Datagram Protocol (UDP), Transmission Control Protocol (TCP), and even application-layer floods aimed at online gaming environments.

The cybersecurity firm Darktrace made this discovery using its innovative honeypot network, known as “CloudyPots.” This global network is designed to mimic internet-facing services across various cloud platforms and protocols, thereby enabling the observation of attacker behavior in real-time. In this specific case, Jenkins, a widely-used CI platform, was deliberately deployed with weak password protections. This design choice effectively invited brute-force attacks, allowing threat actors to compromise the system opportunistically.

On March 18, 2026, a malevolent actor successfully authenticated to a Jenkins honeypot and endeavored to deploy a new DDoS botnet. Darktrace later verified that this botnet was specifically fine-tuned for attacking online game servers, shedding light on a targeted approach within broader cybercriminal actions. Analysts at Darktrace noted that this activity underscores an alarming trend: even less frequently targeted services like Jenkins can easily fall victim to extensive botnet-building operations.

In particular, the attackers utilized Jenkins’ scriptText endpoint, which is designed to accept Groovy scripts for execution on the server. This capability was manipulated into a remote code execution (RCE) backdoor, owing to the server’s exposure and weak protections. The malicious script, sent as URL-encoded form data, was decoded by analysts, revealing distinct functionality for both Windows and Linux hosts.
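One way a defender can spot the access pattern described above in Jenkins access logs, written here as an added example that is not from the original article or from Darktrace's report. It assumes the server emits NCSA-style access log lines (the constructed sample below) and flags successful POSTs to the script console endpoints together with the number of failed authentications the same source produced beforehand:

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real traffic) in NCSA common log format,
# the format assumed here for the Jenkins access log; adapt LINE_RE otherwise.
SAMPLE_LOG = """\
203.0.113.7 - admin [18/Mar/2026:09:12:01 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - admin [18/Mar/2026:09:12:02 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.7 - admin [18/Mar/2026:09:12:05 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
203.0.113.7 - admin [18/Mar/2026:09:12:06 +0000] "POST /scriptText HTTP/1.1" 200 87
198.51.100.4 - ci-bot [18/Mar/2026:09:15:00 +0000] "GET /job/build/lastBuild/api/json HTTP/1.1" 200 4123
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Groovy script console endpoints; /scriptText is the one the article describes.
SCRIPT_CONSOLE_PATHS = ("/script", "/scriptText")


@dataclass
class Alert:
    ip: str
    user: str
    ts: str
    path: str
    failed_auths_before: int


def detect_script_console_use(log_text: str) -> list[Alert]:
    """Return an Alert for every successful POST to a script console path,
    annotated with how many 401/403 responses the same IP received earlier."""
    failed_by_ip: dict[str, int] = {}
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if status in (401, 403):
            failed_by_ip[ip] = failed_by_ip.get(ip, 0) + 1
        is_console = any(path == p or path.endswith(p) for p in SCRIPT_CONSOLE_PATHS)
        if m["method"] == "POST" and is_console and status == 200:
            alerts.append(Alert(ip, m["user"], m["ts"], path, failed_by_ip.get(ip, 0)))
    return alerts
```

A hit with a non-zero failure count is the brute-force-then-script-console sequence; a hit from an account that never needs the console is worth a look even with zero prior failures.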

On Windows systems, the script downloaded a payload from an IP address linked to a Vietnamese hosting provider, renaming the file to disguise its true nature. It further bypassed internet download restrictions and opened a TCP port for command-and-control (C2) traffic. Conversely, on Linux systems, a concise Bash command was employed to download and execute a 64-bit bot binary, offering a rapid, lightweight infection path.

Interestingly, this IP address was reused for various functions—including initial access, payload delivery, and C2 communications—indicating a uniquely consolidated infrastructure for this botnet. This strategy, while increasing operational risks, simplifies management by reducing the complexity typically required to maintain multiple layers of server infrastructure.

The malware adopted various tactics to obscure its presence on infected systems. Once running on Linux, it set Jenkins-related environment variables to “dontKillMe,” a move designed to circumvent Jenkins’ standard timeout policies for long-running tasks. In addition, the malware deleted its original binary and renamed itself to pose as a legitimate kernel worker process, evading detection by classic process monitoring.
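The kernel-worker disguise just described can be checked against facts a user-space process cannot fake: a genuine kernel thread is parented by kthreadd (PID 2), has an empty cmdline and no resolvable executable, and a process whose binary was deleted from disk keeps an exe link ending in "(deleted)". The following is an added example, not code from the article or from Darktrace, and assumes Linux procfs; reading another user's exe link requires root, so run the scan as root to avoid false negatives:

```python
import os
from dataclasses import dataclass
from typing import Optional

# Prefixes commonly used by genuine kernel threads (a heuristic, not exhaustive).
KERNEL_NAME_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_", "kswapd")


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/status "Name" (what ps shows)
    ppid: int
    cmdline: str         # empty for real kernel threads
    exe: Optional[str]   # None when /proc/<pid>/exe cannot be resolved


def is_masquerading(p: ProcInfo) -> bool:
    """True when a process carries a kernel-thread name but has user-space
    properties: a parent other than kthreadd, a cmdline, or an exe link
    (including one that ends in '(deleted)', as after self-deletion)."""
    if not p.comm.startswith(KERNEL_NAME_PREFIXES) or p.pid == 2:
        return False
    return p.ppid != 2 or p.cmdline != "" or p.exe is not None


def read_proc(pid: int) -> ProcInfo:
    base = f"/proc/{pid}"
    with open(f"{base}/status") as f:
        fields = dict(line.split(":", 1) for line in f if ":" in line)
    with open(f"{base}/cmdline", "rb") as f:
        cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:       # ENOENT for kernel threads, EACCES without privilege
        exe = None
    return ProcInfo(pid, fields["Name"].strip(), int(fields["PPid"]), cmdline, exe)


def scan_running_system() -> list[ProcInfo]:
    """Walk /proc and return processes that fail the kernel-thread checks."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            info = read_proc(int(name))
        except (OSError, KeyError):
            continue          # process exited mid-scan or status is unreadable
        if is_masquerading(info):
            hits.append(info)
    return hits
```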

Upon establishing a connection with its C2 server, the malware reported the infected system’s architecture and prepared to enter a command loop for further instructions. The commands it supported varied from basic utilities like “PING” for keep-alive checks to more complex attack commands that could be executed by providing an IP address, port, and duration.

The DDoS botnet displays a range of capabilities, employing both volumetric and application-layer DDoS techniques. Notably, several advertised modes of attack appear to reference the same fundamental functions, potentially indicating that the botnet’s operators may be attempting to pad its capabilities, or they could be placeholders for future enhancements.

Two significant flood functions were identified: one aimed to saturate bandwidth using 1,450-byte random packets, while another focused on maximizing packets-per-second with 64-byte payloads. Additionally, the botnet can send Valve Source Engine Query packets that cause targeted game servers to produce large responses, so that minimal attacker bandwidth suffices to exhaust the targets’ resources.

As the DDoS attack landscape continues to evolve, it is evident that even less conventional targets, such as Jenkins CI servers, can be repurposed as vital components in DDoS operations. This trend highlights the importance of cybersecurity for organizations engaged in online gaming.

Operators of Valve Source Engine servers and similar platforms are urged to harden their hosting environments. Implementing robust DDoS protection mechanisms and eliminating weak credentials for CI tools like Jenkins will be crucial in safeguarding against this emerging threat. As gaming remains a top target for DDoS attacks globally, the stakes have never been higher for those managing game server infrastructures.
