Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

New botnet targets gaming servers via misconfigured Jenkins

A new DDoS botnet campaign targets online gaming servers by exploiting misconfigured Jenkins instances to gain remote code execution via the scriptText endpoint. The attackers deploy a cross-platform botnet that infects both Windows and Linux systems, primarily aiming to disrupt Valve Source Engine game servers. The article does not provide specific version information, CVSS scores, or patch details for Jenkins.

May 4, 2026. By SC Staff.

As reported by HackRead, a new distributed denial-of-service (DDoS) botnet campaign has been detected, specifically targeting online gaming infrastructure. The campaign was identified by Darktrace's CloudyPots honeypot network on March 18, 2026, after observing attempts to exploit a misconfigured Jenkins server.

The attackers gained initial access by abusing the scriptText endpoint of the Jenkins server, achieving remote code execution (RCE) through a Groovy script. This script was designed to deploy a botnet capable of infecting both Windows and Linux systems. On Windows, a file named w.exe was downloaded, renamed, and executed, opening TCP port 5444 for command and control. Linux systems received a Bash script that dropped a binary named bot_x64.exe into the /tmp directory.

All malicious traffic traced back to a single IP address in Vietnam, owned by Webico. The malware employs evasion techniques, renaming itself to blend in with system processes. Its primary objective is to disrupt servers running the Valve Source Engine, used in popular games like Counter-Strike and Team Fortress 2, by employing methods such as attack_dayz and targeting specific ports like 27015.

Source: HackRead
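A defender's triage of reverse-proxy access logs for requests to the scriptText endpoint described above, as an added example that is not from the article, HackRead, or Darktrace. The Combined Log Format, the sample lines, and the names `triage` and `needs_response` are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format, as a reverse proxy in front of Jenkins would write it
# (assumption: the article shows no log data).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_script_text(target):
    """True when the decoded request path ends in the scriptText endpoint."""
    path = unquote(urlsplit(target).path).rstrip("/")
    return path.lower().endswith("/scripttext")

def triage(lines):
    """Return one finding per scriptText request: (ip, user, status, verdict)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_script_text(m["target"]):
            continue
        if m["status"] != "200":
            verdict = "rejected"  # login redirect, 401/403, wrong method
        elif m["user"] == "-":
            # Script ran and the proxy logged no Basic-auth user: either
            # anonymous access is allowed or a cookie session was used.
            verdict = "executed-no-auth-user"
        else:
            verdict = "executed"
        findings.append((m["ip"], m["user"], int(m["status"]), verdict))
    return findings

def needs_response(findings):
    """Source IPs whose scriptText request executed without a logged user."""
    return sorted({ip for ip, _, _, v in findings if v == "executed-no-auth-user"})

# Constructed sample log lines (documentation IP ranges, not from the article).
SAMPLE = [
    '203.0.113.7 - - [18/Mar/2026:04:11:02 +0000] "POST /scriptText HTTP/1.1" 200 58 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Mar/2026:04:11:09 +0000] "POST /jenkins/script%54ext?x=1 HTTP/1.1" 403 612 "-" "curl/8.5.0"',
    '198.51.100.20 - admin [18/Mar/2026:09:30:41 +0000] "POST /scriptText HTTP/1.1" 200 14 "-" "Mozilla/5.0"',
    '198.51.100.33 - - [18/Mar/2026:09:31:00 +0000] "GET /job/build/scriptTextual HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = triage(SAMPLE)
    for finding in results:
        print(finding)
    print("investigate:", needs_response(results))
```

An `executed-no-auth-user` finding is the cue to review the instance's authorization settings and to check the host for the artifacts the article names (TCP port 5444, `bot_x64.exe` in `/tmp`).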