Jenkins and Valve: New DDoS Malware Exploits Jenkins to Attack Valve Source Engine Game Servers

New DDoS Botnet Targets Valve Source Engine Game Servers via Exposed Jenkins Instances

Security researchers at Darktrace uncovered a sophisticated DDoS botnet that exploits misconfigured Jenkins servers to launch attacks against Valve Source Engine game infrastructure, including Counter-Strike and Team Fortress 2 servers. The malware, first detected on March 18, 2026, via Darktrace's CloudyPots honeypot network, stands out for its cross-platform capabilities and its precise targeting of the gaming sector, a growing focus for cybercriminals that Cloudflare ranks as the fourth most attacked industry globally.

The attack begins with threat actors scanning for Jenkins instances with weak or default credentials, then using an exposed remote code execution (RCE) endpoint to deploy malicious payloads. Once inside, the malware delivers Windows and Linux variants: on Windows, it downloads a file disguised as a system update, while on Linux, it executes a Bash script that fetches a payload into the /tmp directory and runs it from there. Both variants use a single Vietnamese-hosted IP (103[.]177.110.202) for command-and-control (C2) and payload delivery, an unusual consolidation that reduces the operation's resilience: blocking that one address cuts off both channels.

The botnet employs multiple DDoS techniques, including UDP floods, TCP push attacks, and HTTP request floods, with a particularly effective method called "attack_dayz." This tactic exploits Valve Source Engine’s query protocol, sending small requests that trigger disproportionately large responses, overwhelming servers with minimal attacker bandwidth. The malware also ensures persistence by:

  • Manipulating Jenkins environment variables ("dontKillMe") to evade process timeouts.
  • Renaming itself to mimic legitimate Linux kernel processes ("ksoftirqd/0" or "kworker").
  • Using double forking and redirecting logs to /dev/null to avoid detection.
  • Ignoring termination signals (SIGTERM) to resist manual shutdowns.
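The process-renaming and /dev/null tricks listed above leave fingerprints a defender can check for. A genuine Linux kernel thread is a child of kthreadd (PID 2), has no backing executable (readlink on /proc/<pid>/exe fails), an empty cmdline and no open file descriptors; a user-space binary that merely calls itself "ksoftirqd/0" or "kworker/..." fails those checks. The following script is an added example written for this page, not code from Darktrace or from the malware analysis; the ProcInfo layout and the sample process list are constructed for illustration, and on a Linux host it reads the live /proc tree instead.

```python
"""Heuristic check for user-space processes masquerading as Linux kernel threads."""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KTHREADD_PID = 2
# Names the report says the malware adopts; real kworker threads carry suffixes
# such as kworker/0:1, hence the prefix match.
MIMICKED_PREFIXES = ("ksoftirqd/", "kworker")


@dataclass
class ProcInfo:
    pid: int
    ppid: int
    comm: str
    exe: Optional[str]          # None when /proc/<pid>/exe cannot be resolved
    cmdline: str                # "" for kernel threads
    fds: Dict[int, str] = field(default_factory=dict)  # fd number -> target path


def is_kernel_thread_name(comm: str) -> bool:
    return comm.startswith(MIMICKED_PREFIXES)


def suspicious_reasons(p: ProcInfo) -> List[str]:
    """Return the checks a kernel-thread-named process fails; [] if it looks genuine."""
    if not is_kernel_thread_name(p.comm):
        return []
    reasons = []
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (PID {KTHREADD_PID})")
    if p.exe is not None:
        reasons.append(f"backed by an executable: {p.exe}")
    if p.cmdline:
        reasons.append("non-empty cmdline (kernel threads have none)")
    if any(p.fds.get(fd) == "/dev/null" for fd in (1, 2)):
        reasons.append("stdout/stderr redirected to /dev/null")
    elif p.fds:
        reasons.append("has open file descriptors")
    return reasons


def audit(procs) -> Dict[int, List[str]]:
    """Map PID -> reasons for every process failing at least one check."""
    findings = {}
    for p in procs:
        reasons = suspicious_reasons(p)
        if reasons:
            findings[p.pid] = reasons
    return findings


def read_procfs() -> List[ProcInfo]:
    """Collect ProcInfo for every process visible in /proc (best effort)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            head, _, rest = stat.rpartition(")")   # comm may contain spaces/parens
            comm = head.split("(", 1)[1]
            ppid = int(rest.split()[1])            # fields after ')': state ppid ...
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None                          # genuine kernel threads end up here
            fds = {}
            try:
                for fd in os.listdir(f"/proc/{pid}/fd"):
                    try:
                        fds[int(fd)] = os.readlink(f"/proc/{pid}/fd/{fd}")
                    except OSError:
                        pass
            except OSError:
                pass
            procs.append(ProcInfo(pid, ppid, comm, exe, cmdline, fds))
        except (OSError, ValueError, IndexError):
            continue                                # process exited or unreadable
    return procs


# Constructed sample (not real telemetry): a genuine kernel thread, a renamed
# user-space binary with its output sent to /dev/null, and an ordinary daemon.
SAMPLE_PROCS = [
    ProcInfo(13, 2, "ksoftirqd/0", None, ""),
    ProcInfo(4242, 1, "kworker/u8:3", "/tmp/.x (deleted)", "/tmp/.x",
             {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}),
    ProcInfo(900, 1, "nginx", "/usr/sbin/nginx", "nginx: master process"),
]

if __name__ == "__main__":
    procs = read_procfs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in audit(procs).items():
        print(pid, "; ".join(reasons))
```

Only processes whose name matches the mimicked kernel-thread pattern are scored, so ordinary daemons that also redirect their output to /dev/null do not produce noise; the parent-PID and exe checks are the high-confidence signals, the fd check is corroboration.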

Once active, the malware connects to the C2 server, reporting system details and awaiting attack commands. It supports three utility functions: PING (keep-alive), !stop (termination), and !update (self-updating). Darktrace recommends blocking TCP port 5444 (used for C2 communication) and the identified attacker IP at the network perimeter, alongside securing Jenkins instances with strong authentication and restricting public access.
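The perimeter recommendation above (block TCP/5444 and 103[.]177.110.202) can be turned into a retrospective check over connection logs plus the matching block rules. The script below is an added example written for this page, not code from Darktrace or Rankiteo; the CSV flow-log layout, the nftables table and chain names, and the sample log lines are assumptions constructed for illustration. The two indicators themselves are the ones the write-up gives, with the defanged IP restored to its real form.

```python
"""Flag flows matching the report's C2 indicators and emit nftables block rules."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

C2_IP_DEFANGED = "103[.]177.110.202"   # as published (defanged)
C2_PORT = 5444                          # C2 channel per the report


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("1[.]2[.]3[.]4", "hxxp://") back into a usable one."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_IP = refang(C2_IP_DEFANGED)


@dataclass
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one line of the assumed CSV flow log:
    ts,src_ip,src_port,dst_ip,dst_port,proto. Returns None for comments/bad lines."""
    if line.lstrip().startswith("#"):
        return None
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 6:
        return None
    try:
        return Flow(parts[0], parts[1], int(parts[2]), parts[3], int(parts[4]), parts[5].lower())
    except ValueError:
        return None


def match_ioc(flow: Flow) -> List[str]:
    """Indicators a flow matches; an empty list means no match."""
    hits = []
    if C2_IP in (flow.src_ip, flow.dst_ip):
        hits.append(f"ip:{C2_IP}")
    if flow.proto == "tcp" and flow.dst_port == C2_PORT:
        hits.append(f"tcp/{C2_PORT}")
    return hits


def scan(lines) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, hits) for every parseable line that matches an indicator."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        hits = match_ioc(flow)
        if hits:
            alerts.append((flow, hits))
    return alerts


def nft_block_rules(table: str = "inet filter", chain: str = "output") -> List[str]:
    """nftables commands dropping egress to the C2 IP and port (names are assumptions)."""
    return [
        f"nft add rule {table} {chain} ip daddr {C2_IP} drop",
        f"nft add rule {table} {chain} tcp dport {C2_PORT} drop",
    ]


# Constructed sample log (not captured traffic): a beacon to the C2 port, a
# payload fetch from the same IP over HTTP, a port-only match to an unrelated
# host, benign HTTPS, a comment, and a malformed line.
SAMPLE_LOG = [
    "2026-03-18T10:00:01Z,10.0.0.5,51234,103.177.110.202,5444,tcp",
    "2026-03-18T10:00:02Z,10.0.0.5,51240,103.177.110.202,80,tcp",
    "2026-03-18T10:00:03Z,10.0.0.7,40001,192.0.2.10,5444,tcp",
    "2026-03-18T10:00:04Z,10.0.0.7,40002,192.0.2.10,443,tcp",
    "# ts,src_ip,src_port,dst_ip,dst_port,proto",
    "not a flow record",
]

if __name__ == "__main__":
    for flow, hits in scan(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} {','.join(hits)}")
    print("\n".join(nft_block_rules()))
```

A hit on the published IP is high confidence; a hit on port 5444 alone is a triage lead, since the port is not reserved and legitimate services may use it, which is also why the port-drop rule deserves a check against existing traffic before deployment. The IP rule is only as durable as the attacker's infrastructure, so pair it with the Jenkins hardening steps rather than relying on it alone.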

Source: https://cybersecuritynews.com/new-ddos-malware-exploits-jenkins/

Jenkins cybersecurity rating report: https://www.rankiteo.com/company/jenkinsio

Valve corporation cybersecurity rating report: https://www.rankiteo.com/company/valve-corporation

{
  "id": "JENVAL1777645518",
  "linkid": "jenkinsio, valve-corporation",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'Users of Counter-Strike and '
                                              'Team Fortress 2 game servers',
                        'industry': 'Gaming/Video Games',
                        'name': 'Valve Corporation',
                        'type': 'Company'}],
 'attack_vector': 'Exposed Jenkins instances with weak/default credentials '
                  '(RCE endpoint)',
 'date_detected': '2026-03-18',
 'description': 'Security researchers at Darktrace uncovered a sophisticated '
                'DDoS botnet exploiting misconfigured Jenkins servers to '
                'launch attacks against Valve Source Engine game '
                'infrastructure, including Counter-Strike and Team Fortress 2 '
                'servers. The malware, first detected on March 18, 2026, via '
                'Darktrace’s CloudyPots honeypot network, stands out for its '
                'cross-platform capabilities and precise targeting of the '
                'gaming sector, which Cloudflare ranks as the fourth most '
                'attacked industry globally.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to Valve '
                                       'and affected game communities',
            'operational_impact': 'Overwhelmed game servers leading to service '
                                  'disruption',
            'systems_affected': 'Valve Source Engine game servers '
                                '(Counter-Strike, Team Fortress 2)'},
 'initial_access_broker': {'backdoors_established': 'Malware persistence via '
                                                    'Jenkins environment '
                                                    'variables, process '
                                                    'renaming, and signal '
                                                    'evasion',
                           'entry_point': 'Exposed Jenkins instances with '
                                          'weak/default credentials',
                           'high_value_targets': 'Valve Source Engine game '
                                                 'servers (Counter-Strike, '
                                                 'Team Fortress 2)'},
 'investigation_status': 'Ongoing (research and mitigation recommendations '
                         'provided)',
 'lessons_learned': 'Misconfigured Jenkins servers with weak/default '
                    'credentials are prime targets for DDoS botnets. '
                    'Cross-platform malware can exploit both Windows and Linux '
                    'systems, and the gaming industry is increasingly targeted '
                    'by cybercriminals.',
 'motivation': 'Disruption of gaming services (potential financial gain or '
               'competitive advantage)',
 'post_incident_analysis': {'corrective_actions': ['Secure Jenkins instances '
                                                   'with strong authentication '
                                                   'and restrict public access',
                                                   'Implement network-level '
                                                   'protections (e.g., '
                                                   'blocking C2 ports/IPs)',
                                                   'Monitor for unusual '
                                                   'process behavior and log '
                                                   'redirections'],
                            'root_causes': ['Misconfigured Jenkins servers '
                                            'with weak/default credentials',
                                            'Exposed RCE endpoints in Jenkins '
                                            'instances',
                                            'Lack of network-level protections '
                                            'against DDoS attacks targeting '
                                            'gaming infrastructure']},
 'recommendations': ['Block TCP port 5444 and the attacker IP '
                     '(103[.]177.110.202) at the network perimeter',
                     'Secure Jenkins instances with strong authentication and '
                     'restrict public access',
                     'Monitor for unusual process names (e.g., ksoftirqd/0, '
                     'kworker) and log redirections to /dev/null',
                     'Implement network-level protections against UDP/TCP/HTTP '
                     'flood attacks, particularly those targeting Valve Source '
                     'Engine protocols'],
 'references': [{'source': 'Darktrace'}],
 'response': {'containment_measures': ['Blocking TCP port 5444 (C2 '
                                       'communication)',
                                       'Blocking attacker IP '
                                       '(103[.]177.110.202) at network '
                                       'perimeter'],
              'remediation_measures': ['Securing Jenkins instances with strong '
                                       'authentication',
                                       'Restricting public access to Jenkins '
                                       'servers'],
              'third_party_assistance': 'Darktrace (security research and '
                                        'mitigation recommendations)'},
 'title': 'New DDoS Botnet Targets Valve Source Engine Game Servers via '
          'Exposed Jenkins Instances',
 'type': 'DDoS Botnet',
 'vulnerability_exploited': 'Remote Code Execution (RCE) in misconfigured '
                            'Jenkins servers'}