Kamasers is a sophisticated malware botnet engineered to execute both application-layer and transport-layer DDoS attacks across a wide range of vectors, including HTTP GET/POST floods, TLS handshake exhaustion, UDP and TCP floods, GraphQL API abuse, and advanced bypass techniques targeting WAFs and CDNs.
What sets Kamasers apart from conventional DDoS tools is its secondary capability as a malware loader: the C2 server can push executable payloads to compromised hosts, which dramatically expands the blast radius of a single infection.
Security researchers at ANY.RUN, who conducted in-depth behavioral analysis and reverse engineering of the samples, have also identified Udados as a likely evolution or updated variant within the same malware family.
Kamasers DDoS Botnet With Loader Capabilities
Kamasers has been confirmed to spread through two well-established malware delivery platforms: GCleaner and Amadey, both of which are commonly used as initial-access loaders in multi-stage attack chains.
This distribution pattern places Kamasers squarely within the broader malware-as-a-service ecosystem, where threat actors pay for pre-built infection pipelines to deploy their tools at scale. The use of established delivery infrastructure signals that Kamasers operators are experienced actors with access to organized cybercriminal supply chains.
One of Kamasers’ most technically sophisticated features is its Dead Drop Resolver (DDR) mechanism, which uses legitimate public platforms (GitHub Gist, Telegram, Dropbox, and Bitbucket) as intermediary relays to deliver the actual C2 server address to infected bots.
Links to these services are not stored in plain text within the binary; instead, they are dynamically constructed and unpacked at runtime, making them invisible to static analysis tools.
If the first DDR channel fails, the bot automatically cascades through fallback channels — Telegram, then Dropbox, then Bitbucket — and ultimately falls back to a hardcoded list of backup domains, including pitybux[.]com, ryxuz[.]com, toksm[.]com, and Boskuh[.]com.
In some observed cases, infected hosts were also seen querying api.etherscan.io, the Ethereum blockchain explorer API, to retrieve C2 addresses embedded within blockchain data — a novel abuse of public Web3 infrastructure for command-and-control evasion.
Behavioral analysis of Kamasers sessions consistently revealed connections to IP addresses associated with Railnet LLC’s ASN, a hosting provider publicly reported as a front for Virtualine, a bulletproof hosting service with no KYC (Know Your Customer) procedures.
Railnet infrastructure has been linked to campaigns targeting government and private-sector organizations in Switzerland, Germany, Ukraine, Poland, and France, and has previously been used to distribute other malware families, including Latrodectus, linked to threat group TA577.
Its ASN appears repeatedly across diverse malware campaigns, making it an established infrastructure hub for threat actors operating across multiple families.
Kamasers’ targeting profile is international in scope. Submission data indicates the highest visibility in Germany and the United States, with additional cases recorded in Poland and LATAM-region targets.
The sectors most frequently affected include education, telecommunications, and technology organizations.
Notably, control commands in Spanish, including !descargar (the Spanish-language equivalent of !download), were observed during analysis sessions, suggesting that the botnet operators may have roots in a Spanish-speaking environment, though the campaign clearly operates on a global scale.
Security researchers observed the botnet receiving !download commands instructing it to retrieve PE executable files from external domains, verify MZ signatures, map sections into memory, and transfer execution to the entry point, a fully implemented Download & Execute routine.
This capability means any Kamasers-infected host can become a staging point for ransomware, infostealers, or remote access trojans, with the full attack chain potentially unfolding within hours of initial compromise.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| SHA-256 | F6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b |
| SHA-256 | Dd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a |
| SHA-256 | 071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52 |
| C2 URL | hxxp://45[.]151[.]91[.]187/pa[.]php |
| C2 URL | hxxp://91[.]92[.]240[.]50/pit/wp[.]php |
| C2 URL | hxxp://178[.]16[.]54[.]87/uda/ph[.]php |
| DDR (GitHub) | gist[.]github[.]com/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa[.]js |
| DDR (Telegram) | api[.]telegram[.]org/bot8215158687:AAFgSms... |
| Fallback Domain | pitybux[.]com, ryxuz[.]com, toksm[.]com, Boskuh[.]com |
Detection Recommendations
Security teams should treat Kamasers as a dual threat, both a DDoS weapon and a ransomware delivery vehicle, and apply detection strategies accordingly. Key actions include:
- Monitor outbound connections to GitHub Gist, Telegram bots, Dropbox, and Bitbucket from non-user endpoints, as these may indicate DDR activity
- Flag Railnet/Virtualine ASN traffic as high-priority suspicious behavior across network telemetry
- Deploy behavioral sandboxing to detect the !download execution chain, C2 beacon patterns, and DDoS command parsing in suspicious binaries
- Hunt using threat intelligence with queries like threatName:"kamasers" and destinationIpAsn:"railnet" in TI Lookup platforms to surface related infrastructure and campaign artifacts.
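The first recommendation above (DDR relay contact from non-user endpoints) and the fallback cascade described earlier can be turned into concrete egress-log rules. The following is an added example, not code from the article or from ANY.RUN: it runs four rules over a handful of constructed proxy log lines in a made-up key=value format. The fallback domains, C2 hosts and the Gist path are taken from the article's IoC table and kept defanged in the source; the host names, roles, timestamps, the 120-second cascade window and the Telegram bot path are constructed placeholders.

```python
"""Egress-log detection for the Kamasers dead-drop-resolver pattern.

Added example (not the article's or ANY.RUN's code). Log format, host names,
roles and thresholds are constructed; indicators come from the article's IoC table.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Indicators copied from the article's IoC table, kept defanged as published.
FALLBACK_DOMAINS = ["pitybux[.]com", "ryxuz[.]com", "toksm[.]com", "Boskuh[.]com"]
C2_HOSTS = ["45[.]151[.]91[.]187", "91[.]92[.]240[.]50", "178[.]16[.]54[.]87"]
DDR_GIST_PATH = "/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa.js"

# Legitimate services the article names as dead-drop relays. The service itself is
# benign; the suspicious case is contact from a server/appliance that has no user.
DDR_RELAYS = {
    "gist.github.com": "github_gist",
    "api.telegram.org": "telegram_bot",
    "www.dropbox.com": "dropbox",
    "dl.dropboxusercontent.com": "dropbox",
    "bitbucket.org": "bitbucket",
    "api.etherscan.io": "etherscan",
}
NON_USER_ROLES = {"server", "appliance", "kiosk"}   # constructed asset roles
CASCADE_WINDOW_SECONDS = 120                          # constructed threshold

# Constructed log format: "<ts> host=<name> role=<role> dst=<host> path=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) role=(?P<role>\S+) dst=(?P<dst>\S+) path=(?P<path>\S*)$"
)

# Constructed sample lines; the Telegram bot token is a placeholder, not the page's.
SAMPLE_LOGS = """\
2024-05-02T09:00:01Z host=srv-files-07 role=server dst=gist.github.com path=/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa.js
2024-05-02T09:00:04Z host=srv-files-07 role=server dst=api.telegram.org path=/bot0000000000:PLACEHOLDER/getUpdates
2024-05-02T09:00:09Z host=srv-files-07 role=server dst=www.dropbox.com path=/s/constructed/c2.txt
2024-05-02T09:00:15Z host=srv-files-07 role=server dst=pitybux.com path=/
2024-05-02T09:01:30Z host=ws-0142 role=workstation dst=gist.github.com path=/someuser/readme.md
2024-05-02T09:02:00Z host=ws-0142 role=workstation dst=api.telegram.org path=/v1/web
2024-05-02T09:03:00Z host=ws-0199 role=workstation dst=www.dropbox.com path=/home
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) into a lower-case matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dst"] = rec["dst"].lower()
    return rec


def analyse(log_text: str):
    """Return (severity, host, rule, detail) alerts for every matching rule."""
    alerts = []
    known_bad = {refang(d) for d in FALLBACK_DOMAINS + C2_HOSTS}
    relay_hits = defaultdict(list)  # host -> [(ts, relay_name)] for the cascade rule

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, dst, path = rec["host"], rec["dst"], rec["path"]

        # Rule 1: any contact with a published fallback domain or C2 host.
        if dst in known_bad:
            alerts.append(("high", host, "known_c2_or_fallback", dst + path))
        # Rule 2: the published Gist path is an IoC whatever the endpoint role.
        if dst == "gist.github.com" and path == DDR_GIST_PATH:
            alerts.append(("high", host, "known_ddr_gist", dst + path))

        relay = DDR_RELAYS.get(dst)
        if relay is None:
            continue
        if relay == "telegram_bot" and not path.startswith("/bot"):
            continue  # ordinary Telegram web traffic, not the bot API
        relay_hits[host].append((rec["ts"], relay))
        # Rule 3: DDR relay contact from an endpoint with no interactive user.
        if rec["role"] in NON_USER_ROLES:
            alerts.append(("medium", host, "ddr_relay_from_non_user_endpoint", f"{relay} {dst}{path}"))

    # Rule 4: fallback cascade, one host touching >= 2 distinct relays inside the window.
    for host, hits in relay_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            relays = {r for t, r in hits[i:] if (t - t0).total_seconds() <= CASCADE_WINDOW_SECONDS}
            if len(relays) >= 2:
                alerts.append(("high", host, "ddr_fallback_cascade", ",".join(sorted(relays))))
                break
    return alerts


if __name__ == "__main__":
    for sev, host, rule, detail in analyse(SAMPLE_LOGS):
        print(f"[{sev}] {host} {rule}: {detail}")
```

On the sample above only the server host raises alerts: the published Gist path, three relay contacts from a non-user endpoint, the fallback domain, and the cascade across three relays within the window. The two workstations that touch a single relay each stay silent, which is the point of combining the role and cascade rules rather than alerting on every Gist or Telegram request.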
Kamasers demonstrates that modern botnets are no longer single-purpose tools — they are modular, resilient platforms capable of pivoting from network disruption to full-scale business compromise with a single command from the C2 server.
The post Kamasers DDoS Botnet With Loader Capabilities Attacking Organizations to Deploy Ransomware appeared first on Cyber Security News.
