New DDoS Malware Exploits Jenkins to Attack Valve Source Engine Game Servers

A newly discovered DDoS botnet is exploiting exposed Jenkins servers to launch powerful attacks against Valve Source Engine game infrastructure.

Security researchers at Darktrace identified the threat after capturing it on one of their honeypot systems.

What makes this malware stand out is its specific targeting of video game servers, combined with a cross-platform infection process that drops payloads for both Windows and Linux.

Jenkins is a widely used continuous integration tool that helps software developers run tests and build code automatically.

When poorly configured, it exposes a remote code execution path that attackers abuse: anyone who can authenticate can make the server run arbitrary commands.

In this campaign, attackers found a Jenkins instance with a weak password and used that open door to deliver malicious code onto the target machine.

The attack method is simple but effective, since many organizations still leave Jenkins accessible without strong authentication.

Darktrace analysts first identified this threat on March 18, 2026, when a threat actor targeted a Jenkins honeypot operated by the company’s global honeypot network, known as “CloudyPots.”

Further investigation by Darktrace’s Threat Research team confirmed the botnet was specifically built to attack Valve Source Engine game servers, including those running Counter-Strike and Team Fortress 2.

The findings reflect a broader pattern where cyber attackers are increasingly targeting the gaming sector, which Cloudflare has identified as the fourth most targeted industry globally.

Once a Jenkins server is compromised, the malware drops payloads for both Windows and Linux systems. On Windows, a payload is downloaded from a remote IP and saved under a filename disguised as a system update file.

On Linux, a Bash command pulls the payload into the /tmp directory and executes it. The IP used for both delivery and command-and-control communication belongs to a Vietnamese hosting provider, which is unusual, since most malware families keep their delivery and C2 infrastructure separate for better resilience.

The botnet supports multiple DDoS methods, including UDP floods, TCP push attacks, and HTTP request floods. One technique, called “attack_dayz,” sends “TSource Engine Query” packets, which force Valve Source Engine servers to return large volumes of data.

By flooding a target with small requests and triggering large responses, an attacker can exhaust server resources using comparatively little bandwidth, making it a dangerous amplification attack for game server operators.
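The query the article describes is the Valve A2S_INFO request, whose wire format is a 4-byte 0xFF header followed by the literal string “TSource Engine Query” and a NUL. The server-side detector below is an added example, not code from Darktrace or the article: it matches that exact prefix, counts queries per source over a sliding one-second window, and flags sources above a threshold. The packet tuple format, the threshold and the sample traffic are constructed for this example.

```python
from collections import defaultdict

# Wire format of the A2S_INFO request the article calls a "TSource Engine
# Query": 4-byte 0xFF header, the literal string, terminating NUL.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"


def is_a2s_info_query(udp_payload: bytes) -> bool:
    return udp_payload.startswith(A2S_INFO_QUERY)


def flag_query_floods(packets, window_s=1.0, threshold=50):
    """packets: iterable of (timestamp_seconds, src_ip, udp_payload).

    Returns {src_ip: peak_count} for every source that sent at least
    `threshold` A2S_INFO queries inside any sliding window of `window_s`.
    Other game traffic (A2S_PLAYER, gameplay) is ignored.
    """
    per_src = defaultdict(list)
    for ts, src, payload in packets:
        if is_a2s_info_query(payload):
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        head = 0
        for tail, t in enumerate(times):
            while t - times[head] > window_s:  # slide the window start forward
                head += 1
            count = tail - head + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def sample_packets():
    """Constructed traffic: one ordinary server-browser query from 192.0.2.10,
    a flooder at 198.51.100.7 sending 200 queries in half a second, and one
    unrelated A2S_PLAYER challenge request that must not be counted."""
    pkts = [(0.0, "192.0.2.10", A2S_INFO_QUERY)]
    pkts += [(0.0025 * i, "198.51.100.7", A2S_INFO_QUERY) for i in range(200)]
    pkts.append((0.3, "192.0.2.10", b"\xff\xff\xff\xffU\xff\xff\xff\xff"))
    return pkts


if __name__ == "__main__":
    for src, peak in flag_query_floods(sample_packets()).items():
        print(f"{src}: {peak} A2S_INFO queries within 1s")
```

In production the same function can be fed from a packet capture on the game server's UDP port; the per-source peak is what you would forward to a rate limiter or a SIEM alert.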

Infection Mechanism and Persistence

After landing on a Linux system, the malware immediately works to stay hidden and resist removal. It sets Jenkins environment variables to “dontKillMe,” tricking Jenkins into letting the process run beyond its usual timeout.

Without this, Jenkins would automatically shut down the malicious process. This small but effective step allows the malware to survive on a compromised server without immediate detection.

Malicious script decoded using CyberChef (Source – Darktrace)

The malware then deletes its original executable and renames itself to look like a legitimate Linux kernel process, either “ksoftirqd/0” or “kworker,” both names of genuine kernel threads present on every standard Linux installation.

It uses a double fork method to run silently as a background daemon and redirects its standard input, output, and error channels to /dev/null, so nothing it prints is ever written to a terminal or a log.

It also intercepts termination signals such as SIGTERM, causing them to be ignored and making it harder to stop the process with normal commands.

Stealth component of the main function (Source – Darktrace)
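The kernel-thread disguise described above can be checked from the host. The following is an added example, not Darktrace's or the article's code: genuine kernel threads are children of kthreadd (PID 2), have no target behind /proc/PID/exe and an empty cmdline, so a user-space process wearing a ksoftirqd or kworker name fails at least one of those tests, and an exe link ending in “(deleted)” additionally matches the self-deleting loader. It assumes standard Linux procfs semantics; the name pattern and reason strings are this example's own.

```python
import os
import re

# Kernel-thread names the article says the malware adopts after renaming itself.
MASQUERADE_NAMES = re.compile(r"^(ksoftirqd/\d+|kworker(/.*)?)$")
KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd

def looks_like_masquerade(comm, ppid, exe_link, cmdline):
    """Return why a kernel-thread-named process looks like user space, else None.

    Genuine kernel threads have PPid 2, no /proc/PID/exe target and an empty
    cmdline; an exe ending in "(deleted)" matches the self-deleting loader.
    """
    if not MASQUERADE_NAMES.match(comm):
        return None
    reasons = []
    if ppid != KTHREADD_PID:
        reasons.append(f"parent pid {ppid} is not kthreadd")
    if exe_link:
        reasons.append("has an executable path: " + exe_link)
        if exe_link.endswith("(deleted)"):
            reasons.append("executable was deleted from disk")
    if cmdline:
        reasons.append("non-empty cmdline: " + cmdline)
    return "; ".join(reasons) or None

def read_proc(pid):
    """Collect (comm, ppid, exe_link, cmdline) for one PID from /proc."""
    base = f"/proc/{pid}"
    with open(f"{base}/status") as fh:
        fields = dict(line.split(":", 1) for line in fh if ":" in line)
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = ""  # kernel threads have no exe target
    with open(f"{base}/cmdline", "rb") as fh:
        cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    return fields["Name"].strip(), int(fields["PPid"]), exe, cmdline

def scan_proc():
    """Walk /proc and return [(pid, reason)] for every suspicious process."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            reason = looks_like_masquerade(*read_proc(pid))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan or its status was unreadable
        if reason:
            hits.append((int(pid), reason))
    return hits
```

Run `scan_proc()` as root so every process's exe link is readable; on a clean host it returns an empty list.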

Once active, the malware connects to the C2 server, reports system architecture, and enters a loop waiting for attack instructions.

Three utility commands exist: “PING” for keep-alive checks, “!stop” to exit, and “!update” to pull a newer version from the C2 server and restart.

Server operators running Valve Source Engine game servers should act now to reduce exposure.

Removing public access to Jenkins endpoints, enforcing strong authentication, and monitoring outbound traffic for unusual connections are essential first steps.

Blocking TCP port 5444 at the firewall is also recommended, as the payload uses this port for its C2 communication.

Organizations should block the confirmed attacker IP 103[.]177.110.202 at the network perimeter and review all published indicators of compromise without delay.


The post New DDoS Malware Exploits Jenkins to Attack Valve Source Engine Game Servers appeared first on Cyber Security News.
