The CI/CD Pipeline as a Weapon: New Jenkins-Based Botnet Targets Valve Source Engine Infrastructure

In a striking demonstration of how lateral movement can occur from administrative tools to global disruption, a new DDoS botnet has emerged, specifically engineered to strike at the heart of online gaming.

By exploiting exposed and poorly secured Jenkins Continuous Integration (CI) servers, threat actors are repurposing enterprise automation tools into high-powered attack nodes. The primary target? The Valve Source Engine infrastructure, which powers massive multiplayer titles such as Counter-Strike and Team Fortress 2.

This campaign serves as a critical reminder that a single misconfigured CI server isn’t just a data leak risk—it is a potential launchpad for multi-platform volumetric attacks, including UDP, TCP, and sophisticated application-layer floods.

The discovery was made possible through Darktrace’s CloudyPots, a global honeypot network. By emulating internet-facing services across various cloud environments and protocols, CloudyPots allows researchers to observe attacker methodologies in a controlled, real-time environment. Among these decoys, Darktrace deployed a Jenkins instance configured with intentional credential weaknesses to attract brute-force attempts and observe the subsequent exploitation chain.

On March 18, 2026, an unidentified actor successfully authenticated to the Jenkins honeypot. Darktrace analysts observed the attacker immediately pivot from initial access to the deployment of a specialized DDoS botnet tuned for gaming environments.

Exploiting the Jenkins scriptText Endpoint for RCE

The technical core of this exploit lies in the abuse of the Jenkins scriptText endpoint. This feature is designed to allow administrators to execute Groovy scripts directly on the server to manage automation tasks. However, when left exposed to the public internet with weak authentication, it effectively becomes a built-in Remote Code Execution (RCE) backdoor.

Request sent to the scriptText endpoint containing the malicious script (Source : Darktrace).
A captured request sent to the scriptText endpoint containing a malicious payload (Source: Darktrace).

The attackers delivered their payload via URL-encoded form-data. Upon decoding the script, analysts identified a dual-branch execution logic designed to infect both Windows and Linux environments simultaneously.

  • Windows Execution: The script targets the Windows Temp directory to download a payload from 103[.]177.110[.]20. It then renames the file to appear as a benign executable, bypasses local internet download restrictions, and opens TCP port 5444 to establish Command-and-Control (C2) communications.
  • Linux Execution: The script utilizes a lightweight Bash one-liner to fetch a 64-bit bot binary into the /tmp directory, executing it instantly to minimize the disk footprint and speed up the infection lifecycle.

Threat intelligence linked the IP 103[.]177.110[.]20 to the Vietnamese hosting provider Webico (Tino brand). Notably, the attackers utilized a highly consolidated infrastructure; the same IP address was used for initial delivery, payload hosting, and C2 instructions. While this “all-in-one” approach reduces the operational overhead for the attacker, it also significantly increases the risk of the entire botnet being neutralized if a single IP is flagged and blacklisted.

On Linux systems, the malware employs several stealth techniques to ensure persistence. It sets Jenkins-related environment variables to “dontKillMe” to prevent Jenkins from timing out the process. It then executes a “double fork” to daemonize, renames itself to mimic legitimate kernel processes like kworker or ksoftirqd/0, and redirects all standard I/O to /dev/null to avoid detection in system logs.

Initial connection to the C2 server (Source : Darktrace).
The malware establishing its initial handshake with the C2 server (Source: Darktrace).

Specialized Capabilities: Targeting the Source Engine

The botnet is not a generic flood tool; it is purpose-built for the gaming industry. While it supports standard volumetric attacks, its true strength lies in its ability to exploit the specific protocols used by online games.

Code for the UDP attack method (Source : Darktrace).
Analysis of the underlying UDP attack logic (Source: Darktrace).

Key attack vectors include:

  • Optimized UDP Floods: The bot can alternate between large 1,450-byte packets to saturate bandwidth and tiny 64-byte packets to maximize packets-per-second (PPS) to overwhelm network stacks.
  • Source Engine Query Exploitation: A specialized function, attack_dayz, sends crafted Valve Source Engine Query packets. This triggers an amplification effect where the target game server is forced to send much larger responses, effectively using the server’s own resources against itself.
  • Application-Layer Attacks: The bot utilizes non-blocking, no-delay sockets to launch high-rate HTTP GET requests and TCP push floods.
The code for the HTTP attack function (Source : Darktrace).
Implementation of the HTTP-based attack function (Source: Darktrace).

Conclusion and Defensive Recommendations

This evolution in botnet design highlights a growing trend: attackers are no longer just looking for “powerful” servers; they are looking for any available server to add to their collective strength. For a botnet operator, the utility of a host is measured by its connectivity and uptime, not its importance to the enterprise that owns it.

To mitigate these risks, organizations should:

  • Hardened CI/CD Security: Never expose Jenkins or similar CI/CD tools directly to the public internet. Use VPNs or Zero Trust Network Access (ZTNA) to gate access.
  • Credential Hygiene: Implement strong, multi-factor authentication (MFA) for all administrative interfaces.
  • Network Segmentation: Ensure that build servers are isolated from critical production environments to prevent lateral movement.
  • Gaming Infrastructure Protection: Game server operators should implement robust DDoS mitigation strategies, specifically targeting UDP/Source Engine ports (such as 27015) and monitoring for unexpected query amplification.

Related Articles

Back to top button