Figure: Request sent to the scriptText endpoint containing the malicious script (Image: Darktrace)
Cybersecurity analysts at Darktrace have uncovered a new distributed denial-of-service (DDoS) botnet that specifically targets the video game industry. By exploiting internet-facing Jenkins servers, attackers are building a powerful network capable of launching sophisticated, multi-platform attacks against game servers.
The campaign was first observed on March 18, 2026, when a threat actor attempted to compromise a Jenkins honeypot. This discovery serves as a reminder that even “lower-value” misconfigured systems can be a goldmine for botnet operators seeking to grow their strength at scale.
The attack begins by targeting the Jenkins build system, a popular tool used by developers to automate code building and testing. Attackers focus on the scriptText endpoint, which allows users to programmatically send new jobs using Groovy scripts.
By abusing this endpoint, attackers can bypass traditional restrictions and achieve remote code execution. As the report details, “An attacker can abuse the scriptText endpoint to run a malicious script, achieving code execution on the victim host”.
Once the attacker gains access, they deploy a multi-platform payload designed to function across different operating systems. The botnet is equipped with a variety of attack vectors, allowing it to disrupt services through:
- UDP and TCP Floods: Overwhelming network capacity with high volumes of traffic.
- Application-Layer Attacks: Targeting specific server functions to exhaust resources.
- Game-Specific Techniques: Utilizing specialized DoS methods tailored to crash or lag video game servers.
The presence of these specialized techniques highlights that “the gaming industry continues to be extensively targeted by cyber attackers,” ranking as one of the most frequently hit sectors worldwide.
To maintain its presence, the botnet utilizes several evasion tactics. The malware installs itself in a way that avoids common detection signatures and often communicates with its command-and-control (C2) infrastructure using encrypted or obfuscated channels.
The analysts noted that the botnet’s effectiveness relies on numbers; while individual compromised hosts might not be high-value, their collective power in a coordinated DDoS attack is devastating.
The emergence of this botnet demonstrates that “attackers continue to opportunistically exploit any internet-facing misconfiguration”. For organizations using Jenkins or similar CI/CD tools, this is a call to action to audit their security postures.
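One starting point for such an audit is to search reverse-proxy access logs for requests to the Jenkins script console. The following is an added example, not code from Darktrace or the original article. It assumes Jenkins sits behind a proxy that writes combined-format access logs; the log lines, IP addresses and `admin_ips` allowlist are constructed for illustration, and it also matches `/script`, the interactive form of the same console, which the article does not name.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Script console endpoints, at the root, under a URL prefix, or under /computer/<node>/.
CONSOLE_RE = re.compile(r'(?:^|/)(?:scriptText|script)/?$')

def find_script_console_hits(lines, admin_ips=frozenset()):
    """Return {source_ip: [hit, ...]} for script console requests not from admin_ips."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        path = urlsplit(m["target"]).path  # drop any query string before matching
        if not CONSOLE_RE.search(path) or m["ip"] in admin_ips:
            continue
        status = int(m["status"])
        hits[m["ip"]].append({
            "time": m["ts"],
            "method": m["method"],
            "path": path,
            "user": m["user"],
            "status": status,
            # 2xx means Jenkins accepted the request: treat as possible code execution.
            "executed": 200 <= status < 300,
        })
    return dict(hits)

# Constructed sample log lines (documentation-range IPs), not taken from the report.
SAMPLE_LOG = [
    '198.51.100.23 - - [18/Mar/2026:04:12:09 +0000] "POST /scriptText HTTP/1.1" 200 58 "-" "curl/8.5.0"',
    '198.51.100.23 - - [18/Mar/2026:04:12:11 +0000] "GET /login HTTP/1.1" 200 2011 "-" "curl/8.5.0"',
    '203.0.113.7 - - [18/Mar/2026:05:40:31 +0000] "POST /jenkins/scriptText?x=1 HTTP/1.1" 403 312 "-" "python-requests/2.31"',
    '192.0.2.10 - admin [18/Mar/2026:09:02:44 +0000] "POST /script HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [18/Mar/2026:09:05:00 +0000] "GET /job/build/descriptor HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in find_script_console_hits(SAMPLE_LOG, admin_ips={"192.0.2.10"}).items():
        for h in found:
            flag = "EXECUTED?" if h["executed"] else "blocked"
            print(f'{ip} {h["time"]} {h["method"]} {h["path"]} -> {h["status"]} {flag}')
```

Any 2xx hit from an address outside the allowlist is worth investigating as a possible compromise, while repeated 401/403 hits indicate scanning against an instance that is reachable from the internet.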