In a recent report, Cloudflare reveals details about the threat actor LameDuck (Anonymous Sudan), a pro-Islamic, anti-Western group responsible for over 35,000 DDoS attacks against targets worldwide. Active since January 2023, LameDuck has managed a large-scale DDoS operation known as the Skynet Botnet, targeting high-profile sectors and leveraging cloud infrastructure in ways that challenge conventional defenses.
The U.S. Department of Justice (DOJ) recently unsealed an indictment against two Sudanese brothers for orchestrating LameDuck’s operations. According to Cloudflare, this group is known for “launching thousands of DDoS attacks against a wide array of global targets across critical infrastructure,” such as hospitals, banks, and government agencies. Their tactics were not limited to politically motivated attacks; they also ran DDoS-for-hire services, allowing customers to conduct attacks for a fee.
Unlike traditional botnets, LameDuck’s Skynet Botnet is a Distributed Cloud Attack Tool (DCAT) designed to distribute attacks through a unique, multi-component system. As Cloudflare explains, Skynet consists of “
- A command and control (C2) server
- Cloud-based servers that receive commands from the C2 server and forward them to open proxy resolvers
- Open proxy resolvers run by unaffiliated third parties, which then transmit the DDoS attack traffic to LameDuck targets”
This setup allows LameDuck to amplify attack traffic while avoiding conventional botnet infrastructure, making it more challenging to trace.
LameDuck’s operations blend financial motives with political ideology, creating a complex narrative. While the group has publicly championed anti-Western and pro-Sudanese rhetoric, it has also targeted organizations for financial gain through DDoS extortion. In one instance, the group attacked Microsoft and demanded $1 million to halt operations, and in another, Scandinavian Airlines faced escalating ransom demands reaching $3 million. Cloudflare’s report suggests that LameDuck may be using ideological messaging to bolster its reputation while primarily focusing on profit.
LameDuck’s choice of targets reflects both political and strategic priorities, with attacks often aligned with high-impact events. For instance, they targeted Israeli organizations following the Hamas attacks in October 2023 and launched DDoS attacks on Swedish organizations, purportedly in response to Quran burnings. Additionally, LameDuck’s “attacks against Kenyan organizations could be explained by the increasingly tense relations between the Sudanese government and Kenya”.
The group’s attack methods reveal calculated tactics, such as launching attacks during high-demand periods for maximum disruption and targeting resource-intensive endpoints within infrastructures to increase the strain on systems. These strategies, including subdomain flooding and the “blitz approach,” make LameDuck’s campaigns particularly disruptive.
The revelation of LameDuck’s operations exposes vulnerabilities in modern cyber defenses, especially regarding DDoS protection. Cloudflare’s report highlights how the group’s use of cloud servers and open proxies for anonymity underscores the need for advanced detection techniques that can adapt to this decentralized approach.
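As an added illustration of the two tactics named above (subdomain flooding and concentration on resource-intensive endpoints), the following Python sketch scores per-client, per-minute behaviour in an HTTP access log. It is an example written for this article, not code from Cloudflare's report or any LameDuck tooling. The log format, the field order, the thresholds and every IP and hostname in it are constructed for the demonstration; a production detector would use sliding windows and a learned baseline rather than fixed cut-offs.

```python
"""Flag two DDoS tactics in access logs: many distinct subdomains hit by one
client in a short window, and repeated hits on expensive endpoints.
Constructed example; thresholds and log layout are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not captured traffic). Fields are assumed to be:
# ISO timestamp, client IP, requested Host header, path, server time in ms.
SAMPLE_LOG = """\
2024-11-01T12:00:01 203.0.113.10 a1.example.test /search?q=x 300
2024-11-01T12:00:02 203.0.113.10 a2.example.test /search?q=y 310
2024-11-01T12:00:03 203.0.113.10 a3.example.test /search?q=z 290
2024-11-01T12:00:04 203.0.113.10 a4.example.test /search?q=w 305
2024-11-01T12:00:05 203.0.113.10 a5.example.test /search?q=v 295
2024-11-01T12:00:06 203.0.113.10 a6.example.test /search?q=u 300
2024-11-01T12:00:07 198.51.100.7 www.example.test /index.html 12
2024-11-01T12:00:08 198.51.100.7 www.example.test /static/app.js 8
2024-11-01T12:00:09 198.51.100.7 www.example.test /about 15
2024-11-01T12:01:10 192.0.2.44 www.example.test /report/export 1500
2024-11-01T12:01:11 192.0.2.44 www.example.test /report/export 1480
2024-11-01T12:01:12 192.0.2.44 www.example.test /report/export 1520
2024-11-01T12:01:13 192.0.2.44 www.example.test /report/export 1490
"""


def parse_line(line):
    """Split one constructed log line into a record; query strings are dropped
    so that /search?q=x and /search?q=y count as the same endpoint."""
    ts, src, host, path, ms = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "host": host,
        "path": path.split("?", 1)[0],
        "ms": int(ms),
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(records, window_s=60, distinct_hosts_max=5,
           expensive_ms=500, expensive_hits_max=3):
    """Aggregate per (client, fixed time window) and return
    {client_ip: [reason, ...]} for clients that cross a threshold."""
    stats = defaultdict(lambda: {"hosts": set(), "expensive": 0, "cost_ms": 0})
    for r in records:
        window = int(r["ts"].timestamp()) // window_s
        s = stats[(r["src"], window)]
        s["hosts"].add(r["host"])          # subdomain spread per client
        if r["ms"] >= expensive_ms:        # backend-heavy request
            s["expensive"] += 1
            s["cost_ms"] += r["ms"]

    findings = {}
    for (src, _window), s in stats.items():
        reasons = []
        if len(s["hosts"]) > distinct_hosts_max:
            reasons.append(f"subdomain_flood:{len(s['hosts'])} hosts")
        if s["expensive"] > expensive_hits_max:
            reasons.append(
                f"expensive_endpoint_concentration:{s['expensive']} hits,"
                f" {s['cost_ms']} ms of backend time")
        if reasons:
            findings.setdefault(src, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for src, reasons in detect(parse_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

On the constructed sample, 203.0.113.10 is flagged for spreading requests over six distinct subdomains within one minute, 192.0.2.44 for repeatedly hitting an endpoint that costs the backend more than a second per request, and 198.51.100.7 (ordinary browsing) is not flagged. Because the report notes that the traffic arrives through open proxies run by third parties, the client IP is the proxy, so findings like these are better fed into rate limiting or challenge logic than into blocklists.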