
Jenkins Honeypot Uncovers DDoS Botnet Targeting Counter-Strike Servers

By xploitzone
May 2, 2026 5:47 PM

Darktrace's CloudyPots honeypot network exposed a dangerous DDoS botnet on March 18, 2026. The botnet targeted Valve Source Engine game servers such as Counter-Strike and Team Fortress 2, abusing the Jenkins scriptText endpoint with cross-platform payloads, a stealth daemon and UDP flood amplification attacks on both Windows and Linux.

DDoS attacks are nothing new to the gaming industry, but this time the weapon came from a place few had anticipated. On March 18, 2026, Darktrace's global honeypot network, CloudyPots, captured activity that sent shockwaves through the threat research community.

A threat actor targeted Darktrace's Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet, and deeper analysis by the Darktrace Threat Research team revealed that the botnet was specifically designed to target video game servers. Jenkins, the tool developers use daily to manage CI/CD pipelines, became a DDoS weapon.

The game engine targeted was the Valve Source Engine, the powerhouse behind Counter-Strike, Team Fortress 2 and other beloved multiplayer titles that millions of gamers around the world play daily. The Jenkins CI/CD build system has an endpoint called scriptText that allows users to programmatically submit new jobs in the form of a Groovy script.

Groovy is a programming language with Java-like syntax that runs on the Java Virtual Machine. An attacker can abuse this endpoint to run malicious scripts and achieve code execution on the victim host, and this is the very endpoint through which the attack originated.

Darktrace notes that Jenkins is one of the less commonly abused services in its honeypot fleet, but this case proves that any misconfigured, internet-facing CI server can become valuable DDoS infrastructure. Low-value hosts are still useful to botnet operators because overall attack power depends on the number of bots, not on the criticality of any individual host.

The first step of the attack was a malicious request to the scriptText endpoint, URL-encoded as form data and containing an obfuscated Groovy script. Darktrace researchers decoded this script using CyberChef and found a disturbing plan inside. The script had distinct branches for Windows and Linux, meaning any exposed Jenkins server, whether a Windows server or a Linux box, could become part of this botnet.

(Image: Darktrace)

On Windows, the script fetched an executable named w.exe from the IP address 103.177.110.202, while on Linux a different payload was dropped that was specifically designed for stealth and persistence.

(Image: Darktrace)

Stealth Daemon Amplification Attack & CS Server Targeting

What the botnet did on Linux was textbook stealth. The malware deleted its original executable and renamed itself after a legitimate Linux kernel thread such as ksoftirqd/0 or kworker, names that are standard in any Linux installation and not viewed with suspicion by admins.

It then used the double-fork method to run silently as a background daemon, redirecting standard input, output and error to /dev/null so that no output would escape into logs. It also intercepted and ignored termination signals such as SIGTERM, meaning that stopping the process with normal commands would be practically impossible.
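The masquerade described above leaves traces a defender can check: a real kernel thread is a child of kthreadd (PID 2), has no /proc/&lt;pid&gt;/exe link and an empty cmdline, while a double-forked user process reparents to PID 1 and keeps an exe link (shown as "(deleted)" once the binary is removed). The following scanner is an added example written for this article, not Darktrace's tooling; the kernel-thread name list and the ProcInfo record are assumptions of the example, and it should be run as root on Linux to inspect other users' processes.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Kernel-thread names the malware borrows (assumed list for this example). Genuine
# kernel threads with these names have PPid 2, no exe link and an empty cmdline.
KTHREAD_NAME = re.compile(r"^(ksoftirqd/\d+|kworker|kthreadd|migration/\d+|kswapd\d+|rcu_)")

@dataclass
class ProcInfo:
    pid: int
    comm: str            # "Name:" field of /proc/<pid>/status
    ppid: int
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when the kernel provides no link
    cmdline: str

def suspicious_reasons(p: ProcInfo) -> List[str]:
    """Explain why a process wearing a kernel-thread name does not look like one."""
    reasons: List[str] = []
    if not KTHREAD_NAME.match(p.comm):
        return reasons
    if p.exe is not None:   # most robust signal: argv/comm can be faked, the exe link cannot
        reasons.append("has a userland executable: " + p.exe)
        if p.exe.endswith(" (deleted)"):
            reasons.append("executable was deleted from disk after launch")
    if p.cmdline:
        reasons.append("non-empty cmdline (kernel threads have none)")
    if p.ppid != 2 and p.comm != "kthreadd":
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (2); double-forked daemons reparent to 1")
    return reasons

def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build ProcInfo from /proc; None if the process vanished or cannot be inspected."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        name, ppid = fields["Name"].strip(), int(fields["PPid"])
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        try:
            exe: Optional[str] = os.readlink(f"{base}/exe")
        except FileNotFoundError:        # kernel threads expose no exe link
            exe = None
    except (OSError, KeyError, ValueError):  # exited, or PermissionError when not root
        return None
    return ProcInfo(pid, name, ppid, exe, cmdline)

def scan_proc() -> Dict[int, List[str]]:
    """Walk /proc and return pid -> reasons for every flagged process."""
    hits: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        info = read_proc(int(entry)) if entry.isdigit() else None
        if info and suspicious_reasons(info):
            hits[info.pid] = suspicious_reasons(info)
    return hits
```

Processes that cannot be read without root are skipped rather than misreported as kernel threads, so run the scan with enough privilege to see the whole process table.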

Once activated, the malware connected to the C2 server, reported the system architecture, and entered a loop waiting for attack instructions. Three utility commands were involved: PING for keep-alive checks, stop to exit, and update to pull a new version from the C2 server, making it a self-updating, remotely managed weapon.

The botnet supported multiple DDoS methods: UDP floods, TCP push attacks and HTTP request floods. But the most clever and dangerous technique was attack_dayz, which sends TSource Engine Query packets that force Valve Source Engine servers to return large volumes of data.

Because small requests trigger large responses, the attacker can exhaust server resources while using comparatively little bandwidth. This is a pure amplification attack and is devastating for game server operators. Darktrace confirmed that this botnet was specifically created to target Valve Source Engine games like Counter-Strike and Team Fortress 2, an ongoing nightmare for the gaming industry. Cloudflare reports gaming as the fourth most targeted industry globally.
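The "TSource Engine Query" packet the botnet sends is the A2S_INFO request: a 0xFFFFFFFF header, the type byte 'T', the literal string and a NUL terminator, 25 bytes in all. The per-source query rate limit recommended later in the article can be prototyped as follows; this is an added example written for this article, not Darktrace's or Valve's code, and the limiter class, the sample traffic and the RFC 5737 addresses are constructed for it.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# A2S_INFO request as it appears on the wire (25 bytes). Newer servers may require a
# 4-byte challenge appended to it, which gives the 29-byte variant accepted below.
A2S_INFO_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"

def is_a2s_info_query(payload: bytes) -> bool:
    """True for the classic 25-byte query or the 29-byte form carrying a challenge."""
    return payload.startswith(A2S_INFO_QUERY) and len(payload) in (25, 29)

class SourceQueryLimiter:
    """Sliding window: answer at most `max_queries` A2S_INFO per source IP per `window` s."""

    def __init__(self, max_queries: int = 5, window: float = 1.0) -> None:
        self.max_queries = max_queries
        self.window = window
        self._seen: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, src_ip: str, now: float) -> bool:
        times = self._seen[src_ip]
        while times and now - times[0] >= self.window:   # expire timestamps outside the window
            times.popleft()
        if len(times) >= self.max_queries:
            return False
        times.append(now)
        return True

def process(packets: Iterable[Tuple[float, str, bytes]],
            limiter: SourceQueryLimiter) -> Dict[str, Dict[str, int]]:
    """Run (timestamp, src_ip, udp_payload) tuples through the limiter; return per-IP counts."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"answered": 0, "dropped": 0, "other": 0})
    for ts, ip, payload in packets:
        if not is_a2s_info_query(payload):
            stats[ip]["other"] += 1            # other A2S traffic is left to its own limits
        elif limiter.allow(ip, ts):
            stats[ip]["answered"] += 1
        else:
            stats[ip]["dropped"] += 1
    return dict(stats)

def constructed_sample() -> List[Tuple[float, str, bytes]]:
    """Constructed traffic: one normal client and one source flooding 50 queries in 0.5 s."""
    benign = [(float(t), "198.51.100.7", A2S_INFO_QUERY) for t in range(3)]
    flood = [(0.01 * i, "203.0.113.9", A2S_INFO_QUERY) for i in range(50)]
    noise = [(0.2, "203.0.113.9", b"\xff\xff\xff\xffU\xff\xff\xff\xff")]  # A2S_PLAYER challenge request
    return sorted(benign + flood + noise)

if __name__ == "__main__":
    print(process(constructed_sample(), SourceQueryLimiter(max_queries=5, window=1.0)))
```

In a reflection flood the source address is spoofed to the victim's, so this caps how much data the server will reflect toward any one address; it complements the challenge step that current Source servers require before answering A2S_INFO rather than replacing it.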

The presence of game-specific DoS techniques highlights that the gaming industry remains a consistent, high-value target for attackers, and these botnets have likely already been used against game servers, a serious reminder to server operators that appropriate mitigations must be in place. Every organization that exposes Jenkins, whether through development teams, DevOps environments or CI/CD pipelines, should immediately verify that the scriptText endpoint is not publicly accessible.

It is still important to put Jenkins behind network-level controls, enforce strong authentication and disable unused script execution features. This case is an important reminder that there are no low-value targets in cybersecurity.

If your server is on the internet and misconfigured, it could become part of someone's botnet, even if your work is completely unrelated to gaming. Operators of gaming servers should deploy UDP amplification protection, implement Source Engine query rate limits and use DDoS mitigation services, because this botnet is still active.
