DARKTRACE has analysed a Jenkins honeypot that was abused to deploy a new DDoS botnet targeting online game servers, with attackers using Jenkins scriptText to run malicious Groovy scripts. According to Darktrace, a threat actor attempting to target the honeypot on 18 March 2026 used a single IP, 103.177.110[.]202, which is linked to Webico Company Limited’s Tino brand, for delivery and C2 communications.
The botnet payload is downloaded differently depending on the host OS: on Windows, the script saves update[.]dat to C:\Windows\Temp, renames it to win_sys.exe, and opens a firewall rule for TCP 5444; on Linux, the script downloads bot_x64.exe and executes it. The malware’s C2 communications and multiple attack commands include UDP, TCP, HTTP, and DayZ‑targeted actions, with some functions seemingly duplicating others to inflate perceived capabilities.
Jenkins’ scriptText endpoint is abused to deploy the botnet, which Darktrace notes demonstrates opportunistic targeting of internet-facing misconfigurations, including those in gaming infrastructure.
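As a defender's view of the scriptText abuse described above, the following added example (not code from Darktrace or Jenkins) scans web access logs for requests to the scriptText endpoint and ranks them. It assumes combined-log-format lines from a proxy in front of Jenkins and treats a 2xx response to a POST as a script that ran; the function names and the sample lines are constructed for illustration.

```python
import re

# Indicator quoted on the page, kept defanged and refanged only for matching.
PAGE_IP_DEFANGED = "103.177.110[.]202"

# Assumed input: combined-log-format lines from a proxy in front of Jenkins.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def refang(ioc):
    return ioc.replace("[.]", ".")

def is_scripttext(target):
    # Matches /scriptText at the root, under a context path, or per node
    # (/computer/<name>/scriptText); the query string is ignored.
    path = target.split("?", 1)[0].rstrip("/")
    return path.endswith("/scriptText")

def hunt(lines, known_bad=(PAGE_IP_DEFANGED,)):
    bad = {refang(i) for i in known_bad}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_scripttext(m["target"]):
            continue
        ran = m["method"] == "POST" and m["status"].startswith("2")
        if m["ip"] in bad:
            severity = "critical"   # source matches the reported IP
        elif ran:
            severity = "high"       # assumption: 2xx means the script executed
        else:
            severity = "blocked"    # rejected (401/403) or not a POST
        findings.append((severity, m["ip"], m["ts"], m["status"]))
    return findings

# Constructed sample lines (not taken from the Darktrace report).
SAMPLE = [
    '198.51.100.7 - - [18/Mar/2026:09:12:01 +0000] "GET /login HTTP/1.1" 200 2101',
    '198.51.100.7 - - [18/Mar/2026:09:12:05 +0000] "POST /scriptText HTTP/1.1" 403 512',
    '203.0.113.9 - - [18/Mar/2026:09:30:44 +0000] "POST /computer/(built-in)/scriptText HTTP/1.1" 200 87',
    refang(PAGE_IP_DEFANGED) + ' - - [18/Mar/2026:10:02:13 +0000] "POST /scriptText HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(*finding)
```

Any "high" or "critical" hit on an internet-facing controller is worth correlating with the host artifacts named above, such as win_sys.exe in C:\Windows\Temp or a new firewall rule for TCP 5444.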