
Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide

Kamasers is a sophisticated, multi-vector DDoS botnet and loader that leverages resilient Dead Drop Resolver (DDR) mechanisms via legitimate public services to maintain command-and-control communication. It poses significant enterprise risk by turning infected hosts into attack infrastructure and facilitating follow-on payload delivery, including potential ransomware deployment.

Sensitivity: Immediate · Confidence: high · Analyzed: 2026-03-25

Authors: ANY.RUN

Actors: Udados, GCleaner, Amadey, TA577

Source:ANY.RUN

IOCs · 2

Key Takeaways

  • Kamasers is a multi-vector DDoS botnet supporting HTTP, TLS, UDP, TCP, and GraphQL floods.
  • The malware functions as a loader, downloading and executing additional payloads, which increases the risk of ransomware and data theft.
  • It utilizes a Dead Drop Resolver (DDR) mechanism via legitimate services like GitHub Gist, Telegram, Dropbox, Bitbucket, and Etherscan for resilient C2 discovery.
  • Kamasers frequently leverages Railnet ASN infrastructure, a known hub for malicious activity.
  • The botnet is distributed via established malware delivery chains, including GCleaner and Amadey.

Affected Systems

  • Windows OS
  • Corporate Infrastructure

Attack Chain

Kamasers is initially distributed via established loaders such as GCleaner and Amadey. Upon execution, the malware utilizes a Dead Drop Resolver (DDR) mechanism, sequentially querying public services like GitHub Gist, Telegram, Dropbox, Bitbucket, or the Etherscan API to dynamically retrieve its active C2 server address. Once connected, the bot receives commands to launch various multi-vector DDoS attacks (HTTP, UDP, TCP, GraphQL) or acts as a loader to download and execute secondary payloads, reporting its status back to the C2.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: ANY.RUN

A YARA rule is provided in the article to detect the Kamasers DDoS botnet based on specific command strings and status messages within the binary.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR can detect the secondary payload execution and network connections to unusual ports/IPs, but the initial DDR queries to legitimate services (GitHub, Telegram) might blend with normal traffic.
  • Network Visibility: High — The botnet generates significant, anomalous outbound traffic during DDoS attacks and communicates with known C2 IPs and fallback domains.
  • Detection Difficulty: Moderate — While the DDoS traffic is noisy and easy to spot, detecting the initial C2 resolution via legitimate services (DDR) requires behavioral analysis and baseline comparisons.

Required Log Sources

  • Network flow logs
  • DNS query logs
  • Process execution logs
  • HTTP proxy logs

Hunting Hypotheses

  • Hypothesis: Look for unusual, high-volume outbound network traffic originating from single endpoints, indicative of DDoS participation.
    • Telemetry: Network flow logs
    • ATT&CK Stage: Impact
    • FP Risk: Low
  • Hypothesis: Monitor for sequential HTTP GET requests to multiple public services (GitHub Gist, Telegram API, Dropbox) in a short timeframe, suggesting DDR activity.
    • Telemetry: HTTP proxy logs, DNS query logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
  • Hypothesis: Identify processes making API calls to Etherscan (api.etherscan.io) without a legitimate business justification.
    • Telemetry: HTTP proxy logs, DNS query logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Medium
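The three hunting hypotheses above can be turned into simple, testable logic. The following Python is an added example written for this summary; it is not code from ANY.RUN or from the Kamasers report. The proxy and flow log formats, the 5-minute window, the 3-service threshold, the 50 MB outbound baseline and all IP addresses in the sample lines are constructed assumptions; only the DDR service hostnames come from the report. It covers all three hypotheses in one place: the multi-service DDR sequence, Etherscan calls from hosts with no business allowlisting, and per-host outbound volume outliers.

```python
"""Hunting logic for the Kamasers DDR and DDoS indicators over sample logs.
Added example, not from the ANY.RUN report. Log formats, thresholds and
sample addresses are assumptions constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Public services the report names as Dead Drop Resolver (DDR) hosts.
DDR_HOSTS = {
    "gist.githubusercontent.com": "github_gist",
    "gist.github.com": "github_gist",
    "api.telegram.org": "telegram",
    "dl.dropboxusercontent.com": "dropbox",
    "bitbucket.org": "bitbucket",
    "api.etherscan.io": "etherscan",
}

# Constructed proxy log lines: "<ISO timestamp> <src_ip> <method> <url>".
SAMPLE_PROXY_LOG = """\
2026-03-25T10:00:01 10.0.0.5 GET https://gist.githubusercontent.com/x/raw/c.txt
2026-03-25T10:00:02 10.0.0.5 GET https://api.telegram.org/bot123:abc/getUpdates
2026-03-25T10:00:03 10.0.0.5 GET https://dl.dropboxusercontent.com/s/abc/f.txt
2026-03-25T10:00:04 10.0.0.5 GET https://api.etherscan.io/api?module=account
2026-03-25T10:05:00 10.0.0.9 GET https://gist.githubusercontent.com/y/raw/n.txt
2026-03-25T11:30:00 10.0.0.9 GET https://api.telegram.org/bot456:def/getUpdates
2026-03-25T10:07:00 10.0.0.20 GET https://api.etherscan.io/api?module=proxy
"""


def parse_proxy_log(text):
    """Return (timestamp, src_ip, host) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.fromisoformat(parts[0])
        host = parts[3].split("://", 1)[1].split("/", 1)[0]
        events.append((ts, parts[1], host))
    return events


def find_ddr_sequences(events, window=timedelta(minutes=5), min_services=3):
    """Hosts touching >= min_services distinct DDR services inside one window.
    Models the 'sequential queries to GitHub Gist, Telegram, Dropbox' indicator;
    the distinct-service count is what keeps ordinary single-service use quiet."""
    per_host = defaultdict(list)
    for ts, src, host in events:
        svc = DDR_HOSTS.get(host)
        if svc:
            per_host[src].append((ts, svc))
    hits = {}
    for src, seq in per_host.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            in_window = {svc for ts, svc in seq[i:] if ts - start <= window}
            if len(in_window) >= min_services:
                hits[src] = sorted(in_window)
                break
    return hits


def find_unjustified_etherscan(events, allowlist=frozenset()):
    """Source IPs calling api.etherscan.io that are not business-allowlisted."""
    return sorted({src for _, src, host in events
                   if host == "api.etherscan.io" and src not in allowlist})


# Constructed flow log lines: "<src_ip> <dst_ip> <proto> <bytes_out>".
SAMPLE_FLOW_LOG = """\
10.0.0.5 203.0.113.10 udp 90000000
10.0.0.5 203.0.113.10 tcp 40000000
10.0.0.9 198.51.100.7 tcp 120000
10.0.0.20 198.51.100.8 tcp 5000
"""


def find_volume_outliers(text, baseline_bytes=50_000_000):
    """Sum outbound bytes per source and flag hosts above an assumed baseline."""
    totals = defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            totals[parts[0]] += int(parts[3])
    return {src: b for src, b in totals.items() if b > baseline_bytes}


if __name__ == "__main__":
    ev = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("DDR sequences:", find_ddr_sequences(ev))
    print("Etherscan callers:", find_unjustified_etherscan(ev, {"10.0.0.20"}))
    print("Volume outliers:", find_volume_outliers(SAMPLE_FLOW_LOG))
```

On the sample data only 10.0.0.5 trips the DDR-sequence rule (four services inside a few seconds), while 10.0.0.9 touches two services ninety minutes apart and stays quiet, which is the behavioral context the False Positive Assessment below asks for. In production the baseline for the volume rule should come from each host's own history rather than a fixed constant.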

Control Gaps

  • Lack of outbound traffic filtering
  • Insufficient monitoring of API queries to public services

Key Behavioral Indicators

  • Sequential queries to GitHub Gist, Telegram, and Dropbox
  • High volume of outbound UDP/TCP traffic to external IPs
  • Execution of newly downloaded binaries following connections to unknown IPs

False Positive Assessment

  • Medium (Queries to GitHub, Telegram, or Dropbox are common in enterprise environments, potentially leading to false positives if alerting solely on domain names without behavioral context.)

Recommendations

Immediate Mitigation

  • Isolate hosts exhibiting high-volume outbound traffic or communicating with known Kamasers C2 IPs.
  • Block access to the identified fallback domains and C2 IP addresses.

Infrastructure Hardening

  • Implement strict egress filtering to prevent unauthorized outbound connections.
  • Monitor and restrict access to public API services (e.g., Telegram API, Etherscan) if not required for business operations.

User Protection

  • Deploy robust endpoint protection to detect and block the execution of secondary payloads.
  • Ensure systems are patched and monitored to prevent initial compromise via loaders like Amadey.

Security Awareness

  • Educate security teams on the use of Dead Drop Resolvers (DDR) and how legitimate services can be abused for C2.

MITRE ATT&CK Mapping

  • T1498 - Network Denial of Service
  • T1498.001 - Direct Network Flood
  • T1498.002 - Reflection Amplification
  • T1102 - Web Service
  • T1102.001 - Dead Drop Resolver
  • T1105 - Ingress Tool Transfer

Additional IOCs

  • IPs:
    • 45[.]151[.]91[.]187 - C2 Server
    • 91[.]92[.]240[.]50 - C2 Server
    • 178[.]16[.]54[.]87 - C2 Server
  • Domains:
    • pitybux[.]com - Fallback C2 domain
    • ryxuz[.]com - Fallback C2 domain
    • toksm[.]com - Fallback C2 domain
    • boskuh[.]com - Fallback C2 domain
    • api[.]etherscan[.]io - Legitimate API abused for DDR
    • pitbul[.]pitybux[.]com - C2 related domain observed in sandbox
  • Urls:
    • hxxp://45[.]151[.]91[.]187/pa.php - C2 communication endpoint
    • hxxp://91[.]92[.]240[.]50/pit/wp.php - C2 communication endpoint
    • hxxp://178[.]16[.]54[.]87/uda/ph.php - C2 communication endpoint
    • hxxps://api[.]telegram[.]org/bot8215158687:AAFgSmsaxfsJozcHIIYPv-HytZ3eCEaUrKg - Telegram bot API used as DDR
    • hxxps://dl[.]dropboxusercontent[.]com/s/jqvpmc0kwg6ffi1mineh2/fj.txt - Dropbox file used as DDR
    • hxxps://bitbucket[.]org/serky/repyx/raw/main/fq.txt - Bitbucket repository used as DDR
    • hxxps://pitybux[.]com/XA/throughput_5999.1634_INSTALL.exe - Secondary payload download URL
    • hxxps://pitybux[.]com/3/sax.exe - Secondary payload download URL
    • hxxps://silencestress[.]st//home - Target URL for DDoS attack observed in sandbox
  • File Hashes:
    • f6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b (SHA256) - Kamasers malware sample
    • dd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a (SHA256) - Kamasers malware sample
    • 071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52 (SHA256) - Kamasers malware sample
    • edb873a5f0ef7f5f3d162cdd84267329cbda6c145ed90bb5f3c0589b9d820997 (SHA256) - Kamasers malware sample observed in sandbox