DR A.I CyberSecurity Scoring
Company Information
Website: https://thedfirreport.com
Number of employees: 20
Number of followers: 31,883
NAICS: 5616
Industry Type: Security and Investigations
Homepage: thedfirreport.com
DR Risk Score (AI oriented): 713/1000 (Moderate, Ba), band between 700 and 749
Updated: 28/04/2026
Current Score: 713 Ba (MODERATE), on a 0 to 1000 scale
2 incidents, -22 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 715
MAY 2026: 713
APRIL 2026: 733
Cyber Attack
28 Apr 2026 • DR
Virtualine: Kamasers DDoS Botnet With Loader Capabilities Attacking Organizations to Deploy Ransomware
Kamasers: A Dual-Threat DDoS Botnet with Ransomware Capabilities Emerges
713
CRITICAL-20
THE1777393755
A newly analyzed DDoS botnet, Kamasers, has surfaced as one of the most operationally dangerous malware families in recent threat intelligence, combining multi-vector DDoS attacks with a built-in loader function that enables ransomware deployment, data theft, and deeper network intrusion.
### Key Capabilities & Technical Sophistication
Kamasers executes application-layer and transport-layer DDoS attacks, including:
- HTTP GET/POST floods
- TLS handshake exhaustion
- UDP/TCP floods
- GraphQL API abuse
- Advanced bypass techniques targeting WAFs and CDNs
Unlike conventional DDoS tools, Kamasers also functions as a malware loader, allowing its command-and-control (C2) server to push executable payloads to infected hosts, expanding the impact of a single infection. Researchers at ANY.RUN identified Udados as a likely variant or evolution of the same malware family.
### Distribution & Infrastructure
Kamasers spreads via GCleaner and Amadey, two established malware delivery platforms used in multi-stage attack chains. Its operators leverage malware-as-a-service (MaaS) ecosystems, indicating access to organized cybercriminal supply chains.
A standout feature is its Dead Drop Resolver (DDR) mechanism, which uses GitHub Gist, Telegram, Dropbox, and Bitbucket to dynamically deliver C2 server addresses. If primary channels fail, the bot cascades through fallback services, including hardcoded domains (e.g., pitybux[.]com, ryxuz[.]com) and even Ethereum blockchain APIs (via api.etherscan.io) to evade detection.
### Hosting & Targeting
Kamasers’ C2 infrastructure is linked to Railnet LLC’s ASN, a hosting provider tied to Virtualine, a bulletproof hosting service with no KYC requirements. Railnet has been previously associated with campaigns targeting government and private-sector entities in Switzerland, Germany, Ukraine, Poland, and France, as well as malware families like Latrodectus (TA577).
The botnet’s global reach includes high visibility in Germany and the U.S., with additional cases in Poland and Latin America. Affected sectors include education, telecommunications, and technology. Notably, Spanish-language commands (e.g., !descargar) suggest operator origins in a Spanish-speaking environment, though operations span multiple regions.
### Dual-Threat Impact
Kamasers-infected hosts can execute Download & Execute routines, retrieving and running PE executables from external domains. This capability allows threat actors to deploy ransomware, infostealers, or remote access trojans (RATs) within hours of initial compromise, turning a DDoS tool into a full-scale business disruption platform.
Security teams are advised to monitor outbound connections to DDR services, flag Railnet ASN traffic, and deploy behavioral sandboxing to detect C2 beacon patterns and execution chains.
Kamasers exemplifies the evolution of modern botnets: modular, resilient, and capable of pivoting from network disruption to enterprise compromise with a single command.
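The advice to monitor outbound connections to DDR services can be turned into a simple correlation rule. The following is an added example, not code from the original report or from the researchers it cites: it flags a host and process that reach several distinct resolver services in a short window, or any of the fallback domains quoted above. The service hostnames (other than api.etherscan.io), the log format, the two-minute window and the three-service threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames assumed for the services the article names (only etherscan is on the page).
DDR_SERVICES = {
    "gist.github.com": "github-gist",
    "t.me": "telegram",
    "api.telegram.org": "telegram",
    "www.dropbox.com": "dropbox",
    "bitbucket.org": "bitbucket",
    "api.etherscan.io": "etherscan",
}
# Fallback domains quoted in the article, stored defanged and refanged at load time.
FALLBACK = {d.replace("[.]", ".") for d in ("pitybux[.]com", "ryxuz[.]com")}

# Constructed sample proxy log: timestamp, host, process, destination.
SAMPLE_LOG = """\
2026-04-28T10:00:01 ws-014 chrome.exe gist.github.com
2026-04-28T10:00:05 ws-022 svc_upd.exe gist.github.com
2026-04-28T10:00:09 ws-022 svc_upd.exe t.me
2026-04-28T10:00:14 ws-022 svc_upd.exe www.dropbox.com
2026-04-28T10:00:20 ws-022 svc_upd.exe api.etherscan.io
2026-04-28T10:03:00 ws-014 chrome.exe www.dropbox.com
2026-04-28T11:30:00 ws-031 helper.exe ryxuz.com
"""

def find_ddr_cascades(log_text, window=timedelta(minutes=2), min_services=3):
    """Return alerts for (host, process) pairs showing resolver-cascade behaviour."""
    hits = defaultdict(list)          # (host, process) -> [(time, service)]
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                  # skip malformed lines
        ts, host, proc, dest = parts
        dest = dest.lower().rstrip(".")
        if dest in FALLBACK:
            alerts.append((host, proc, "fallback-domain", [dest]))
        elif dest in DDR_SERVICES:
            hits[(host, proc)].append((datetime.fromisoformat(ts), DDR_SERVICES[dest]))
    for (host, proc), events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct services contacted within the window starting at this event.
            seen = sorted({svc for t, svc in events[i:] if t - start <= window})
            if len(seen) >= min_services:
                alerts.append((host, proc, "ddr-cascade", seen))
                break
    return alerts
```

Keying on the host and process pair keeps ordinary browsing, such as a user opening a gist and later a Dropbox link, from triggering the rule, while a single process walking through several services within seconds stands out.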
MARCH 2026
756
Cyber Attack
03 Mar 2026 • DR
TrickBot and Polygon: Aeternum C2 Infrastructure Exposed With Advanced Evasion Tactics
Aeternum C2: The First Botnet Leveraging Polygon Blockchain for Unstoppable Command-and-Control
732
LOW-24
THEPOL1772519153
Researchers at Qrator Research Lab have uncovered Aeternum C2, a new botnet loader that eliminates a long-standing weakness in cybercriminal operations: centralized command-and-control (C2) infrastructure. Unlike traditional botnets such as Emotet, TrickBot, and QakBot, which have been disrupted by seizing servers or domains, Aeternum stores its commands directly on the Polygon blockchain, making takedowns nearly impossible.
### How Aeternum Works
Instead of relying on hardcoded IPs, DNS domains, or peer-to-peer networks, Aeternum embeds instructions within smart contracts on Polygon. Infected devices retrieve commands by querying public RPC endpoints, blending malicious activity with legitimate blockchain traffic. Since the blockchain is decentralized and immutable, there is no single point of failure for defenders to target.
Key features include:
- Blockchain-based C2: Commands are stored in smart contracts, distributed across thousands of nodes, and retrieved via RPC queries.
- Multi-payload flexibility: Operators can deploy different malware types (clippers, RATs, miners, DLL loaders) through separate smart contracts.
- Targeted tasking: A "ping" function collects hardware IDs and user-agent strings, enabling precise bot management.
- Low operational costs: A single $1 in MATIC can fund 100–150 command transactions, with no hosting or domain fees required.
- Anti-analysis protections: The loader includes anti-VM checks and integrates the Kleenscan API to test builds against antivirus detection before deployment.
### Why This Matters
Aeternum’s blockchain-based model removes traditional intervention points, forcing defenders to rethink takedown strategies. Even if malware is removed from infected systems, the underlying smart contracts remain active, allowing operators to reactivate campaigns at will. Security experts warn that this approach could become a blueprint for future botnets, shifting the focus from infrastructure disruption to proactive network-level detection.
The discovery highlights a major evolution in botnet resilience, with implications for how cybersecurity teams monitor and mitigate emerging threats.
FEBRUARY 2026: 756
JANUARY 2026: 756
DECEMBER 2025: 756
NOVEMBER 2025: 756
OCTOBER 2025: 756
SEPTEMBER 2025: 756
AUGUST 2025: 756
JULY 2025: 756