A novel botnet was discovered that specializes exclusively in distributed denial-of-service (DDoS) attacks rather than conventional botnet activities.

In a Sept. 23 blog post, Darktrace researchers explained that the botnet specifically targets misconfigured Docker containers on AWS cloud servers, deploying Go-based malware that turns infected systems into attack nodes.

“What sets it apart is its service model: instead of the botnet operators launching attacks themselves, they've built a platform where customers can rent access to the infected network to conduct their own DDoS campaigns,” the researchers explained. “This discovery demonstrates how cybercriminals are moving toward service-oriented operations that treat illegal activities like business ventures, focusing on specific attack types rather than trying to monetize infected systems through multiple different criminal activities.”

The researchers explained that by leveraging containerization, an extensive API, and a full user interface, the DDoS campaign demonstrates the continued development of cybercrime-as-a-service (CaaS). The ability to deliver modular functionality through a Go-based RAT and expose a structured API for operator interaction highlights how sophisticated some threat actors have become.

Kelvin Lim, senior director, head of security engineering at Black Duck, pointed out that the discovery of a DDoS botnet targeting misconfigured Docker containers on AWS is a major shift in the cybercrime business. Lim said DDoS-as-a-service lowers the barrier to entry for hackers and enables even low-skilled hackers to launch large-scale attacks with minimal effort.

“What this means for organizations is that misconfigured Docker environments will be a prime target,” said Lim. “Container security hardening is critical to any organization running containers. Organizations must enforce least privilege, disable exposed Docker APIs, and implement strong authentication for their orchestration tools. Traditional perimeter defenses such as firewalls alone are insufficient.”

Jason Soroko, senior fellow at Sectigo, added that by focusing only on DDoS and selling access to capacity, the operators reduce operational risk, simplify tooling, and align incentives with paying customers.

“Container-aware infection of misconfigured Docker-on-cloud-hosts gives rapid scale and disposable infrastructure,” said Soroko. “Go-based implants enable cross-platform builds and fast churn on features. The presence of an API and full UI turns the botnet into a platform, which shifts detection from host indicators toward control plane behaviors such as unusual Docker API calls, scripted container lifecycle events, and repetitive egress from ephemeral nodes.”

Soroko added that defenders should treat this platform as a product with a roadmap, watching for modular upgrades, abuse of legitimate cloud services, and new tenancy models rather than isolated campaigns.

Shane Barney, chief information security officer at Keeper Security, said the botnet is another reminder that cybercrime is no longer a side hustle, but an industry. Barney said threat actors are treating DDoS attacks like a business service, complete with APIs, dashboards and user interfaces.

“This type of industrialization should be a wake-up call for defenders,” said Barney. “The fact that attackers are exploiting misconfigured Docker containers on AWS is also concerning, highlighting how quickly adversaries are shifting into cloud-native environments where misconfigurations are common.”
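The two defensive points raised above, disabling exposed Docker APIs and watching for scripted container lifecycle events at the control plane, can be illustrated with a small script. The following Python is an added example, not code from the article, from Darktrace, or from any of the quoted vendors. It audits a Docker `daemon.json` for an Engine API listener that is reachable over TCP without `tlsverify`, and it scans dockerd debug-log lines for a burst of container create/start/remove calls in a short window. The configuration values, file paths, container IDs, timestamps and log lines are all constructed for this example; the log format follows dockerd's logfmt output with debug logging enabled.

```python
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed daemon.json samples (not taken from the article). The weak one exposes the
# Engine API on plain TCP with no client authentication; the hardened one keeps the local
# socket, binds TCP to a management address only and requires mutual TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # assumed path
    "tlscert": "/etc/docker/server-cert.pem",   # assumed path
    "tlskey": "/etc/docker/server-key.pem",     # assumed path
})


def audit_daemon_config(raw: str) -> list[str]:
    """Return a list of findings for a daemon.json text; an empty list means no exposed-API issue."""
    cfg = json.loads(raw)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(f"Engine API on {tcp_hosts} without tlsverify: unauthenticated remote control")
    for h in tcp_hosts:
        if "0.0.0.0" in h or "[::]" in h:
            findings.append(f"{h} binds all interfaces; restrict to a management address")
    return findings


# Constructed dockerd debug-log excerpt: a scripted burst of create/start calls followed by a
# removal, with ordinary read-only queries around it. IDs and times are invented.
SAMPLE_DAEMON_LOG = """\
time="2025-09-23T10:00:00Z" level=debug msg="Calling GET /v1.43/info"
time="2025-09-23T10:00:00Z" level=debug msg="Calling GET /v1.43/containers/json"
time="2025-09-23T10:00:01Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2025-09-23T10:00:01Z" level=debug msg="Calling POST /v1.43/containers/c0ffee01/start"
time="2025-09-23T10:00:02Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2025-09-23T10:00:02Z" level=debug msg="Calling POST /v1.43/containers/c0ffee02/start"
time="2025-09-23T10:00:03Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2025-09-23T10:00:03Z" level=debug msg="Calling POST /v1.43/containers/c0ffee03/start"
time="2025-09-23T10:00:04Z" level=debug msg="Calling POST /v1.43/containers/create"
time="2025-09-23T10:00:04Z" level=debug msg="Calling POST /v1.43/containers/c0ffee04/start"
time="2025-09-23T10:00:05Z" level=debug msg="Calling DELETE /v1.43/containers/c0ffee01"
time="2025-09-23T10:01:30Z" level=debug msg="Calling GET /v1.43/containers/json"
"""

LOG_RE = re.compile(
    r'time="(?P<ts>[^"]+)" level=\w+ msg="Calling (?P<method>[A-Z]+) (?P<path>[^"\s]+)"'
)


def lifecycle_action(method: str, path: str):
    """Map an Engine API call to a container lifecycle action, or None for read-only calls."""
    path = re.sub(r"^/v[\d.]+", "", path)          # drop the /v1.43 version prefix
    parts = path.strip("/").split("/")
    if not parts or parts[0] != "containers":
        return None
    if method == "POST" and len(parts) == 2 and parts[1] == "create":
        return "create"
    if method == "POST" and len(parts) == 3:
        return parts[2]                              # start, stop, kill, exec, ...
    if method == "DELETE" and len(parts) == 2:
        return "remove"
    return None


def detect_lifecycle_bursts(log_text: str, window=timedelta(seconds=10), threshold=6) -> dict:
    """Count lifecycle calls and find the densest window; flag when it reaches the threshold."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        action = lifecycle_action(m["method"], m["path"])
        if action:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, action))
    events.sort()
    peak, start = 0, 0
    for end, (ts, _) in enumerate(events):          # sliding window over sorted timestamps
        while ts - events[start][0] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "lifecycle_calls": len(events),
        "peak_in_window": peak,
        "by_action": dict(Counter(a for _, a in events)),
        "suspicious": peak >= threshold,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or "no findings")
    print(detect_lifecycle_bursts(SAMPLE_DAEMON_LOG))
```

The window size and threshold are deliberately tunable: a CI pipeline that legitimately spins up many short-lived containers would need a higher threshold or an allow-list keyed on the calling identity, which is exactly why the exposed-API finding matters, since without TLS client certificates the daemon log cannot tell one caller from another.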
Botnet platform rents access to malicious systems to launch DDoS attacks