Security researchers at ANY.RUN have identified a powerful new botnet called Kamasers, which combines advanced distributed denial-of-service (DDoS) capabilities with a built-in malware loader, enabling attackers to deploy ransomware, steal data, and gain deeper network access.

Kamasers stands out due to its ability to launch multi-vector DDoS attacks, including HTTP floods, TLS exhaustion, UDP/TCP floods, and even GraphQL API abuse. However, what makes it especially dangerous is its secondary function as a loader, allowing command-and-control (C2) servers to deliver and execute additional malicious payloads on infected systems.

The botnet spreads through established malware delivery systems such as GCleaner and Amadey, indicating its integration into a broader malware-as-a-service ecosystem. Researchers believe this reflects a well-organized cybercriminal operation with access to sophisticated distribution channels.

A key feature of Kamasers is its Dead Drop Resolver (DDR) mechanism, which uses legitimate platforms like GitHub Gist, Telegram, Dropbox, and Bitbucket to retrieve C2 server addresses dynamically. This approach helps the malware evade detection, as links are generated at runtime rather than stored directly in the code. In some cases, the botnet has even leveraged blockchain infrastructure, querying Ethereum APIs to extract hidden command data.

Analysis also revealed connections to infrastructure associated with Railnet, a hosting provider linked to bulletproof hosting operations and previous malware campaigns. This infrastructure has been tied to attacks targeting organizations across Europe and beyond, highlighting the botnet’s global reach.

Kamasers infections have been observed most frequently in Germany and the United States, with additional activity in Poland and Latin America. Targeted sectors include education, telecommunications, and technology organizations.

Researchers also detected Spanish-language commands such as “!descargar” being used within the botnet, suggesting possible origins in Spanish-speaking regions, although the campaign operates internationally.

One of the most critical capabilities observed is the botnet’s ability to execute “download and run” commands. This allows attackers to quickly deploy ransomware, infostealers, or remote access tools on compromised systems, turning infected devices into launchpads for further attacks within hours.

Experts warn that Kamasers represents a shift in botnet evolution—from single-purpose DDoS tools to multifunctional cyberattack platforms capable of both disruption and full-scale compromise. Security teams are advised to monitor suspicious outbound connections, detect unusual command patterns, and prioritize threat intelligence to identify related infrastructure.
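The Dead Drop Resolver behaviour described above gives defenders a concrete hunting signal: a process that is not a browser or known sync client reaching the platforms Kamasers uses to fetch its C2 address. The script below is an added example, not code from the report or from ANY.RUN; the log format, the process allowlist and api.etherscan.io as a stand-in public Ethereum API endpoint are assumptions.

```python
"""Hunt for DDR-style C2 lookups in endpoint network telemetry (added example)."""
import re
from collections import defaultdict

# Platforms named in the report as dead-drop locations. api.etherscan.io is an
# assumed example of a public Ethereum API; adjust to the services you observe.
DDR_HOST_SUFFIXES = (
    "gist.github.com", "gist.githubusercontent.com", "api.telegram.org", "t.me",
    "dropbox.com", "dropboxusercontent.com", "bitbucket.org", "api.etherscan.io",
)
# Processes expected to contact these platforms legitimately; tune per environment.
BENIGN_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "git.exe", "dropbox.exe"}
# Assumed log line shape: "<ts> host=<endpoint> proc=<image path> dst=<fqdn>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def is_ddr_host(fqdn: str) -> bool:
    """True if fqdn is one of the dead-drop platforms or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == s or fqdn.endswith("." + s) for s in DDR_HOST_SUFFIXES)


def find_ddr_lookups(lines, benign=BENIGN_PROCESSES):
    """Return (endpoint, process, destination) for non-allowlisted DDR platform reaches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        proc = m["proc"].rsplit("\\", 1)[-1].lower()  # image name only
        if proc in benign or not is_ddr_host(m["dst"]):
            continue
        hits.append((m["host"], proc, m["dst"]))
    return hits


def group_by_endpoint(hits):
    """Distinct DDR platforms touched per endpoint; more than one hints at fallback resolvers."""
    seen = defaultdict(set)
    for host, _proc, dst in hits:
        seen[host].add(dst)
    return {h: len(d) for h, d in seen.items()}


SAMPLE_LOG = [  # constructed sample telemetry, not real data
    "2024-01-01T10:00:01Z host=ws-01 proc=C:\\Users\\u\\AppData\\Roaming\\svchost.exe dst=gist.githubusercontent.com",
    "2024-01-01T10:00:02Z host=ws-01 proc=C:\\Users\\u\\AppData\\Roaming\\svchost.exe dst=api.telegram.org",
    "2024-01-01T10:00:05Z host=ws-02 proc=C:\\Program Files\\Google\\Chrome\\chrome.exe dst=gist.github.com",
    "2024-01-01T10:00:09Z host=ws-03 proc=C:\\Windows\\System32\\svchost.exe dst=update.microsoft.com",
    "not a telemetry line",
]

if __name__ == "__main__":
    for hit in find_ddr_lookups(SAMPLE_LOG):
        print("DDR-style lookup:", hit)
```

The allowlist is a starting point only; a process name alone is weak evidence, so pair this with image path, signer and parent-process context from your EDR before acting on a hit.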
