The attack begins with unauthorized access to exposed Jenkins instances, often enabled by weak credentials. Threat actors abuse the scriptText endpoint, which allows execution of Groovy scripts, to achieve remote code execution. The malicious script delivers platform-specific payloads: on Windows systems, it downloads and executes a binary disguised as a system file, modifies firewall rules to allow command-and-control (C2) communication, and removes security flags from downloaded files. On Linux systems, a Bash one-liner is used to retrieve and execute a payload from the same remote server.
Post-exploitation, the malware establishes persistence and evasion mechanisms. It renames itself to mimic legitimate system processes, daemonizes execution, suppresses output, and ignores termination signals. The malware communicates with a single C2 infrastructure that is also used for payload delivery and initial access. Once active, infected hosts receive commands to launch various DDoS techniques, including UDP flooding, TCP connection exhaustion, HTTP request floods, and specialized attacks targeting gaming servers (e.g., Valve Source Engine queries).
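A defender-side check for the entry point described above, added here as an example rather than code from the advisory: it parses Jenkins HTTP access log lines (assumed to be in NCSA combined format; the sample lines are constructed) and flags requests to the Groovy script endpoints, scoring anonymous callers and successful POSTs to `/scriptText` highest. `/scriptText` is the endpoint the advisory names; `/script` is its interactive Script Console counterpart in Jenkins.

```python
import re
from collections import Counter

# Constructed sample access log lines (NCSA combined format). The IPs and
# users are made up for this example; the Jenkins paths are the real ones.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /job/build/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:03:44 +0000] "POST /scriptText HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:03:50 +0000] "POST /scriptText HTTP/1.1" 200 22 "-" "python-requests/2.31"
10.0.0.9 - bob [12/May/2024:10:05:00 +0000] "GET /script HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# endswith() also catches instances mounted under a context path such as /jenkins/scriptText
SCRIPT_PATHS = ("/scriptText", "/script")


def parse_line(line):
    """Parse one NCSA combined line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop query string and trailing slash so path comparison is exact.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec


def find_script_console_activity(log_text):
    """Return (alerts, hits_per_source) for every request to a script endpoint.

    reasons: 'anonymous' (no authenticated user), 'groovy-executed' (a successful
    POST to /scriptText runs the submitted Groovy server-side), 'non-browser-ua'.
    """
    alerts, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(SCRIPT_PATHS):
            continue
        per_source[rec["ip"]] += 1
        reasons = []
        if rec["user"] == "-":
            reasons.append("anonymous")
        if rec["method"] == "POST" and rec["path"].endswith("/scriptText") and rec["status"] == 200:
            reasons.append("groovy-executed")
        if not rec["ua"].startswith("Mozilla/"):
            reasons.append("non-browser-ua")
        severity = "high" if "groovy-executed" in reasons else "info"
        alerts.append({"ip": rec["ip"], "user": rec["user"], "path": rec["path"],
                       "severity": severity, "reasons": reasons})
    return alerts, per_source


if __name__ == "__main__":
    for alert in find_script_console_activity(SAMPLE_LOG)[0]:
        print(alert)
```

Repeated high-severity hits from one source against a freshly exposed instance are the pattern to correlate with the firewall-rule changes and payload downloads described above.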