# Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets **[bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/](https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/)** Bill Toulas By [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) October 27, 2022 10:12 AM 0 A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands injected into packets and new features to evade detection of its infrastructure. [360Netlab researchers discovered Fodcha in April 2022, and since then, it has been silently](https://www.bleepingcomputer.com/news/security/new-fodcha-ddos-botnet-targets-over-100-victims-every-day/) receiving development and upgrades, steadily improving and becoming a more potent threat. According to [a new report published by the same researchers, the latest Fodcha version 4](https://blog.netlab.360.com/ddosmonster_the_return_of__fodcha_cn/) has grown to an unprecedented scale, with its developers taking measures to prevent analysis after Netlab's last report. The most notable improvement in this botnet version is the delivery of ransom demands directly within DDoS packets used against victims' networks. ----- In addition, the botnet now uses encryption to establish communication with the C2 server, making it harder for security researchers to analyze the malware and potentially take down its infrastructure. ## More DDoS power As a DDoS operation, Fodcha had grown significantly since April, when it targeted an average of 100 victims daily. The average number of targets has increased by ten times, reaching 1,000 daily. The botnet now relies on 42 C2 domains to operate 60,000 active bot nodes daily, generating up to 1Tbps of destructive traffic. **List of C2 addresses used** **by Fodcha** _(360Netlab)_ According to Netlab, Fodcha reached a new peak on October 11, 2022, attacking 1,396 targets in a single day. ----- Some notable examples of confirmed attacks of Fodcha include: A DDoS attack against a healthcare organization on June 7 and 8, 2022. A DDoS attack against the communication infrastructure of a company in September 2022. A 1Tbps DDoS attack against a well-known cloud service provider on September 21, 2022. Most of Fodcha’s targets are located in China and the United States, but the botnet’s reach is already global, having infected systems in Europe, Australia, Japan, Russia, Brazil, and Canada. **Fodcha's victim heatmap and activity volume diagram** _(360Netlab)_ ## Embedding ransom demands Netlab's analysts believe Fodcha is making money by renting its firepower to other threat actors who wish to launch DDoS attacks. However, the latest version also includes extortion by demanding a Monero ransom to stop the attacks. Based on DDoS packets deciphered by Netlab, Fodcha now demands the payment of 10 XMR (Monero) from victims, worth approximately $1,500. These demands are embedded in the 'Data' portion of the botnet's DDoS packets and warn that the attacks will continue unless a payment is made. ----- **Fodcha's ransom message** _(360Netlab)_ However, as Monero is a privacy coin, it is much harder to trace. Therefore, it is not offered for sale by almost all US crypto exchanges due to the legal requirements to prevent money laundering or other illicit activity. Therefore, while ransomware gangs and other threat actors commonly request XMR as a payment option, almost all companies choose to pay in bitcoin, which will likely be a similar situation with DDoS attacks. ### Related Articles: [Updated RapperBot malware targets game servers in DDoS attacks](https://www.bleepingcomputer.com/news/security/updated-rapperbot-malware-targets-game-servers-in-ddos-attacks/) [Malicious extension lets attackers control Google Chrome remotely](https://www.bleepingcomputer.com/news/security/malicious-extension-lets-attackers-control-google-chrome-remotely/) [New Chaos malware infects Windows, Linux devices for DDoS attacks](https://www.bleepingcomputer.com/news/security/new-chaos-malware-infects-windows-linux-devices-for-ddos-attacks/) [Pro-Russian hacktivists take down EU Parliament site in DDoS attack](https://www.bleepingcomputer.com/news/security/pro-russian-hacktivists-take-down-eu-parliament-site-in-ddos-attack/) [FBI: Hacktivist DDoS attacks had minor impact on critical orgs](https://www.bleepingcomputer.com/news/security/fbi-hacktivist-ddos-attacks-had-minor-impact-on-critical-orgs/) [Bill Toulas](https://www.bleepingcomputer.com/author/bill-toulas/) Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications. An open source advocate and Linux enthusiast, is currently finding pleasure in following hacks, malware campaigns, and data breach incidents, as well as by exploring the intricate ways through which tech is swiftly transforming our lives. -----