{
	"id": "a62e9b74-4212-49f4-92e6-9e68349df44f",
	"created_at": "2026-04-06T01:32:25.724097Z",
	"updated_at": "2026-04-10T03:21:48.905058Z",
	"deleted_at": null,
	"sha1_hash": "acc7708d89cc4e02532d9a1258f65205c8d52092",
	"title": "Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 125435,
	"plain_text": "Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting\r\nOrganizations Worldwide\r\nBy Achmad Adhikara, 4OURUP and GridGuardGhoul\r\nPublished: 2026-03-25 · Archived: 2026-04-06 01:11:04 UTC\r\nDDoS attacks are no longer only an infrastructure problem. They can quickly turn into a business issue, affecting\r\nuptime, customer experience, and operational stability. Kamasers is a strong example of this new reality, with\r\nbroad attack capabilities and resilient command-and-control mechanisms that allow it to remain active under\r\npressure.\r\nLet’s explore the Kamasers botnet through both technical and behavioral analysis, looking at the commands it\r\nreceives, the geographic distribution of its attacks, and the functions implemented in the malware sample.\r\nTogether, these elements help reveal how Kamasers operates and why it poses a serious threat to organizations\r\nworldwide\r\nKey Takeaways \r\nKamasers is a sophisticated DDoS botnet that supports both application-layer and transport-layer attacks,\r\nincluding HTTP, TLS, UDP, TCP, and GraphQL-based flooding. \r\nThe malware can also act as a loader, downloading and executing additional payloads, which raises the\r\nrisk of further compromise, data theft, and ransomware deployment.\r\nIts C2 infrastructure is resilient, using a Dead Drop Resolver (DDR) through legitimate public services\r\nsuch as GitHub Gist, Telegram, Dropbox, Bitbucket, and even Etherscan to retrieve active C2 addresses. \r\nAnalysis showed that Railnet ASN repeatedly appeared in malicious activity tied to multiple malware\r\nfamilies, making it a notable infrastructure element in the broader threat landscape. \r\nKamasers was observed being distributed through GCleaner and Amadey, showing that it fits into\r\nestablished malware delivery chains. 
\r\nThe botnet’s activity is international, with strong submission visibility in Germany and the United\r\nStates, while targeting extends across sectors including education, telecom, and technology.\r\nThe Business Risk Behind Kamasers \r\nKamasers is a flexible attack platform that can turn compromised enterprise systems into operational liabilities,\r\nexternal attack infrastructure, and potential entry points for deeper compromise: \r\nCorporate infrastructure can be turned against others: Infected enterprise systems may be used to\r\nlaunch DDoS attacks on third parties, creating reputational, contractual, and even legal risk for the\r\nhttps://any.run/cybersecurity-blog/kamasers-technical-analysis/\r\nPage 1 of 16\n\norganization. \r\nA broader incident can follow quickly: Because Kamasers can function as a loader, a single infection\r\nmay lead to additional payload delivery, raising the risk of data theft, ransomware, and deeper intrusion. \r\nVisibility gaps become harder to defend: The malware uses legitimate public services to retrieve C2\r\ninformation, making malicious communication more difficult to detect and increasing the chance of\r\ndelayed response. \r\nResponse costs rise fast: Investigating infected hosts, validating external impact, restoring systems, and\r\nhandling possible IP blacklisting can create significant operational and financial strain. \r\nBusiness trust can be affected early: If company infrastructure is linked to malicious traffic, customers,\r\npartners, and providers may react before the full incident is even understood. \r\nKamasers highlights a serious enterprise risk: attackers can use resilient C2 discovery, flexible attack methods,\r\nand follow-on payload delivery to turn a single compromise into an incident with operational, financial,\r\ncompliance, and reputational consequences. 
\r\nKamasers Threat Overview\r\nKamasers is a malware botnet family designed to carry out DDoS attacks using both application-layer and\r\ntransport-layer vectors. It supports HTTP GET/POST floods, API-targeted attacks, defense evasion techniques,\r\nTLS handshake exhaustion, connection-holding methods, as well as UDP and TCP floods. Infected nodes receive\r\ncommands from the command-and-control infrastructure and generate the corresponding traffic. In\r\naddition, Kamasers can also function as a loader, downloading and executing files from the network.\r\nANY.RUN previously observed activity associated with Udados, which is most likely an evolution or updated\r\nversion of Kamasers. As such, Udados can be considered part of the Kamasers family.\r\nYou can find public sandbox analysis sessions related to the Kamasers family with the following Threat\r\nIntelligence Lookup query:\r\nthreatName:\"kamasers\"\r\nANY.RUN’s sandbox sessions related to the Kamasers attacks displayed inside TI Lookup\r\nIf a corporate host becomes part of a botnet and is used to carry out DDoS attacks, the organization may face\r\nfinancial risks related to incident response, system recovery, network costs, and potential contractual penalties, as\r\nwell as regulatory scrutiny if inadequate security measures are identified, especially in cases involving data\r\ncompromise.\r\nAn additional risk stems from the malware’s ability to act as a loader, downloading and executing third-party\r\npayloads. This increases the likelihood of further intrusion, data exfiltration, ransomware deployment, and the\r\nresulting operational and reputational damage. 
\r\nC2 and Infrastructure\r\nAs part of the analysis, it was observed that the bot received the !httpbypass control command, which initiates an\r\nHTTP flood attack against a specified URL with defined intensity and duration parameters. After completing the\r\nattack, the bot reported its status and returned to standby mode.\r\nView analysis session\r\nCommunication between the infected host and the C2 server\r\nIn the sandbox analysis session, we can see how a DDoS attack targets a domain:\r\nDDoS attack targeting a domain, exposed inside ANY.RUN sandbox\r\nIn a number of analysis sessions, the command-and-control server was used not only to coordinate DDoS activity,\r\nbut also to deliver additional payloads. Specifically, the bot received the !download command, after which it\r\ndownloaded and executed a file from an external domain, then confirmed successful session completion to the C2\r\nserver:\r\nView analysis session\r\nExample of a C2 command used to download a malicious file\r\nIn one observed case, the bot received the !descargar command, the Spanish-language equivalent of !download, to\r\nretrieve an executable file from an external domain.\r\nView analysis session with C2 command in Spanish\r\nC2 command in Spanish used to download a malicious file observed inside ANY.RUN sandbox\r\nIn some cases, the Kamasers botnet was observed using public blockchain infrastructure as an auxiliary\r\nmechanism for obtaining the C2 address. 
Specifically, infected hosts queried the Etherscan API (api.etherscan.io)\r\nto retrieve data containing the URL of the command-and-control server:\r\nView session querying the Etherscan API\r\nQuerying the Etherscan API (api.etherscan.io) to retrieve data\r\nAfter obtaining the URL, the bot connects to the C2 server and sends information about its ID, command\r\nexecution status, bot version, privileges on the infected host, C2 discovery source, and system information:\r\nVictim request to the C2 server\r\nIn a number of cases, Kamasers uses public services, including GitHub, as an auxiliary source of configuration:\r\nCheck how Kamasers uses public services\r\nBehavioral analysis of Kamasers showed that the botnet frequently establishes connections to IP addresses\r\nassociated with Railnet LLC’s ASN.\r\nRailnet is regularly mentioned in public reporting as a legitimate front for the hosting provider Virtualine. This\r\nprovider is known for the absence of KYC procedures, and some research has noted that the associated\r\ninfrastructure is used to host malicious services and facilitate attacks.\r\nRailnet infrastructure has previously been observed in campaigns targeting both government and private-sector\r\norganizations across several European countries, including Switzerland, Germany, Ukraine, Poland, and France.\r\nThere are also documented cases of Railnet infrastructure being used to distribute other malware families,\r\nincluding Latrodectus, which a number of reports link to activity associated with groups such as TA577.\r\nAt the time of analysis, ANY.RUN data showed that Railnet’s ASN consistently appeared in reports tied to a wide\r\nrange of malicious activity and was being used by multiple malware families. 
These were not isolated incidents,\r\nbut a recurring pattern: the same ASN was repeatedly involved across different campaigns, making it a convenient\r\ninfrastructure hub for threat actors.\r\nThe current picture of Railnet activity can be quickly verified using ANY.RUN’s Threat Intelligence Lookup.\r\nSearching by ASN makes it possible to assess how extensively it is involved in malicious chains, which malware\r\nfamilies interact with it, and how the nature of that activity changes over time:\r\ndestinationIpAsn:\"railnet\"\r\nQuery for RAILNET ASN in ANY.RUN’s TI Lookup\r\nIn the analyzed sandbox sessions, Kamasers was distributed via GCleaner and Amadey, a delivery pattern that\r\nhas also been observed in other DDoS campaigns.\r\nAttack Geography and Targeting\r\nAmong the observed DDoS targets were companies in the LATAM region. However, according\r\nto ANY.RUN’s threat intelligence data, the targeting profile is broader: the education sector is affected most\r\noften, along with telecommunications and technology organizations.\r\nQuery in ANY.RUN TI to search for the Kamasers malware family\r\nBy geographic distribution of observed submissions, the largest share comes from Germany and the United\r\nStates, with separate cases also recorded in Poland and other countries. During the analysis, control commands\r\nin Spanish were also observed. This may indirectly suggest that the botnet originated from, or evolved\r\nwithin, a Spanish-speaking operator environment, although its actual activity is clearly international in scope.\r\nIt is also important to consider that the botnet uses the infrastructure of infected hosts to carry out attacks. If\r\ncorporate systems are compromised, the organization may not only become a potential target itself, but also\r\ninadvertently serve as a source of attacks against third parties. 
This creates reputational risks, the possibility of IP\r\naddress blacklisting, and additional financial costs related to investigation and infrastructure recovery.\r\nTechnical Breakdown of Kamasers\r\nTo better understand the Kamasers botnet architecture, a detailed sample analysis was conducted. The starting\r\npoint was the sample from this ANY.RUN sandbox session:\r\nCheck analysis session\r\nANY.RUN’s analysis session used as a starting point for technical investigation\r\nThis was followed by reverse engineering of the binary. The analysis focused primarily on how the malware\r\nreceives and processes commands from the C2 server, as well as the attack capabilities implemented in the\r\nsample.\r\nAfter launch, the malware begins retrieving commands through a Dead Drop Resolver mechanism. It uses public\r\nservices such as GitHub Gist, Telegram, Dropbox, and Bitbucket as intermediary sources. From these sources,\r\nthe bot extracts the address of the real C2 server and then establishes a connection to it.\r\nThe bot validates the format of the command sent by the C2 server\r\nCommand processing takes place in several stages. First, the bot verifies that the command format is valid. All\r\nvalid commands must begin with the “!” character. If this prefix is missing, the command is rejected and not\r\nexecuted.\r\nCode for the handler caching mechanism\r\nAfter validating the prefix, the bot matches the command against an internal handler table. The analysis showed\r\nthat Kamasers uses a handler caching mechanism. If the previously used handler matches the current command\r\nindex, the bot takes a fast path without performing another lookup. Otherwise, it triggers the dynamic resolution\r\nroutine. 
\r\nPseudocode of the flowchart showing command receipt and handler caching\r\nThe pseudocode in the figure above summarizes this mechanism.\r\nOne of the most illustrative commands is !udppro. It implements a high-speed UDP flood with support for source\r\nIP spoofing. Code analysis shows the standard sequence for creating a UDP socket via the WinSock API using the\r\nAF_INET, SOCK_DGRAM, and IPPROTO_UDP parameters.\r\nDisassembled code for the “!udppro” command\r\nAfter initializing the socket, the malware configures the packet transmission parameters. Support for IP\r\nspoofing enables reflection and amplification attacks through public NTP and DNS servers. In such scenarios,\r\nthe victim receives responses that are significantly larger than the original requests, leading to a sharp increase in\r\nload. Spoofed source addresses only leave the network if the infected host’s upstream does not enforce egress\r\nsource-address filtering (BCP 38), so that control also limits the reflection vector from corporate hosts.\r\nThe !download command is also present, implementing a Download \u0026 Execute mechanism. The bot retrieves an\r\nexecutable file from the specified URL, checks for the MZ signature, allocates memory, maps the sections, and\r\ntransfers execution to the entry point. If successful, it sends a task completion message; if an error occurs, it\r\ngenerates a failure notification.\r\nBot status messages related to the download process\r\nImplementation of Dead Drop Resolver Channels\r\nKamasers uses four Dead Drop Resolver channels: GitHub Gist, a Telegram bot, a file hosted on Dropbox, and\r\na Bitbucket repository. Importantly, links to these services are not stored in the sample in plain form. Instead, they\r\nare constructed and unpacked dynamically at runtime, which is why such strings do not appear during static\r\nanalysis of the binary. 
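To make the two control-flow mechanisms concrete, here is an added Python emulation (not code from the article, from ANY.RUN, or from the sample) of the command dispatcher described in the previous section (prefix check, handler table, cached handler index) and of the Dead Drop Resolver chain in the order the article gives: Gist, then Telegram, Dropbox, Bitbucket, and finally the built-in backup domains. The dead-drop content format (a URL somewhere in the response body), the argument layout of each command, the placeholder paths in angle brackets, and the channel responses are all assumptions, constructed so the script runs offline; handlers only record the task they would run and send nothing.

```python
"""Emulation of two Kamasers behaviours the article describes: the Dead Drop
Resolver failover chain and the '!'-prefixed dispatcher with a cached handler.
Added example, not the article's or the malware's code.  Assumed: dead-drop
body format (contains a URL), command argument layout, and all channel
contents, which are constructed below.  Handlers record tasks; nothing is sent.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Channel order from the article; hosts are the article's, paths are placeholders.
DDR_CHANNELS = [
    ("gist", "https://gist.github.com/<user>/<id>.js"),
    ("telegram", "https://api.telegram.org/bot<token>/getUpdates"),
    ("dropbox", "https://dl.dropboxusercontent.com/s/<id>/fj.txt"),
    ("bitbucket", "https://bitbucket.org/<user>/<repo>/raw/main/fq.txt"),
]
# Built-in backup domains from the article's IOC list, tried after every dead drop fails.
FALLBACK_DOMAINS = ["pitybux.com", "ryxuz.com", "toksm.com", "boskuh.com"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def resolve_c2(fetch: Callable[[str], Optional[str]]) -> Tuple[str, str]:
    """Query channels in order; stop at the first body containing a URL.
    Returns (c2_url, discovery_source), the source being what the bot reports at check-in."""
    for name, url in DDR_CHANNELS:
        body = fetch(url)                 # None models a failed connection
        if body is None:
            continue
        match = URL_RE.search(body)
        if match:                         # a valid address ends the chain
            return match.group(0), name
    for domain in FALLBACK_DOMAINS:       # no dead drop answered usefully
        if fetch(f"http://{domain}/") is not None:
            return f"http://{domain}/", "fallback"
    raise RuntimeError("no C2 reachable")


Handler = Callable[[List[str]], str]


class Dispatcher:
    """Prefix check, table lookup, and the fast path when the cached index matches."""

    def __init__(self, table: Dict[str, Handler]):
        self.names = list(table)          # index = slot in the handler table
        self.handlers = list(table.values())
        self.cached_index: Optional[int] = None
        self.lookups = 0                  # counts slow-path resolutions

    def dispatch(self, line: str) -> str:
        if not line.startswith("!"):
            return "rejected: missing '!' prefix"
        name, *args = line.split()
        if self.cached_index is not None and self.names[self.cached_index] == name:
            handler = self.handlers[self.cached_index]      # fast path, no lookup
        else:
            self.lookups += 1
            if name not in self.names:
                return f"rejected: unknown command {name}"
            self.cached_index = self.names.index(name)
            handler = self.handlers[self.cached_index]
        return handler(args)


def make_table(tasks: List[dict]) -> Dict[str, Handler]:
    """Handlers record the parsed task and return status strings of the kind in the
    article's YARA rule.  Assumed layout: '<url> <intensity> <seconds>' for floods."""
    def flood(kind: str) -> Handler:
        def run(args: List[str]) -> str:
            tasks.append({"kind": kind, "target": args[0],
                          "intensity": int(args[1]), "seconds": int(args[2])})
            return f"Task completed: {kind} on {args[0]}"
        return run

    def download(args: List[str]) -> str:
        tasks.append({"kind": "download", "url": args[0]})
        return f"Task completed: Download & Execute from {args[0]}"

    return {"!stop": lambda args: "Awaiting task",
            "!httpbypass": flood("HTTP BYPASS"),
            "!download": download,
            "!descargar": download}       # Spanish alias noted in the article


def demo() -> dict:
    # Constructed state: Gist unreachable, Telegram answers without a URL,
    # Dropbox carries the C2 address (TEST-NET-3 address, not a real indicator).
    drops = {
        "https://api.telegram.org/bot<token>/getUpdates": '{"ok":true,"result":[]}',
        "https://dl.dropboxusercontent.com/s/<id>/fj.txt": "http://203.0.113.10/gate.php\n",
    }
    c2, source = resolve_c2(drops.get)
    tasks: List[dict] = []
    bot = Dispatcher(make_table(tasks))
    replies = [bot.dispatch(cmd) for cmd in (
        "httpbypass http://example.net/ 100 60",     # no prefix: rejected
        "!httpbypass http://example.net/ 100 60",    # slow path, handler cached
        "!httpbypass http://example.org/ 50 30",     # fast path
        "!descargar http://203.0.113.10/x.exe",      # slow path
        "!nosuchcmd x")]                             # unknown: rejected
    return {"c2": c2, "source": source, "replies": replies,
            "tasks": tasks, "lookups": bot.lookups}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the property that matters for triage: the chain stops at the first channel that yields an address, so a sandbox run usually touches only one or two dead-drop services, and which one it touched is visible in the bot's own check-in as the "discovery source".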
\r\nThe Dead Drop Resolver (DDR) mechanism serves as an intermediary layer between the bot and the primary C2\r\nserver. After launch, the malware sequentially sends HTTP GET requests to each of the public resources. The\r\ncontent hosted there contains the current address of the command-and-control server. Once a response is received,\r\nthe bot extracts the C2 address and establishes a direct connection to continue receiving commands.\r\nIf the first source returns a valid address, no further requests are made. If the connection fails or the response is\r\ninvalid, the bot automatically falls back to the next channel: Telegram, then Dropbox, and finally Bitbucket.\r\nDDR links in the Kamasers codebase\r\nAll of these resources ultimately point to the same C2 infrastructure:\r\nGitHub Gist content used by Kamasers as DDR\r\nBitbucket content used by Kamasers as DDR\r\nFallback domains used if the DDR links are unavailable\r\nIf none of the DDR channels responds, the malware falls back to a built-in list of backup domains. For defenders\r\nthis means the dead-drop identifiers themselves (the gist ID, the Telegram bot token, the Dropbox share path, the\r\nBitbucket repository) are the durable indicators, not the hosting domains, which are legitimate services.\r\nCatching Kamasers Early: A Practical Detection Approach\r\nKamasers shows how a single malware infection can quickly turn into a broader business problem. Beyond DDoS\r\nactivity, the botnet can also download and execute additional payloads, increasing the risk of deeper compromise.\r\nFor security teams, the challenge is not only spotting the malware itself but also understanding whether an\r\ninfected host is being used for external attacks, communicating with resilient C2 infrastructure, or pulling in\r\nfollow-on payloads.\r\nEarly detection depends on moving quickly from suspicious network activity to confirmed malicious behavior.\r\n1. 
Monitoring: Spot Malicious Infrastructure and Unusual Network Behavior Early\r\nKamasers relies on external infrastructure to receive commands, retrieve C2 addresses, and in some cases\r\ndownload additional payloads. It also uses public services such as GitHub Gist, Telegram, Dropbox, Bitbucket,\r\nand even Etherscan as part of its Dead Drop Resolver logic.\r\nMonitoring for suspicious outbound connections, newly observed infrastructure, and repeated communication\r\nwith known malicious hosting can help teams detect activity before the infection leads to larger operational\r\nimpact.\r\nActionable IOCs delivered by TI Feeds to your existing stack\r\nANY.RUN’s Threat Intelligence Feeds help surface suspicious indicators early, giving SOC teams faster visibility\r\ninto malicious domains, IPs, and infrastructure patterns linked to emerging threats.\r\n2. Triage: Confirm Botnet Activity with Behavior-Based Analysis\r\nWith threats like Kamasers, static detection alone may not show the full risk. A suspicious file may appear\r\ninconclusive until its real behavior is observed during execution.\r\nRunning the sample inside the ANY.RUN interactive sandbox makes it possible to confirm the full execution flow,\r\nincluding:\r\nretrieval of C2 data through Dead Drop Resolver channels\r\nconnection to the active command-and-control server\r\nreceipt and execution of DDoS commands\r\ndownload-and-execute behavior through commands like !download or !descargar\r\nstatus reporting back to the C2 infrastructure\r\nRelevant IOCs automatically gathered in one tab inside ANY.RUN sandbox\r\nThis helps teams quickly determine whether the malware is only participating in DDoS activity or whether it also\r\ncreates risk of further payload delivery and deeper compromise.\r\n3. 
Threat Hunting: Pivot from One Sample to Related Infrastructure\r\nOnce Kamasers is confirmed, the next step is understanding how far the activity may extend.\r\nUsing ANY.RUN’s Threat Intelligence Lookup, teams can pivot from the initial sample to uncover related\r\ninfrastructure, connected sessions, and recurring patterns across the broader campaign.\r\nThis makes it possible to:\r\nidentify other samples tied to the Kamasers family\r\ntrace infrastructure linked to the botnet’s C2 activity\r\ninvestigate repeated use of ASN-linked hosting such as Railnet\r\nexpand detection based on shared behavior and network indicators\r\nthreatName:\"kamasers\"\r\nANY.RUN’s sandbox sessions related to the Kamasers attacks displayed inside TI Lookup\r\nBy pivoting from one confirmed sample, security teams can turn a single investigation into broader visibility\r\nacross related botnet activity.\r\nConclusion\r\nKamasers is a sophisticated DDoS botnet with a well-designed architecture. Its use of a Dead Drop\r\nResolver through legitimate services makes its C2 infrastructure highly resilient to takedown efforts. The presence\r\nof 16 commands, including modern attack vectors such as GraphQL and HTTP bypass, along with\r\nadvanced implementations of classic techniques, makes Kamasers a highly versatile tool for carrying out DDoS\r\nattacks.\r\nFor business leaders, Kamasers shows that resilient, multi-vector botnets can threaten not only infrastructure, but\r\nalso uptime, customer experience, and revenue-critical operations.\r\nAbout ANY.RUN\r\nANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, fits naturally into\r\nmodern SOC workflows and supports investigations from initial alert to final containment. 
\r\nIt allows teams to safely execute suspicious files and URLs, observe real behavior in an interactive environment,\r\nenrich indicators with immediate context through TI Lookup, and continuously monitor emerging\r\ninfrastructure using Threat Intelligence Feeds. Together, these capabilities help reduce uncertainty, accelerate\r\ntriage, and limit unnecessary escalations across the SOC.\r\nANY.RUN also meets enterprise security and compliance expectations. The company is SOC 2 Type II\r\ncertified, reinforcing its commitment to protecting customer data and maintaining strong security controls.\r\nComplete List of Kamasers Commands\r\nCommand: Purpose\r\n!stop: Stops the current operation. Closes sockets, terminates attack threads, and clears buffers.\r\n!download: Downloads and executes a file. Retrieves a PE file over HTTP, verifies it, and launches it. Also detects whether the file has been removed by antivirus software.\r\n!visiturl: Sends a basic HTTP GET request to the specified URL to generate traffic or check availability.\r\n!httpget: Basic HTTP GET flood implementation. Spawns several dozen threads with minimal randomization.\r\n!httpgetpro: Advanced HTTP GET flood. Spawns hundreds of threads, randomizes the User-Agent, Referer, URL paths, and parameters. Uses keep-alive connections.\r\n!httppost: HTTP POST flood. Sends POST requests with randomized headers and payloads, creating load on server-side data processing.\r\n!tlsflood: TLS handshake flood. Initiates SSL/TLS handshakes without completing them, creating load on the server’s cryptographic operations.\r\n!httpbypass: HTTP attack with defense evasion. Uses WAF/CDN bypass techniques such as header manipulation, payload encoding, and request fragmentation.\r\n!graphql: GraphQL API flood. 
Sends deeply nested GraphQL queries that create exponential load on the server parser.\r\n!httphulk: HULK attack (HTTP Unbearable Load King). Applies maximum randomization to all HTTP request parameters to bypass caching and rate limiting.\r\n!fastflood: Optimized high-speed flood with minimal overhead, designed to saturate available bandwidth.\r\n!proloris: Professional implementation of Slowloris. Slowly sends partial HTTP headers to exhaust the server’s connection pool.\r\n!slowread: Slow Read attack. Requests a large file and reads it very slowly to tie up server resources.\r\n!udppro: Professional UDP flood with support for IP spoofing and NTP/DNS amplification.\r\n!tcppro: Advanced TCP flood. Combines SYN flood, ACK flood, and connection reset techniques to exhaust the TCP state table.\r\n!tcphold: TCP connection holding. Establishes the maximum number of connections while maintaining minimal keep-alive traffic to exhaust server limits. 
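The monitoring step above recommends watching outbound traffic for the dead-drop services and for known infrastructure; the IOC section that follows lists the specific URLs and DDR endpoints. As an added example (not the article's or ANY.RUN's code), the following Python hunt runs both ideas over proxy-log lines: it flags a source host that reaches two or more distinct dead-drop services within a short window, and it matches exact URL indicators after refanging them from the defanged form the article publishes. The log format, the five-minute window, the two-service threshold, the service-path patterns and every sample line are assumptions, constructed so the script runs offline; the DDR patterns are intentionally broad (any gist ID, any bot token) so that a swapped identifier does not evade them.

```python
"""Hunts proxy logs for Kamasers-style dead-drop polling and for the article's
URL indicators.  Added example, not the article's code.  Assumed: the log
format '<iso-timestamp> <source-host> <method> <url>', the window and threshold,
the service-path patterns, and the constructed SAMPLE_LOG below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Dead-drop services the article names.  Patterns key on how the service is
# used (raw gist file, bot API, direct-download share, raw repo file) rather
# than on one gist ID or token, which the operator can rotate.
DDR_PATTERNS = {
    "gist": re.compile(r"^https?://gist\.github\.com/[^/]+/[0-9a-f]{32}"),
    "telegram": re.compile(r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+"),
    "dropbox": re.compile(r"^https?://dl\.dropboxusercontent\.com/s/"),
    "bitbucket": re.compile(r"^https?://bitbucket\.org/[^/]+/[^/]+/raw/"),
    "etherscan": re.compile(r"^https?://api\.etherscan\.io/"),
}

# URL indicators exactly as the article lists them (defanged).
DEFANGED_IOCS = [
    "hxxp://45[.]151[.]91[.]187/pa[.]php",
    "hxxp://91[.]92[.]240[.]50/pit/wp[.]php",
    "hxxp://178[.]16[.]54[.]87/uda/ph[.]php",
]


def refang(ioc: str) -> str:
    """Turn the published hxxp / [.] form back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = {refang(i) for i in DEFANGED_IOCS}
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse(line: str) -> Optional[Tuple[datetime, str, str]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)


def classify_ddr(url: str) -> Optional[str]:
    for name, pattern in DDR_PATTERNS.items():
        if pattern.match(url):
            return name
    return None


def hunt(lines: List[str], window: timedelta = timedelta(minutes=5),
         min_services: int = 2) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Return (ddr_hits, ioc_hits).  ddr_hits maps a source host to the distinct
    dead-drop services it touched inside `window`; ioc_hits are exact URL matches."""
    per_host = defaultdict(list)          # host -> [(timestamp, service)]
    ioc_hits: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, url = rec
        if url in IOC_URLS:
            ioc_hits.append((src, url))
        service = classify_ddr(url)
        if service:
            per_host[src].append((ts, service))
    ddr_hits: Dict[str, List[str]] = {}
    for src, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # sliding window from each event
            seen = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(seen) >= min_services:
                ddr_hits[src] = sorted(seen)
                break
    return ddr_hits, ioc_hits


# Constructed sample: ws-041 walks three dead drops in seconds and then fetches
# a listed URL; ws-112 is a developer touching two services 77 minutes apart;
# ws-200 uses the normal Dropbox web UI, which the pattern does not match.
SAMPLE_LOG = """\
2026-03-20T09:00:01 ws-041 GET https://gist.github.com/someuser/0123456789abcdef0123456789abcdef.js
2026-03-20T09:00:02 ws-041 GET https://api.telegram.org/bot123456:AAExampleExampleExampleExample/getUpdates
2026-03-20T09:00:03 ws-041 GET https://dl.dropboxusercontent.com/s/abc123/fj.txt
2026-03-20T09:00:09 ws-041 GET http://178.16.54.87/uda/ph.php
2026-03-20T09:13:40 ws-112 GET https://gist.github.com/devperson/fedcba9876543210fedcba9876543210.js
2026-03-20T10:30:00 ws-112 GET https://api.telegram.org/bot999:AAAnotherTokenValue/sendMessage
2026-03-20T09:05:00 ws-200 GET https://www.dropbox.com/home
"""

if __name__ == "__main__":
    ddr, ioc = hunt(SAMPLE_LOG.splitlines())
    print("dead-drop polling:", ddr)
    print("IOC URL hits:", ioc)
```

Expect noise from the dead-drop rule on developer and automation hosts, since every service involved is legitimate; it is a hunting lead to pair with process context from the endpoint (which binary made the request) and with the exact gist ID, bot token and share path from the IOC section when those are still current. The IOC match, by contrast, is high confidence on its own.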
\r\nIndicators of Compromise (IOCs)\r\nf6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b\r\ndd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a\r\nhxxp://45[.]151[.]91[.]187/pa[.]php\r\nhxxp://91[.]92[.]240[.]50/pit/wp[.]php\r\n071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52\r\nhxxp://178[.]16[.]54[.]87/uda/ph[.]php\r\nC2 Infrastructure (DDR):\r\ngist[.]github[.]com/pitybugak/5d16b75e8bd071e15b04cc9c06dcfafa[.]js\r\napi[.]telegram[.]org/bot8215158687:AAFgSmsaxfsJozcHIIYPv-HytZ3eCEaUrKg\r\ndl[.]dropboxusercontent[.]com/s/jqvpmc0kwg6ffi1mineh2/fj[.]txt\r\nbitbucket[.]org/serky/repyx/raw/main/fq[.]txt\r\nFallback domains:\r\npitybux[.]com\r\nryxuz[.]com\r\ntoksm[.]com\r\nboskuh[.]com\r\nYara rules:\r\nrule Kamasers {\r\n    meta:\r\n        description = \"Detects Kamasers DDoS botnet\"\r\n        author = \"ANY.RUN\"\r\n        date = \"2026-02-11\"\r\n        threat = \"Kamasers\"\r\n    strings:\r\n        $cmd1 = \"!stop\" ascii fullword\r\n        $cmd2 = \"!download\" ascii fullword\r\n        $cmd3 = \"!visiturl\" ascii fullword\r\n        $cmd4 = \"!httpget\" ascii fullword\r\n        $cmd5 = \"!httpgetpro\" ascii fullword\r\n        $cmd6 = \"!httppost\" ascii fullword\r\n        $cmd7 = \"!tlsflood\" ascii fullword\r\n        $cmd8 = \"!httpbypass\" ascii fullword\r\n        $cmd9 = \"!graphql\" ascii fullword\r\n        $cmd10 = \"!httphulk\" ascii fullword\r\n        $cmd11 = \"!fastflood\" ascii fullword\r\n        $cmd12 = \"!proloris\" ascii fullword\r\n        $cmd13 = \"!slowread\" ascii fullword\r\n        $cmd14 = \"!udppro\" ascii fullword\r\n        $cmd15 = \"!tcppro\" ascii fullword\r\n        $cmd16 = \"!tcphold\" ascii fullword\r\n        $msg1 = \"Task completed:\" ascii fullword\r\n        $msg2 = \"Task completed: GraphQL Flood on\" ascii fullword\r\n        $msg3 = \"Task completed: HULK on\" ascii fullword\r\n        $msg4 = \"Task completed: UDPPRO Flood on\" ascii fullword\r\n        $msg5 = \"Task completed: TCPPRO Flood on\" ascii fullword\r\n        $msg6 = \"Task completed: TCP HOLD on\" ascii fullword\r\n        $msg7 = \"Task completed: Download \u0026 Execute from\" ascii fullword\r\n        $msg8 = \"Task completed: Visit URL\" ascii fullword\r\n        $msg9 = \"Starting GraphQL Flood on\" ascii fullword\r\n        $msg10 = \"Starting HULK on\" ascii fullword\r\n        $msg11 = \"Starting UDP PRO on\" ascii fullword\r\n        $msg12 = \"Starting TCP PRO on\" ascii fullword\r\n        $msg13 = \"Starting TCP HOLD on\" ascii fullword\r\n        $msg14 = \"Starting Visit URL task on\" ascii fullword\r\n        $msg15 = \"Runtime error in D\u0026E task:\" ascii fullword\r\n        $msg16 = \"Unknown exception in DownloadAndExecuteTask\" ascii fullword\r\n        $msg17 = \"Awaiting task\" ascii fullword\r\n        $msg18 = \"Downloading file from:\" ascii fullword\r\n        $msg19 = \"Downloaded file disappeared (AV/EDR?)\" ascii fullword\r\n        $msg20 = \"Download failed with HRESULT:\" ascii fullword\r\n        $msg21 = \"HTTP GET Flood\" ascii fullword\r\n        $msg22 = \"HTTP GET PRO\" ascii fullword\r\n        $msg23 = \"HTTP POST Flood\" ascii fullword\r\n        $msg24 = \"HULK_POST\" ascii fullword\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        (10 of ($cmd*)) and\r\n        (8 of ($msg*))\r\n}\r\nAchmad Adhikara\r\nThreat Hunter at ANY.RUN\r\nAchmad Adhikara is a threat hunter at ANY.RUN. Former red teamer. I chase threats. I prefer to stay below\r\nperiscope depth. fnord.\r\n4OURUP\r\nI research malicious activity, attack tactics, and techniques. 
I analyze cyber threats, process data, and help stay one\r\nstep ahead of adversaries.\r\nGridGuardGhoul\r\nI am a network security researcher and reverse engineer exploring malware, protocols, and exploits.\r\nSource: https://any.run/cybersecurity-blog/kamasers-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/kamasers-technical-analysis/"
	],
	"report_names": [
		"kamasers-technical-analysis"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439145,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/acc7708d89cc4e02532d9a1258f65205c8d52092.pdf",
		"text": "https://archive.orkl.eu/acc7708d89cc4e02532d9a1258f65205c8d52092.txt",
		"img": "https://archive.orkl.eu/acc7708d89cc4e02532d9a1258f65205c8d52092.jpg"
	}
}