{
	"id": "f2c34249-a91b-4fa4-924e-dc69bb8cfd2e",
	"created_at": "2026-04-06T00:19:00.042338Z",
	"updated_at": "2026-04-10T13:13:00.574947Z",
	"deleted_at": null,
	"sha1_hash": "cbbb666c6357621b7b6146c4d15e5d35ba044f00",
	"title": "Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2695134,
	"plain_text": "Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets\r\nBy Bill Toulas\r\nPublished: 2022-10-27 · Archived: 2026-04-05 21:14:07 UTC\r\nA new version of the Fodcha DDoS botnet has emerged, featuring ransom demands injected into packets and new features to\r\nevade detection of its infrastructure.\r\n360Netlab researchers discovered Fodcha in April 2022, and since then, it has been silently receiving development and\r\nupgrades, steadily improving and becoming a more potent threat.\r\nAccording to a new report published by the same researchers, the latest Fodcha version 4 has grown to an unprecedented\r\nscale, with its developers taking measures to prevent analysis after Netlab's last report.\r\nhttps://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/\r\nPage 1 of 5\n\nThe most notable improvement in this botnet version is the delivery of ransom demands directly within DDoS packets used\r\nagainst victims' networks.\r\nIn addition, the botnet now uses encryption to establish communication with the C2 server, making it harder for security\r\nresearchers to analyze the malware and potentially take down its infrastructure.\r\nMore DDoS power\r\nAs a DDoS operation, Fodcha had grown significantly since April, when it targeted an average of 100 victims daily. 
The\r\naverage number of targets has increased by ten times, reaching 1,000 daily.\r\nThe botnet now relies on 42 C2 domains to operate 60,000 active bot nodes daily, generating up to 1Tbps of destructive\r\ntraffic.\r\nList of C2 addresses used by Fodcha (360Netlab)\r\nAccording to Netlab, Fodcha reached a new peak on October 11, 2022, attacking 1,396 targets in a single day.\r\nSome notable examples of confirmed attacks of Fodcha include:\r\nA DDoS attack against a healthcare organization on June 7 and 8, 2022.\r\nA DDoS attack against the communication infrastructure of a company in September 2022.\r\nA 1Tbps DDoS attack against a well-known cloud service provider on September 21, 2022.\r\nMost of Fodcha’s targets are located in China and the United States, but the botnet’s reach is already global, having infected\r\nsystems in Europe, Australia, Japan, Russia, Brazil, and Canada.\r\nFodcha's victim heatmap and activity volume diagram (360Netlab)\r\nEmbedding ransom demands\r\nNetlab's analysts believe Fodcha is making money by renting its firepower to other threat actors who wish to launch DDoS\r\nattacks. However, the latest version also includes extortion by demanding a Monero ransom to stop the attacks.\r\nBased on DDoS packets deciphered by Netlab, Fodcha now demands the payment of 10 XMR (Monero) from victims,\r\nworth approximately $1,500.\r\nThese demands are embedded in the 'Data' portion of the botnet's DDoS packets and warn that the attacks will continue\r\nunless a payment is made.\r\nFodcha's ransom message (360Netlab)\r\nHowever, as Monero is a privacy coin, it is much harder to trace. 
Therefore, it is not offered for sale by almost all US crypto\r\nexchanges due to the legal requirements to prevent money laundering or other illicit activity.\r\nTherefore, while ransomware gangs and other threat actors commonly request XMR as a payment option, almost all\r\ncompanies choose to pay in bitcoin, which will likely be a similar situation with DDoS attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets/"
	],
	"report_names": [
		"fodcha-ddos-botnet-reaches-1tbps-in-power-injects-ransoms-in-packets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbbb666c6357621b7b6146c4d15e5d35ba044f00.pdf",
		"text": "https://archive.orkl.eu/cbbb666c6357621b7b6146c4d15e5d35ba044f00.txt",
		"img": "https://archive.orkl.eu/cbbb666c6357621b7b6146c4d15e5d35ba044f00.jpg"
	}
}