Security researchers unintentionally crash KmsdBot botnet

Akamai security researchers accidentally took down the KmsdBot cryptomining botnet while analyzing its capabilities.

Earlier this month, Akamai released a report detailing the KmsdBot botnet, which infected victims via SSH and weak credentials. The botnet targets both Windows and Linux devices with the goal of deploying mining software and ensnaring the compromised hosts in a DDoS botnet. Some of KmsdBot’s victims include gaming and technology companies, as well as luxury car manufacturers.

The researchers modified a recent sample of KmsdBot in order to test various scenarios related to C&C functionality.

“This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures. Interestingly, after one single improperly formatted command, the bot stopped sending commands. It’s not every day you come across a botnet that the threat actors themselves crash their own handiwork,” Akamai vulnerability researcher Larry Cashdollar explained.

While the KmsdBot malware has command-and-control functionality, the version analyzed by the researchers lacked an error-checking mechanism to verify that incoming commands are properly formatted, which allowed the researchers to deactivate the malware.

More specifically, the crash was caused by a malformed command in which the space between the target website and the port was missing, which severed the connection between the Go binary running on the infected machine and the C&C server.
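The missing check described above is a generic input-validation bug: a command handler that splits a message on a space and indexes the second field without confirming it exists will crash on any message where the space is absent. The following Go program is an added illustration written for this article, not KmsdBot’s code; the "target port" message format, the Command struct and the function names are assumptions, and the sample messages are constructed. It places the unchecked parse beside a validated one that rejects the malformed input instead of bringing the process down.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Command is the parsed form of a constructed "target port" message.
// The struct and field names are assumptions for this example.
type Command struct {
	Target string
	Port   int
}

// parseFragile splits on the first space and indexes the result without
// checking how many fields came back. A message with the space missing
// yields a one-element slice, so fields[1] panics with an index-out-of-range
// error, the kind of crash the article describes.
func parseFragile(msg string) Command {
	fields := strings.Split(msg, " ")
	port, _ := strconv.Atoi(fields[1]) // panics when there is no space
	return Command{Target: fields[0], Port: port}
}

// parseChecked validates the field count, the port syntax and the port range
// and returns an error instead of crashing, which is what a network-facing
// handler should do with untrusted input.
func parseChecked(msg string) (Command, error) {
	fields := strings.Fields(strings.TrimSpace(msg))
	if len(fields) != 2 {
		return Command{}, fmt.Errorf("expected 2 fields, got %d in %q", len(fields), msg)
	}
	port, err := strconv.Atoi(fields[1])
	if err != nil {
		return Command{}, fmt.Errorf("port %q is not a number: %w", fields[1], err)
	}
	if port < 1 || port > 65535 {
		return Command{}, fmt.Errorf("port %d out of range", port)
	}
	return Command{Target: fields[0], Port: port}, nil
}

// fragileCrashes runs parseFragile under recover so the crash can be observed
// as a boolean without terminating the program.
func fragileCrashes(msg string) (crashed bool) {
	defer func() {
		if r := recover(); r != nil {
			crashed = true
		}
	}()
	parseFragile(msg)
	return false
}

func main() {
	// Constructed sample messages; "example.test" is a placeholder target.
	for _, msg := range []string{"example.test 443", "example.test443"} {
		fmt.Printf("fragile(%q) crashed=%v\n", msg, fragileCrashes(msg))
		if cmd, err := parseChecked(msg); err != nil {
			fmt.Printf("checked(%q) rejected: %v\n", msg, err)
		} else {
			fmt.Printf("checked(%q) -> %+v\n", msg, cmd)
		}
	}
}
```

The well-formed message parses identically in both versions; the message with the missing space panics in the fragile version and is rejected with a descriptive error in the checked one, leaving the handler running for the next message.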

The researchers noted that because the bot doesn’t have any functionality for persistence on an infected machine, the only way to recover is to re-infect and rebuild the botnet from scratch.

“It’s not often we get this kind of story in security. In our world of zero-days and burnout, seeing a threat that can be mitigated with the coding equivalent of a typo is a nice story. This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar concluded.
