win.kamasers

Kamasers


Kamasers is a DDoS botnet. The bot has backdoor capabilities: it connects to an attacker-controlled C2 server, from which it can receive commands and download and execute files, enabling it to carry out HTTP and DNS flooding attacks. The bot is also used to access sensitive files.

The bot has been observed communicating with third-party platforms such as Telegram, Discord, and GitHub, using these platforms as backup C2 servers.

References
2026-03-25 — ANY.RUN — Achmad Adhikara, GridGuardGhoul
Kamasers Analysis: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide
Kamasers
2025-09-26 — abuse.ch — abuse.ch
Twitter Post
Kamasers
Yara Rules
[TLP:WHITE] win_kamasers_auto (20260504 | Detects win.kamasers.)
rule win_kamasers_auto {
    // Purpose: detect win.kamasers samples by matching short x86 code
    // sequences (opcode byte patterns) lifted from unpacked/dumped code.
    // Each $sequence_N is a YARA hex string; `??` is a one-byte wildcard,
    // so operands such as call displacements (e8 ?? ?? ?? ??) and absolute
    // memory references (8b0d ?? ?? ?? ??) are matched regardless of their
    // actual value. The `// n = ..., score = ...` lines are generator
    // output (instruction count and selection score), not rule syntax.
    // Run against unpacked or memory-dumped code: packed samples on disk
    // will not contain these sequences in cleartext.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.kamasers."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.kamasers"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Wildcarded call target (e8 ????????) keeps the pattern independent
        // of where the callee ends up in a given build.
        $sequence_0 = { e8???????? 8b4db8 46 41 eb75 6a0c 8bcf }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   46                   | inc                 esi
            //   41                   | inc                 ecx
            //   eb75                 | jmp                 0x77
            //   6a0c                 | push                0xc
            //   8bcf                 | mov                 ecx, edi

        $sequence_1 = { 8b07 8bcf ff5008 837df00f 8d4604 0f57c0 }
            // n = 6, score = 100
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8bcf                 | mov                 ecx, edi
            //   ff5008               | call                dword ptr [eax + 8]
            //   837df00f             | cmp                 dword ptr [ebp - 0x10], 0xf
            //   8d4604               | lea                 eax, [esi + 4]
            //   0f57c0               | xorps               xmm0, xmm0

        $sequence_2 = { 52 e8???????? 83c408 8b856cffffff c78510feffff00000000 c78514feffff0f000000 c68500feffff00 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b856cffffff         | mov                 eax, dword ptr [ebp - 0x94]
            //   c78510feffff00000000     | mov    dword ptr [ebp - 0x1f0], 0
            //   c78514feffff0f000000     | mov    dword ptr [ebp - 0x1ec], 0xf
            //   c68500feffff00       | mov                 byte ptr [ebp - 0x200], 0

        $sequence_3 = { 8bf9 ba11000000 8bc7 2bf7 0f1107 c6471000 0f1f00 }
            // n = 7, score = 100
            //   8bf9                 | mov                 edi, ecx
            //   ba11000000           | mov                 edx, 0x11
            //   8bc7                 | mov                 eax, edi
            //   2bf7                 | sub                 esi, edi
            //   0f1107               | movups              xmmword ptr [edi], xmm0
            //   c6471000             | mov                 byte ptr [edi + 0x10], 0
            //   0f1f00               | nop                 dword ptr [eax]

        $sequence_4 = { c78508feffff03000000 c60053 398d0cfeffff 0f4785f8fdffff c6400165 8d85f8fdffff 398d0cfeffff }
            // n = 7, score = 100
            //   c78508feffff03000000     | mov    dword ptr [ebp - 0x1f8], 3
            //   c60053               | mov                 byte ptr [eax], 0x53
            //   398d0cfeffff         | cmp                 dword ptr [ebp - 0x1f4], ecx
            //   0f4785f8fdffff       | cmova               eax, dword ptr [ebp - 0x208]
            //   c6400165             | mov                 byte ptr [eax + 1], 0x65
            //   8d85f8fdffff         | lea                 eax, [ebp - 0x208]
            //   398d0cfeffff         | cmp                 dword ptr [ebp - 0x1f4], ecx

        $sequence_5 = { 66f3ab 8b7df0 8b4d10 2bf9 8d047d02000000 8b7df8 50 }
            // n = 7, score = 100
            //   66f3ab               | rep stosd           dword ptr es:[edi], eax
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   2bf9                 | sub                 edi, ecx
            //   8d047d02000000       | lea                 eax, [edi*2 + 2]
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   50                   | push                eax

        $sequence_6 = { 8bd9 895dec 8b450c 8bc8 8b7508 2bce 8945f0 }
            // n = 7, score = 100
            //   8bd9                 | mov                 ebx, ecx
            //   895dec               | mov                 dword ptr [ebp - 0x14], ebx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8bc8                 | mov                 ecx, eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   2bce                 | sub                 ecx, esi
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax

        // NOTE(review): the literal displacement 0x4f97d94 in 89048d947df904
        // is an absolute address and is not wildcarded, so this sequence is
        // tied to one image base/build; it is likely the first to stop
        // matching on rebuilt or relocated samples. The same applies to
        // 0x4f69de1 in $sequence_9.
        $sequence_7 = { 8b0d???????? 49 890d???????? 89048d947df904 5d c3 55 }
            // n = 7, score = 100
            //   8b0d????????         |                     
            //   49                   | dec                 ecx
            //   890d????????         |                     
            //   89048d947df904       | mov                 dword ptr [ecx*4 + 0x4f97d94], eax
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_8 = { 83c404 ba???????? 8bc8 e8???????? c645fc1c 8b8dc8fdffff }
            // n = 6, score = 100
            //   83c404               | add                 esp, 4
            //   ba????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   c645fc1c             | mov                 byte ptr [ebp - 4], 0x1c
            //   8b8dc8fdffff         | mov                 ecx, dword ptr [ebp - 0x238]

        // Jump-table dispatch (ja + jmp [eax*4 + abs]); see the address
        // caveat on $sequence_7.
        $sequence_9 = { 0f87ef010000 ff2485e19df604 8b7e08 33c0 884638 384714 7507 }
            // n = 7, score = 100
            //   0f87ef010000         | ja                  0x1f5
            //   ff2485e19df604       | jmp                 dword ptr [eax*4 + 0x4f69de1]
            //   8b7e08               | mov                 edi, dword ptr [esi + 8]
            //   33c0                 | xor                 eax, eax
            //   884638               | mov                 byte ptr [esi + 0x38], al
            //   384714               | cmp                 byte ptr [edi + 0x14], al
            //   7507                 | jne                 9

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present
        // (tolerates a few sequences differing between builds) and the
        // scanned object is under 906240 bytes (885 KiB); the size bound
        // limits false positives on large files and bounds scan cost.
        7 of them and filesize < 906240
}