Jaku Botnet: Active Operation With Possible Links to Darkhotel APT Group

Jaku Botnet is an Active Botnet Operation Possibly Controlled by Darkhotel Threat Actors 

Recent analysis of the Jaku botnet by security researchers at Forcepoint provides surprisingly contradictory indications on who might be behind it. On the one hand there are elements of sophisticated professionalism: three separate mechanisms are used to ensure that harvested victim telemetry gets through to the malware authors. But on the other hand, that same telemetry is held in 500 MB files disguised as jpegs. A 500 MB jpeg would be a red flag to any security researcher.

Such contradictions and half clues have led Forcepoint researchers to decline formal attribution. Pressed by SecurityWeek, Andy Settle, Forcepoint’s lead analyst on the research, commented, “If we were asked to make an informed assessment, then we would be willing to propose and argue the hypothesis that Darkhotel and Jaku share the same developers and possibly operators. If this hypothesis was accepted, then the inference would be that JAKU and Darkhotel are both campaigns being operated by an organization that is able to draw upon a re-deployable support infrastructure.”

The botnet was discovered when Forcepoint, formerly known as Raytheon|Websense, detected the use of ‘tactics, techniques and procedures’ (TTPs) similar to those used by the Darkhotel APT, a campaign that targeted business travelers in the Asia-Pacific region. This led to the discovery of a C&C server and the first 500 MB jpeg – which turns out to be a SQLite database of victims’ telemetry.
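The mismatch described above, a file named as a JPEG whose content is a SQLite database, is something a defender can check for directly on a web root or file share. The following is an added example, not code from Forcepoint or from the original article; the size threshold and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"              # JPEG start-of-image marker
SQLITE_MAGIC = b"SQLite format 3\x00"     # 16-byte SQLite 3 file header
JPEG_EXTS = {".jpg", ".jpeg"}
SIZE_THRESHOLD = 100 * 1024 * 1024        # assumption: flag "images" >= 100 MB

def classify(path, size_threshold=SIZE_THRESHOLD):
    """Return findings for one file that carries a JPEG extension."""
    findings = []
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        findings.append("sqlite-header")  # database stored under an image name
    elif not head.startswith(JPEG_MAGIC):
        findings.append("not-jpeg")       # some other content type
    if os.path.getsize(path) >= size_threshold:
        findings.append("oversized")      # implausibly large for a web image
    return findings

def scan(root, size_threshold=SIZE_THRESHOLD):
    """Walk root and map each suspicious *.jpg/*.jpeg path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in JPEG_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                findings = classify(path, size_threshold)
            except OSError:
                continue                  # unreadable file: skip, keep scanning
            if findings:
                hits[path] = findings
    return hits

def demo():
    """Scan a temporary directory of constructed sample files."""
    samples = {
        "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 64,   # genuine header
        "news.jpg": SQLITE_MAGIC + b"\x00" * 64,            # disguised database
        "notes.txt": SQLITE_MAGIC,                          # not a JPEG name
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        hits = scan(root, size_threshold=1024)
        return {os.path.basename(p): f for p, f in hits.items()}

if __name__ == "__main__":
    print(demo())
```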

Pivoting off that data, Forcepoint discovered a total of 7 C&C servers. It cannot legally see into the victim machines directly, but can still learn much about them from the collected telemetry. It knows of about 19,000 victims from all around the world. The majority, however, are concentrated in several APAC countries, especially Korea and Japan.

A surprisingly high percentage of the victims use pirated versions of Windows – statistically suggesting that there are even more illegal versions in these APAC countries than was previously believed. One observed attack method is via BitTorrent.

Although the majority of victims are consumer PCs, there are nevertheless a few corporate victims shown in the telemetry. Settle told SecurityWeek, “We also found a number of corporates in there. Those corporates were fairly low in number, but show that it just takes one weak link for the bad guys to get into an enterprise. One example involved a large US corporate. Out of thousands of employees, it had two road warriors on the road with laptops that weren’t correctly configured to provide the protection they should have had. This was enough for Jaku to get into the corporate infrastructure via one of the employees.”

One rather surprising discovery was that other hackers had located Jaku and were using it at weekends. “We found,” said Settle, “that other bad guys found and took over the C&C servers for a bit of weekend Spanish credit card scamming – the Jaku guys came back on Monday and booted them off – which incidentally shows that the Jaku actors don’t work over the weekend.” He declined to confirm that this suggests the actors behind Jaku are an organized and professional group; but admitted that it is a valid hypothesis.

The big surprise, however, remains the 500 MB telemetry databases half-heartedly disguised as jpegs. “Why would you have your telemetry data sitting in a 500 MB jpeg publicly readable on a web server? I don’t have an answer for that.” It is even more surprising when you realize that within these large databases there are relatively few examples of specifically named and targeted individuals. Those individuals all have at least a loose connection to North Korea, although they are not necessarily located in North Korea.

This focus, plus Forcepoint’s conclusion that the malware authors are native Korean speakers, has led to some suggestions that Jaku is an elaborate cyberespionage database targeting North Korea. The argument suggests that the large readable telemetry databases are solely intended to hide the existence of the limited actual targets – hiding in plain sight. Neither Settle nor Leonard would comment on this possibility; but its weakness is that it hasn’t worked.

Related Reading: Darkhotel Attackers Target Business Travelers via Hotel Networks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
