New DDoS IRC Bot Spreads Through Korean WebHard


A GoLang-programmed IRC (Internet Relay Chat) bot strain is being used to perform distributed denial-of-service (DDoS) attacks against Korean users.

Researchers at AhnLab’s Security Emergency-response Center (ASEC) revealed in a new paper issued on Wednesday that the malware is being distributed disguised as adult games. “In addition, the DDoS malware was downloaded and the UDP RAT was employed.”

The Attack Strategy

According to the researchers, the attackers are distributing the malware through file-sharing websites such as Korean WebHards.

  • First, the malware-infected games are compressed into ZIP packages and posted to webhards (a type of remote file storage service).
  • Second, when the game is launched, an executable (Game Open[.]exe) is staged to run a malware payload.
  • This payload, a GoLang-based downloader, connects to a remote command-and-control (C&C) server to download more malware, including a DDoS-attacking IRC bot.
  • “It’s a sort of DDoS Bot malware, but it communicates with the C&C server using IRC protocols,” the researchers explained. “Unlike UDP Rat, which only supported UDP Flooding assaults, Slowloris, Goldeneye, and Hulk DDoS attacks are all supported.”


According to the experts, GoLang’s minimal development costs and cross-platform capabilities have made it a popular choice among threat actors.


“The malware is actively transmitted via file-sharing websites such as Korean webhards,” according to AhnLab. “As a result, using executables downloaded from a file-sharing website with caution is suggested. It is recommended that customers obtain products from the developers’ official websites.”

What Is The Mechanism Behind It?

  • The DDoS IRC bot is installed using a GoLang downloader, UDP RAT, and a publicly available open-source Simple-IRC-Botnet.
  • The malware communicates with the C2 server using IRC protocols. While operating, it connects to a specified IRC server and enters the attacker’s channel. When commands are sent through the channel, it can launch DDoS attacks against a target.
  • While the UDP RAT only enables UDP flooding attacks, this one also supports Hulk DDoS, Slowloris, and Goldeneye attacks.
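
Because the bot registers with an IRC server and joins a channel, that handshake is visible in outbound traffic. The following is an added detection example, not code from ASEC or from the malware: it flags any client flow that completes NICK, USER and JOIN, whatever the destination port. The record layout, addresses, nick and channel name are constructed for illustration.

```python
import re
from collections import defaultdict

# IRC client line: optional ":prefix ", a command, then parameters (RFC 1459/2812).
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+)(?: (.*))?$")

def find_irc_sessions(records):
    """records: (src_ip, dst_ip, dst_port, payload) for client-to-server TCP data.
    Returns flows that registered (NICK + USER) and joined at least one channel."""
    flows = defaultdict(lambda: {"nick": None, "user": False, "channels": []})
    for src, dst, dport, payload in records:
        state = flows[(src, dst, dport)]
        for raw in payload.split(b"\n"):
            m = IRC_LINE.match(raw.rstrip(b"\r"))
            if not m:
                continue
            cmd = m.group(1).upper()
            params = (m.group(2) or b"").decode("latin-1")
            if cmd == b"NICK" and params:
                state["nick"] = params.split()[0].lstrip(":")
            elif cmd == b"USER" and len(params.split()) >= 4:
                state["user"] = True
            elif cmd == b"JOIN" and params:
                # JOIN carries a comma-separated channel list; keys may follow it.
                for ch in params.split()[0].lstrip(":").split(","):
                    if ch and ch[0] in "#&+!" and ch not in state["channels"]:
                        state["channels"].append(ch)
    return [{"src": s, "dst": d, "port": p, "nick": st["nick"],
             "channels": st["channels"]}
            for (s, d, p), st in flows.items()
            if st["nick"] and st["user"] and st["channels"]]

# Constructed sample payloads (documentation-range addresses, made-up names).
SAMPLE = [
    ("10.0.0.23", "203.0.113.50", 8080, b"NICK win-a1b2\r\nUSER win-a1b2 0 * :x\r\n"),
    ("10.0.0.23", "203.0.113.50", 8080, b"JOIN #example-chan\r\n"),
    ("10.0.0.41", "198.51.100.7", 80,
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.52", "198.51.100.9", 6667, b"NICK alice\r\n"),  # never registers fully
]

if __name__ == "__main__":
    for hit in find_irc_sessions(SAMPLE):
        print(hit)
```

A hit from a workstation that has no business running an IRC client is worth triage; the check only sees plaintext IRC, so TLS-wrapped sessions need flow or endpoint telemetry instead.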


The DDoS IRC bot is brand new and not frequently used yet. It is, however, still being aggressively propagated on Korean webhards, indicating a specific target group of potential victims. When downloading files from a file-sharing website, it is essential to be cautious and only use official sources.

