03/27/2026 | Press release | Distributed by Public on 03/27/2026 13:11
A new research report co-produced by the Comcast Threat Research Lab (CTRL) and the Nokia Deepfield Emergency Response Team (ERT) reveals for the first time the secrets of Jackskid, a fast-evolving botnet with unusual longevity and sophistication. While many malware operations flare up briefly and disappear, Jackskid has been evolving continuously for months, growing from a simple prototype into a resilient, multi-platform threat that targets common IoT devices such as cameras and routers as well as Android TV boxes.
This research was completed before a coordinated law-enforcement operation disrupted Jackskid and three related botnets. Publication of the report was delayed until that disruption process concluded, giving researchers a complete view of the botnet's lifecycle and infrastructure.
After this disruption, Jackskid's operator released a new malware version that began infecting devices using an updated command-and-control mechanism based on the Ethereum Name Service (ENS), providing some limited continuity through blockchain-based resolution even as the botnet's fast-flux DNS infrastructure largely collapsed.
Over a five-month period, we reverse-engineered 80+ malware samples across multiple architectures and build generations and watched the botnet steadily expand its abilities. Early versions spread by guessing weak passwords on Internet-of-Things (IoT) devices such as cameras and routers. Later versions added a second path - compromising Android TV devices through the Android Debug Bridge (ADB), a developer tool built into Android - which dramatically widened the pool of devices the botnet can take over. These Android-based infections are typically delivered through residential proxies, which make ADB services that listen only on localhost reachable from outside and allow attackers to access and infect devices that would otherwise be unreachable.
A major reason Jackskid is hard to disrupt is its self-healing infrastructure. It constantly rotates through dozens of command-and-control servers hidden behind fast-changing DNS records and large pools of network ports. Even older servers often stay online, meaning previously compromised systems may continue to connect long after the threat was thought to have moved on. The botnet also hides its communication using encrypted DNS-over-HTTPS, making it harder for defenders to observe what's going on.
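The rotating-infrastructure pattern described above (one C2 name answered by many short-lived IP addresses) is something a defender can surface from passive-DNS data. The following is an added illustration, not code from the CTRL/Deepfield report: the record format, the sample records and the thresholds are assumptions chosen for the example.

```python
"""Fast-flux heuristic over constructed passive-DNS records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: int     # epoch seconds when the answer was observed
    name: str   # queried name
    ip: str     # A-record answer
    ttl: int    # TTL in seconds


# Constructed sample: one name that rotates through five addresses with
# short TTLs, one stable name that always returns the same address.
SAMPLE = [
    DnsRecord(0,    "c2.example.test",  "203.0.113.10", 60),
    DnsRecord(60,   "c2.example.test",  "203.0.113.11", 60),
    DnsRecord(120,  "c2.example.test",  "198.51.100.7", 30),
    DnsRecord(180,  "c2.example.test",  "198.51.100.8", 30),
    DnsRecord(240,  "c2.example.test",  "192.0.2.99",   60),
    DnsRecord(0,    "cdn.example.test", "192.0.2.1",    3600),
    DnsRecord(3600, "cdn.example.test", "192.0.2.1",    3600),
]


def flux_stats(records, window_s=3600):
    """Per name: (distinct IPs, minimum TTL, distinct IPs per window_s)."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    stats = {}
    for name, rs in by_name.items():
        ips = {r.ip for r in rs}
        span = max(r.ts for r in rs) - min(r.ts for r in rs)
        span = max(span, window_s)  # never divide by a near-zero span
        rate = len(ips) * window_s / span
        stats[name] = (len(ips), min(r.ttl for r in rs), rate)
    return stats


def is_fast_flux(stat, min_ips=5, max_ttl=300):
    """Flag a name that churns through many IPs with short TTLs (assumed thresholds)."""
    distinct_ips, min_ttl, _rate = stat
    return distinct_ips >= min_ips and min_ttl <= max_ttl


def flagged_names(records):
    return sorted(n for n, s in flux_stats(records).items() if is_fast_flux(s))
```

On real data the same per-name aggregation should also be keyed on ASN and on the destination port pool, since the report notes the botnet spreads C2 listeners across large port ranges as well as many addresses.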
We believe that Jackskid is far more advanced than typical descendants of Mirai, one of the most infamous botnets ever created and the foundation for hundreds of new botnets over the past decade. It uses three layers of encryption, includes strong anti-analysis protections, and even hunts down and removes competing malware from infected devices. Some versions block common infection ports or disable key system tools to make sure other attackers can't reclaim the device.
Its attack power has grown as well. While early builds could perform only basic network floods, current versions include nearly 20 different types of attacks, including specialized techniques aimed at overwhelming popular gaming platforms like Minecraft, Valve games, and FiveM. Some attack methods are designed specifically to bypass defenses that normally protect large services.
Our teams also found signs that Jackskid's operator may be collaborating with - or borrowing from - other advanced botnets, including Aisuru and variants in the "CatDDoS" family. Several March 2026 samples combined code and infrastructure from multiple previously independent malware families, which is unusual and suggests a higher level of organization than is typical in this space.
The operator isn't perfect, however. At least one debug build that was accidentally published included internal names, development artifacts, and anti-competition components - offering rare insight into how the botnet is built, tested, and maintained.
Overall, Jackskid represents a major shift in the malware landscape. Botnets are becoming long-lived, actively maintained software projects rather than disposable one-offs. This means that defenders, service providers, and device makers will need more coordinated, faster-moving efforts to keep threats like this from becoming entrenched.
Read the full research report from the Comcast Threat Research Lab (CTRL) and the Nokia Deepfield Emergency Response Team (ERT) here.