The Fodcha DDoS botnet's latest version features ransom demands injected into packets and can evade detection.
First discovered in April 2022, Fodcha has evolved as a significant threat. The one major improvement is the delivery of ransom demands directly within DDoS packets used against victims' networks.
Additionally, the botnet now communicates with the C2 server using encryption. The malware is therefore harder to analyze and take down by security researchers.


Who are the victims?

A majority of Fodcha’s targets are located in China and the United States. However, the botnet has infected systems in Australia, Europe, Russia, Japan, Brazil, and Canada.
  • Some of the confirmed DDoS attacks carried out by Fodcha are mentioned below:
  • A healthcare organization was attacked on June 7 and 8.
  • A communication infrastructure of a company was targeted in September.
  • A 1Tbps attack against a cloud service provider on September 21.

The numbers game

  • In April, Fodcha targeted an average of 100 victims per day; now, it targets 1,000 victims per day, which is a tenfold increase.
  • The botnet relies on 42 C2 domains to power 60,000 active bot nodes each day, garnering up to 1Tbps of deleterious traffic.
  • According to Netlab, on October 11, Fodcha set a new record by attacking 1,396 targets in a single day.

Demanding ransom in Monero

  • The most recent DDoS attack includes extortion by demanding a ransom (in cryptocurrency) to stop the attacks. Monero is a privacy coin that is much more difficult to trace and is not sold by U.S. crypto exchanges to prevent illicit activity.
  • Based on DDoS packets deciphered by Netlab, Fodcha now demands that victims pay 10 XMR (Monero), which is roughly $1,500, or else the attacks will continue.


It is believed that Fodcha makes money by renting out its services to other threat actors who wish to launch DDoS attacks. In light of the rise in attacks, within just seven months of the launch of the botnet, security researchers want organizations to stay alert against this threat.
Cyware Publisher