Fodcha DDoS Botnet Now Capable of 1Tbps Power & Attack 100+ Targets Daily

Fodcha DDoS botnet has made a significant return with a brand new version. This updated version of the Fodcha botnet was revealed to the community for the first time by 360Netlab on April 13, 2022.

Several brand-new features were found in this revamped version of the botnet. These features include ransom demands that are injected into packets, as well as evasion tools to hide the infrastructure from detection.

A number of updates and developments have been quietly made to the botnet since April 2022. This means that the threat is constantly evolving and becoming more dangerous threat with every passing day.

There has been an unprecedented amount of growth in Fodcha version 4, which is the latest version of the botnet. At the moment, the team behind the botnet is taking some major steps to stop any further investigation after the last report provided by Netlab.

Communication Protocol

There have been changes made to the protocol used for communication between Fodcha and the users in the newly released version. At the file and traffic level, in an attempt to evade detection, the developers behind this botnet used two key algorithms to encrypt the sensitive resources and network communication. 

Here below we have mentioned the two key algorithms used by the threat actors for encryption:-

While as the primary choice C2, the developers presented the “OpenNIC domain name,” and as a dual C2 solution for backup C2 they presented the “ICANN domain name.”

There are 14 OpenNIC C2s that were constructed and here below we have mentioned them below:-

  • techsupporthelpars.oss
  • yellowchinks.geek
  • yellowchinks.dyn
  • wearelegal.geek
  • funnyyellowpeople.libre
  • chinksdogeaters.dyn
  • blackpeeps.dyn
  • pepperfan.geek
  • chinkchink.libre
  • peepeepoo.libre
  • respectkkk.geek
  • bladderfull.indy
  • tsengtsing.libre
  • obamalover.pirate

Focha’s comeback is even better than before, and all credit belongs to the strong integration of N-Day vulnerability abilities provided by the team behind it.

New Capabilities

The new version of Fodcha has evolved a lot and offers tons of devasting capabilities that we have mentioned below:-

  • 60K daily active bot nodes
  • 40+ IPs bound to C2 domain names
  • Ability to generate more than 1Tbps traffic
  • The daily attack target is 100+
  • The cumulative attack target is over 20,000.

According to 360Netlab report, A total of 1,396 targets were attacked in a single day on October 11 when the attacks peaked at the top edge. A scanned script containing the word “N3t1@bG@Y” was used by the author of Fodcha to provoke the researchers. 

This is interpreted as “NETLABGAY,” where a black Netlab is more or less itchy because it is so blatantly perceptible.


In the following section, we have presented some of the most significant DDoS attack events that have been observed to exhibit some sample evolution:-

  • The first sample of the Fodcha botnet was captured on January 12, 2022.
  • The Fodcha botnet, as well as versions V1 and V2, was publicly disclosed for the first time on April 13, 2022.
  • On April 19, 2022, version V2.x was identified.
  • On April 24, 2022, version V3 was identified.
  • On June 5, 2022, version V4 was identified.
  • On June 7 & 8, 2022, an attack by Fodcha was conducted on a health code organization in a particular country.
  • On July 7, 2022, version V4.x was identified.
  • On September X, 2022, Fodcha attacked a company’s voice business with DDoS during the process of helping a law enforcement agency in a particular country to revise the evidence chain.
  • On September 21, 2022, In the course of a recent attack investigation, a well-known cloud service provider contacted Netlab for assistance, as they claimed they had been attacked and traffic in the attack exceeded 1Tbps. As a result of the investigation, Fodcha was identified as the attacker.

Massive DDoS Scale

This botnet version features the most significant improvement in its functionality in that it delivers ransom demands directly to the network of victims via DDoS packets.

There has been a significant transition in Fodcha’s DDoS operations since April when it attacked an average of 100 victims on a daily basis. Every day, more than a thousand targets are being targeted, a significant increase of ten times from each previous day’s attacks.

There is a significant cost associated with the IP resources that Fodcha uses. Fodcha’s author is keen to expend this money since the author will make double or more money from DDoS attacks alone.

In the below image, you can see the current attack trends and target area distribution of Fodcha:-

China and the United States both have darker colors, which can be attributed to the fact that they have been attacked more frequently than the other countries.

However, the botnet’s influence already extends around the globe, infecting systems in the following countries:-

  • Europe
  • Australia
  • Japan
  • Russia
  • Brazil
  • Canada

There are two versions of Fodcha that use the parallel configuration organization method, V2.X, and V3. The structured Config organization method is used in both V4 and V4.X when it comes to the configuration.

It is imperative to note that the organization methods of Config are completely different, but, the encryption method is similar.

Ransom Demands & Telecommunication

As far as the code level of Fodcha’s network communication is concerned, the feature is very fixed. The network communication of Fodcha involves 4 primary steps and the following steps are involved in Fodcha’s network communication:-

  • decrypt C2
  • DNS query
  • erected communication
  • execute instruction

Fodcha is making money by renting its firepower to other threat actors who wish to launch DDoS attacks. Rather than having its own weapons, Fodcha rents out its firepower to other threat actors so that it can make money. 

Moreover, extortion is also included in this version where a Monero ransom is demanded in order to stop the attacks from going forward.

A DDoS packet analyzed by Netlab has led Fodcha to request that victims pay 10 XMR (Monero) to the attacker, which equals roughly $1,500 based on the amount of XMR requested from victims.

The threat actors demand Monero because it is a privacy coin, which means that the transaction can not be traced much more easily. In consequence, XMR is commonly requested as a payment method by ransomware gangs and other threat actors.

Managed DDoS Attack Protection for Applications – Download Free Guide

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.