Cybersecurity researchers are calling attention to a new botnet malware called HTTPBot. It has been used primarily to target the gaming industry, technology companies and educational institutions in China.
“Over the past few months, we have actively expanded our continued use of infected devices to launch external attacks,” NSFOCUS said in a report released this week. “We circumvent traditional rule-based detection mechanisms by employing highly simulated HTTP flood attacks and dynamic feature obfuscation techniques.”
First discovered in the wild in August 2024, HTTPBot gets its name from its use of the HTTP protocol to launch distributed denial-of-service (DDoS) attacks. Written in Golang, it is something of an anomaly given that it targets Windows systems.
The Windows-based botnet trojan is notable for its use in precisely targeted attacks aimed at high-value business interfaces such as game login and payment systems.
“This attack with ‘scalpel-like’ accuracy poses a systematic threat to industries that rely on real-time interactions,” the Beijing-headquartered company said. “HTTPBot marks a paradigm shift in DDoS attacks, moving from ‘indiscriminate traffic control’ to ‘high-precision business strangulation.’”
HTTPBot is estimated to have issued more than 200 attack instructions since its launch in April 2025, and is designed to attack the Chinese gaming industry, technology companies, educational institutions and tourism portals.
When installed and run, the malware hides its graphical user interface (GUI) to avoid process monitoring by both users and security tools, increasing the stealthiness of its attacks. It also relies on unauthorized Windows registry modifications to ensure that it runs automatically when the system starts up.
The botnet malware then establishes contact with a command-and-control (C2) server and waits for further instructions to perform an HTTP flood attack on a particular target by sending large numbers of HTTP requests. It supports a variety of attack modules:
- BrowserAttack, which uses hidden Google Chrome instances to mimic legitimate traffic while exhausting server resources
- HttpAutoAttack, which uses a cookie-based approach to accurately simulate legitimate sessions
- HttpFpDlAttack, which uses the HTTP/2 protocol and tries to increase the server's CPU load by forcing it to return large responses
- WebSocketAttack, which establishes WebSocket connections using the “ws://” and “wss://” protocols
- PostAttack, which forces the use of HTTP POST to carry out the attack
- CookieAttack, which adds a cookie processing flow on top of the BrowserAttack method
“The DDoS botnet family tends to converge on Linux and IoT platforms,” NSFOCUS said. “However, the HTTPBot botnet family is specifically targeted at the Windows platform.”
“By deeply simulating the protocol layer and mimicking legal browser behavior, HTTPBot bypasses defenses that rely on protocol integrity, and continually occupies server session resources via randomized URL paths and cookie replenishment mechanisms.”
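Because traffic of this kind looks protocol-correct, one defensive option is to score per-client behavior on the high-value endpoints instead of matching request signatures. The following is an added example, not code from NSFOCUS or the original report: it flags clients whose requests to login or payment paths combine near-unique URLs with constant session-cookie churn. The log format, endpoint prefixes and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# All values below are assumptions for this example, not from the report.
PROTECTED_PREFIXES = ("/login", "/pay")  # high-value business interfaces
WINDOW_SECONDS = 60                      # tumbling window size
MIN_REQUESTS = 20                        # ignore low-volume clients
MIN_UNIQUE_PATH_RATIO = 0.8              # almost every request hits a new URL
MIN_DISTINCT_SESSIONS = 5                # session cookies seen from one client

def parse_line(line):
    """Parse a constructed log format: 'epoch ip method path session'."""
    epoch, ip, method, path, session = line.split()
    return int(epoch), ip, method, path.split("?", 1)[0], session

def suspicious_clients(lines):
    """Return {(ip, window_start): stats} for clients whose traffic to
    protected endpoints shows path randomization plus cookie churn."""
    buckets = defaultdict(lambda: {"n": 0, "paths": set(), "sessions": set()})
    for line in lines:
        epoch, ip, _method, path, session = parse_line(line)
        if not path.startswith(PROTECTED_PREFIXES):
            continue
        bucket = buckets[(ip, epoch - epoch % WINDOW_SECONDS)]
        bucket["n"] += 1
        bucket["paths"].add(path)
        bucket["sessions"].add(session)
    flagged = {}
    for key, b in buckets.items():
        ratio = len(b["paths"]) / b["n"]
        if (b["n"] >= MIN_REQUESTS and ratio >= MIN_UNIQUE_PATH_RATIO
                and len(b["sessions"]) >= MIN_DISTINCT_SESSIONS):
            flagged[key] = {"requests": b["n"],
                            "unique_path_ratio": round(ratio, 2),
                            "distinct_sessions": len(b["sessions"])}
    return flagged

def sample_log():
    """Constructed sample: one ordinary user and one flood-like client."""
    lines = []
    for i in range(30):  # ordinary browser: one session, one path
        lines.append(f"{1700000000 + i} 198.51.100.10 GET /login s-normal")
    for i in range(30):  # flood-like: new path and new cookie on every request
        lines.append(f"{1700000000 + i} 203.0.113.7 POST /login/{i:04x}?r={i} s-{i}")
    return lines

if __name__ == "__main__":
    for (ip, window), stats in suspicious_clients(sample_log()).items():
        print(ip, window, stats)
```

Requiring both signals together keeps shared NAT addresses, which show many sessions but few distinct paths, from being flagged on cookie count alone.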