What is HTTPBot?
Cybersecurity researchers are drawing attention to a new botnet malware called HTTPBot, which primarily targets the gaming industry, alongside technology companies and educational institutions in China.
“Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks,” NSFOCUS stated in a report published this week. “By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms.”
Researchers first spotted HTTPBot in the wild in August 2024 and named it for its use of HTTP protocols to launch distributed denial-of-service attacks. Written in Golang, it stands out as an anomaly due to its focus on Windows systems.
This Windows-based botnet trojan stands out for executing precisely targeted attacks on high-value business interfaces, such as game login and payment systems.
“This attack with ‘scalpel-like’ precision poses a systemic threat to industries that rely on real-time interaction,” the Beijing-headquartered company emphasized. “HTTPBot marks a paradigm shift in DDoS attacks, moving from ‘indiscriminate traffic suppression’ to ‘high-precision business strangulation.'”
How it works?
Since the start of April 2025, HTTPBot has issued no fewer than 200 attack instructions, aiming these strikes at the gaming industry, technology companies, educational institutions, and tourism portals in China.
Once installed and running, the malware actively hides its graphical user interface (GUI) to evade process monitoring by both users and security tools, thereby increasing the stealthiness of its attacks. In addition, it manipulates the Windows Registry without authorization to ensure it runs automatically at system startup.
Next, the botnet malware establishes contact with a command-and-control (C2) server, then waits for further instructions to launch HTTP flood attacks against designated targets by sending a high volume of HTTP requests. It supports various attack modules:
- BrowserAttack, which launches hidden Google Chrome instances to mimic legitimate traffic while exhausting server resources
- HttpAutoAttack, which simulates valid sessions using a cookie-based method
- HttpFpDlAttack, which employs the HTTP/2 protocol and drives up server CPU load by triggering large response requests
- WebSocketAttack, which initiates connections through “ws://” and “wss://” protocols
- PostAttack, which executes attacks via HTTP POST requests
- CookieAttack, which enhances BrowserAttack by incorporating a cookie-processing flow
“DDoS botnet families typically congregate on Linux and IoT platforms,” NSFOCUS noted. “However, the HTTPBot botnet family specifically targets the Windows platform.”
“By deeply simulating protocol layers and imitating legitimate browser behavior, HTTPBot bypasses defenses that rely on protocol integrity. Moreover, it persistently occupies server session resources through randomized URL paths and cookie replenishment techniques, rather than depending solely on overwhelming traffic volume.”
Source: TheHackerNews
