New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors

Summary:
In April 2025, NSFOCUS Fuying Lab's Global Threat Hunting system identified a surge in activity from a new Go-based botnet Trojan dubbed HTTPBot. Initially observed in August 2024, HTTPBot has rapidly expanded its reach, frequently leveraging compromised devices to conduct external attacks, primarily targeting China's gaming sector, but also affecting technology companies, educational institutions, and tourism websites. This botnet is notable for its targeted and phased attack strategy, conducting persistent and calculated saturation attacks against specific business interfaces such as game logins and payment systems. Unlike traditional bandwidth-focused botnets, HTTPBot represents a shift toward business-impacting, precision-based DDoS attacks that bypass rule-based defenses using behavioral obfuscation techniques.

HTTPBot incorporates seven distinct HTTP-based DDoS methods, relying on dynamic features such as real browser invocation, randomized headers, cookie manipulation, and HTTP Flood attacks to evade detection. The Trojan operates with high stealth, concealing its GUI and ensuring persistence by modifying registry settings. Each attack command includes an "attack ID" that enables precise initiation and termination of attacks. Control parameters such as attack method, target, thread count, and duration are transmitted using encoded formats like Base64 to avoid signature-based defenses.


Security Officer Comments:
Observed attacks targeted over 80 entities, with frequent attacks noted against gaming platforms, as well as educational sites and scenic attraction websites. HTTPBot’s capabilities include advanced techniques such as dynamic TCP/TLS selection, HTTP/2 exploitation, WebSocket message flooding, and fake browser processes that simulate user behavior. For instance, its HttpAutoAttack method parses server-issued cookies to simulate legitimate sessions, while its HttpFpDlAttack maximizes resource drain by forcing full file downloads and sustaining long-lived connections. The PostAttack and CookieAttack methods focus on deep HTTP POST session simulation and advanced cookie handling, respectively, to bypass server-side protections.


Suggested Corrections:
Defense strategies against HTTP Flood attacks include analyzing fixed traffic patterns such as URI and User-Agent combinations, using redirection mechanisms to filter out bots lacking full HTTP protocol support, leveraging cookie validation, and implementing CAPTCHA challenges to distinguish between bots and real users. Traditional defense mechanisms are becoming less effective against HTTPBot, which dynamically alters request intervals, header sequences, and payloads to evade detection.
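The redirect and cookie-validation defenses listed above can be combined into one gate in front of a protected interface such as a login endpoint. The following is an added example, not code from NSFOCUS or the linked article; the secret, cookie name, TTL and function names are assumptions chosen for illustration. It filters only clients that do not follow the redirect or return the cookie, so it is one layer: as noted above, HttpAutoAttack parses server-issued cookies.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret, rotated in practice
COOKIE = "chal"                    # hypothetical cookie name
TTL = 300                          # seconds a passed challenge stays valid


def _mac(client_ip, expiry):
    """HMAC-SHA256 over the client IP and expiry, hex encoded."""
    return hmac.new(SECRET, f"{client_ip}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_token(client_ip, now):
    """Return 'expiry.mac', with the MAC bound to the client IP and expiry."""
    expiry = str(int(now) + TTL)
    return f"{expiry}.{_mac(client_ip, expiry)}"


def token_valid(token, client_ip, now):
    """Accept only an unexpired token whose MAC matches this client IP."""
    expiry, sep, mac = token.partition(".")
    if not sep or not (expiry.isascii() and expiry.isdigit()) or int(expiry) < now:
        return False
    # Compare as bytes in constant time; a non-ASCII cookie value simply fails.
    return hmac.compare_digest(mac.encode(), _mac(client_ip, expiry).encode())


def gate(client_ip, path, cookies, now=None):
    """Decide what to do with one request to a protected interface.

    Returns (status, headers): 200 passes the request to the application,
    302 sends the client back to the same path with a fresh challenge cookie.
    """
    now = time.time() if now is None else now
    if token_valid(cookies.get(COOKIE, ""), client_ip, now):
        return 200, {}
    token = issue_token(client_ip, now)
    return 302, {
        "Location": path,
        "Set-Cookie": f"{COOKIE}={token}; Max-Age={TTL}; HttpOnly; Path=/",
        "Cache-Control": "no-store",
    }
```

Clients that keep receiving 302 responses without ever presenting a valid cookie are candidates for rate limiting or a CAPTCHA challenge.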


Link(s):
https://thehackernews.com/2025/05/new-httpbot-botnet-launches-200.html