Cybersecurity researchers are drawing attention to a newly identified botnet malware called HTTPBot,
which has primarily targeted the gaming industry, technology companies, and educational institutions in China.
According to a report published this week by NSFOCUS, "Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms."
HTTPBot, first observed in the wild in August 2024, is named for its use of HTTP protocols to carry out distributed denial-of-service (DDoS) attacks. Written in Golang, it stands out for its focus on Windows systems, which is unusual for botnet malware.
The Windows-based botnet trojan is particularly notable for its use in highly targeted attacks against valuable business functions such as gaming login and payment systems.
NSFOCUS described it as an attack with "scalpel-like" precision, presenting a systemic threat to industries dependent on real-time interaction. HTTPBot represents a shift in DDoS attack strategy, moving from broad traffic disruption to precise business interference.
Since April 2025, HTTPBot is believed to have executed over 200 attack commands. These attacks have been aimed at sectors including gaming, technology, education, and tourism portals in China.
Once installed and executed, the malware hides its graphical user interface (GUI) to avoid detection by users and security tools, enhancing the stealth of its operations. It also modifies the Windows Registry without authorization to ensure it launches automatically when the system starts.
The botnet then connects to a command-and-control (C2) server and waits for further instructions. It is capable of launching HTTP flood attacks on designated targets by sending large volumes of HTTP requests. It supports several attack modules including:
- BrowserAttack: Uses hidden Google Chrome processes to simulate legitimate traffic and overload servers
- HttpAutoAttack: Employs cookie-based tactics to mimic real user sessions accurately
- HttpFpDlAttack: Uses HTTP/2 to increase CPU load on servers by forcing them to deliver large responses
- WebSocketAttack: Establishes WebSocket connections via "ws://" and "wss://"
- PostAttack: Uses HTTP POST requests for the attack
- CookieAttack: Adds cookie processing to the BrowserAttack method
NSFOCUS noted that DDoS botnets typically target Linux and IoT platforms, whereas HTTPBot has been deliberately developed for the Windows environment.
By closely simulating protocol behaviour and mimicking legitimate browser activity, HTTPBot evades detection methods that rely on checking protocol integrity. Rather than relying solely on high traffic volume, it exhausts server session resources by requesting random URL paths and continuously updating cookies.
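The evasion pattern just described (many requests, each to a never-repeated path, with the cookie rotating on every request) is something a defender can profile per client from ordinary access logs. The following is an added example, not code from the article or from NSFOCUS: it assumes an Apache-style LogFormat with the request Cookie header appended as a final quoted field, generates constructed sample lines for one HTTPBot-like client and one benign client, and flags clients whose unique-path and unique-cookie ratios both exceed illustrative thresholds.

```python
import random
import re
from collections import defaultdict

# Assumed LogFormat (not from the article); the cookie is the last quoted field:
# %h - - [%t] "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{Cookie}i"
LINE_RE = re.compile(
    r'^(\S+) - - \[[^\]]+\] "(\w+) (\S+) [^"]+" \d+ \d+ "[^"]*" "[^"]*" "([^"]*)"$')

def make_sample_log(seed=1):
    """Constructed sample log: one client hitting the login endpoint HTTPBot-style
    (fresh random path and a new cookie on every request) plus one benign client."""
    rng = random.Random(seed)
    ua = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
    lines = []
    for _ in range(40):  # flood client: unique path and cookie every time
        path = "/account/login?r=%08x" % rng.getrandbits(32)
        cookie = "session=%016x" % rng.getrandbits(64)
        lines.append('203.0.113.7 - - [10/May/2025:10:00:01 +0000] "GET %s HTTP/1.1" '
                     '200 512 "-" "%s" "%s"' % (path, ua, cookie))
    for i in range(12):  # benign client: a few repeated paths, one stable session
        path = ["/account/login", "/static/app.js", "/account/home"][i % 3]
        lines.append('198.51.100.4 - - [10/May/2025:10:00:02 +0000] "GET %s HTTP/1.1" '
                     '200 512 "-" "%s" "session=abc123"' % (path, ua))
    rng.shuffle(lines)
    return lines

def profile_clients(lines):
    """Per source IP: (request count, distinct-path ratio, distinct-cookie ratio)."""
    hits = defaultdict(lambda: {"n": 0, "paths": set(), "cookies": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, _method, path, cookie = m.groups()
        rec = hits[ip]
        rec["n"] += 1
        rec["paths"].add(path)
        rec["cookies"].add(cookie)
    return {ip: (r["n"], len(r["paths"]) / r["n"], len(r["cookies"]) / r["n"])
            for ip, r in hits.items()}

def flag_suspicious(lines, min_requests=20, min_path_ratio=0.8, min_cookie_ratio=0.5):
    """Flag clients with many requests that almost never repeat a path and that
    rotate cookies continuously; thresholds are illustrative, tune them per site."""
    return sorted(ip for ip, (n, pr, cr) in profile_clients(lines).items()
                  if n >= min_requests and pr >= min_path_ratio and cr >= min_cookie_ratio)

if __name__ == "__main__":
    log = make_sample_log()
    for ip, stats in profile_clients(log).items():
        print(ip, "requests=%d path_ratio=%.2f cookie_ratio=%.2f" % stats)
    print("flagged:", flag_suspicious(log))
```

A real deployment would compute these ratios over a sliding time window and per target endpoint, since a legitimate crawler can also produce many distinct paths but will not rotate its session cookie on every request.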