Cybersecurity researchers are calling attention to a new botnet malware called HTTPBot that has been used to primarily single out the gaming industry, as well as technology companies and educational institutions in China.
“Over the past few months, it has expanded aggressively, continuously leveraging infected devices to launch external attacks,” NSFOCUS said in a report published this week. “By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms.”
HTTPBot, first spotted in the wild in August 2024, gets its name from the use of HTTP protocols to launch distributed denial-of-service attacks. Written in Golang, it’s something of an anomaly given its targeting of Windows systems.
The Windows-based botnet trojan is noteworthy for its use in precisely targeted attacks aimed at high-value business interfaces such as game login and payment systems.
“This attack with ‘scalpel-like’ precision poses a systemic threat to industries that rely on real-time interaction,” the Beijing-headquartered company said. “HTTPBot marks a paradigm shift in DDoS attacks, moving from ‘indiscriminate traffic suppression’ to ‘high-precision business strangulation.'”
HTTPBot is estimated to have issued no less than 200 attack instructions since the start of April 2025, with the attacks designed to strike the gaming industry, technology companies, educational institutions, and tourism portals in China.
Once installed and run, the malware conceals its graphical user interface (GUI) to sidestep process monitoring by both users and security tools in an effort to increase the stealthiness of the attacks. It also resorts to unauthorized Windows Registry manipulation to ensure that it’s run automatically on system startup.
The botnet malware then proceeds to establish contact with a command-and-control (C2) server to await further instructions to execute HTTP flood attacks against specific targets by sending a high volume of HTTP requests. It supports various attack modules –
- BrowserAttack, which involves using hidden Google Chrome instances to mimic legitimate traffic while exhausting server resources
- HttpAutoAttack, which makes use of a cookie-based approach to accurately simulate legitimate sessions
- HttpFpDlAttack, which uses the HTTP/2 protocol and opts for an approach that seeks to increase the CPU loader on the server by coercing it into returning large responses
- WebSocketAttack, which uses “ws://” and “wss://” protocols to establish WebSocket connections
- PostAttack, which forces the use of HTTP POST to conduct the attack
- CookieAttack, which adds a cookie processing flow based on the BrowserAttack attack method
“DDoS Botnet families tend to congregate on Linux and IoT platforms,” NSFOCUS said. “However, the HTTPBot Botnet family has specifically targeted the Windows platform.”
“By deeply simulating protocol layers and mimicking legitimate browser behavior, HTTPBot bypasses defenses that rely on protocol integrity. It also continuously occupies server session resources through randomized URL paths and cookie replenishment mechanisms, rather than relying on sheer traffic volume.”
