New HTTPBot Botnet Launches 200+ Precision DDoS Attacks on Gaming and Tech Sectors

May 16, 2025 | Ravie Lakshmanan | United States

Cybersecurity researchers are drawing attention to a new botnet malware known as HTTPBot that has been targeting the gaming industry, technology companies, and educational institutions in China.

“In recent months, it has been rapidly expanding, utilizing infected devices to launch external attacks,” NSFOCUS stated in a report released this week. “By using highly realistic HTTP Flood attacks and dynamic feature obfuscation techniques, it evades traditional rule-based detection methods.”

First identified in the wild in August 2024, HTTPBot derives its name from its use of HTTP protocols to carry out distributed denial-of-service attacks. Despite being written in Golang, it stands out for its focus on Windows systems.

This Windows-based botnet trojan is notable for its involvement in targeted attacks aimed at critical business interfaces such as game login and payment systems.

“This precise attack represents a systemic threat to industries that depend on real-time interaction,” the Beijing-based company remarked. “HTTPBot signifies a shift in DDoS attacks, moving from ‘indiscriminate traffic suppression’ to ‘high-precision business disruption.’”

Since April 2025, HTTPBot is believed to have issued over 200 attack commands, targeting the gaming industry, technology firms, educational institutions, and tourism websites in China.

Once installed and activated, the malware hides its graphical user interface (GUI) to avoid detection by users and security tools, aiming to enhance the stealth of its attacks. It also manipulates the Windows Registry without authorization to ensure automatic execution upon system startup.

The botnet malware then connects to a command-and-control (C2) server to receive further instructions for executing HTTP flood attacks on specific targets by sending a large volume of HTTP requests. It supports various attack modules, including:

  • BrowserAttack, using hidden Google Chrome instances to mimic legitimate traffic and deplete server resources
  • HttpAutoAttack, employing a cookie-based method to simulate legitimate sessions accurately
  • HttpFpDlAttack, utilizing the HTTP/2 protocol to overload the server’s CPU by inducing large responses
  • WebSocketAttack, establishing WebSocket connections using “ws://” and “wss://” protocols
  • PostAttack, using HTTP POST for the attack
  • CookieAttack, adding a cookie processing flow based on the BrowserAttack method

NSFOCUS mentioned, “DDoS Botnet families typically target Linux and IoT platforms, but the HTTPBot Botnet family specifically focuses on the Windows platform.”

“By closely mimicking protocol layers and legitimate browser behavior, HTTPBot bypasses defenses relying on protocol integrity. It also continually occupies server session resources through randomized URL paths and cookie replenishment mechanisms, instead of relying solely on traffic volume.”
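Because the flood relies on randomized URL paths and replenished cookies against login and payment interfaces rather than on raw volume, a per-client behavioural check is a better fit than a plain rate limit. The following Python heuristic is an added example, not code from the NSFOCUS report or this article; the log format, the protected prefixes, and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Assumed critical business interfaces (the article names login and payment).
PROTECTED_PREFIXES = ("/login", "/pay")

# Constructed sample log, format assumed: "epoch client_ip method path session_cookie"
SAMPLE_LOG = """\
1000 203.0.113.7 GET /login/k3f9a2 s01
1001 198.51.100.20 GET /login sA
1002 203.0.113.7 GET /login/zz81qp s02
1003 198.51.100.20 POST /login sA
1004 203.0.113.7 GET /login/0bd7c4 s03
1005 198.51.100.20 GET /pay/checkout sA
1006 203.0.113.7 GET /login/m2x9ve s04
1007 198.51.100.20 POST /pay/checkout sA
1008 203.0.113.7 GET /login/qa55tt s05
1009 198.51.100.20 GET /login sA
1010 203.0.113.7 GET /login/h7u1we s06
1011 198.51.100.20 GET /pay/checkout sA
1012 198.51.100.21 GET /login sB
"""

def suspicious_clients(log_text, window=60, min_requests=5,
                       path_ratio=0.8, min_sessions=4):
    """Flag clients whose protected-endpoint traffic shows path and cookie churn."""
    buckets = defaultdict(list)  # (ip, window index) -> [(path, session), ...]
    for line in log_text.strip().splitlines():
        ts, ip, _method, path, session = line.split()
        if path.startswith(PROTECTED_PREFIXES):
            buckets[(ip, int(ts) // window)].append((path, session))

    findings = {}
    for (ip, _win), hits in buckets.items():
        n = len(hits)
        if n < min_requests:
            continue  # too few requests in this window to judge
        unique_paths = len({p for p, _ in hits})
        sessions = len({s for _, s in hits})
        # A normal user repeats a few paths under one session; the flood
        # described above keeps changing both.
        if unique_paths / n >= path_ratio and sessions >= min_sessions:
            findings[ip] = {"requests": n, "unique_paths": unique_paths,
                            "sessions": sessions}
    return findings

if __name__ == "__main__":
    for ip, stats in suspicious_clients(SAMPLE_LOG).items():
        print(ip, stats)
```

On real traffic the thresholds need tuning against a baseline, since clients behind a shared NAT or proxy can legitimately carry several sessions from one address.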
