Cybersecurity researchers are calling attention to a new botnet malware called HTTPBot that has been used primarily to target the gaming industry, as well as technology companies and educational institutions in China.
“Over the past few months, it has been aggressively expanded, constantly using infected devices to launch external attacks,” NSFOCUS said in a report published this week. “Using high-dotted flood attacks and dynamic methods of aggravation, this bypasses the traditional mechanisms for detecting the rules.”
HTTPBot, first spotted in the wild in August 2024, is named for its use of HTTP protocols to launch distributed denial-of-service (DDoS) attacks. Written in Golang, it is something of an anomaly given that it targets Windows systems.
The Windows-based botnet trojan is noteworthy for its use in precisely targeted attacks aimed at high-value business interfaces such as login and payment systems.
“This attack with ‘scalpel’ accuracy is a systemic threat to the real-time industries,” said the Beijing-based company. “HTTPBot notes the shift of the paradigm in DDoS attacks, moving from ‘parsing the suppression’ to ‘high accuracy, strangling business’.”
HTTPBot is estimated to have issued at least 200 attack instructions since the beginning of April 2025, with the attacks aimed at the gaming industry, technology companies, educational institutions and tourism portals in China.
Once installed and launched, the malware hides its graphical user interface (GUI) to evade process monitoring by both users and security tools, in an effort to make the attacks stealthier. It also resorts to unauthorized Windows registry manipulation to ensure that it runs automatically at system startup.
The botnet malware then contacts a command-and-control (C2) server and waits for further instructions to carry out HTTP flood attacks against specific targets by sending a large volume of HTTP requests. It supports different attack modules:
- BrowserAttack, which uses hidden Google Chrome instances to mimic legitimate traffic while exhausting server resources
- HttpAutoAttack, which uses a cookie-based approach to accurately imitate legitimate sessions
- HttpFpDlAttack, which uses the HTTP/2 protocol and takes an approach that seeks to increase CPU load on the server by forcing it to return large responses
- WebSocketAttack, which uses the “ws://” and “wss://” protocols to establish WebSocket connections
- PostAttack, which uses HTTP POST to conduct the attack
- CookieAttack, which adds a processing flow based on the BrowserAttack method
“DDoS botnet families are usually found on Linux and IoT platforms,” NSFOCUS said. “However, the HTTPBot botnet family specifically targets the Windows platform.”
“By imitating the layers of protocols and imitating legitimate browser behavior, HTTPBot bypasses the defense that relies on the integrity of the protocols. It also constantly occupies the resources of the server sessions through randomized URL paths and the mechanisms of replenishment, rather than relying on the volume of Traf.”
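The randomized-URL behavior described above suggests a detection that keys on URL diversity against login and payment routes rather than on raw request volume. The following is an added example, not code from NSFOCUS or the original article; the log format (common log format), the protected route prefixes, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed protected endpoints (hypothetical; use your own login/payment routes).
PROTECTED = ("/login", "/pay")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (client, minute, url) for a common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, _method, url, _status = m.groups()
    return client, ts[:17], url  # ts[:17] is the minute bucket, e.g. "16/May/2025:10:00"

def flag_clients(lines, min_requests=20, unique_ratio=0.9):
    """Flag (client, minute) pairs that hit protected endpoints with
    almost-all-distinct URLs: the randomized-path pattern, not raw volume."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole run
        client, minute, url = rec
        if url.startswith(PROTECTED):
            seen[(client, minute)].append(url)
    flagged = {}
    for key, urls in seen.items():
        ratio = len(set(urls)) / len(urls)
        if len(urls) >= min_requests and ratio >= unique_ratio:
            flagged[key] = (len(urls), round(ratio, 2))
    return flagged

def sample_log():
    """Constructed sample: one normal user, one client with randomized login URLs."""
    fmt = '{ip} - - [16/May/2025:10:00:{s:02d} +0800] "GET {url} HTTP/1.1" 200 512'
    normal = [fmt.format(ip="192.0.2.10", s=i, url="/login") for i in range(5)]
    normal += [fmt.format(ip="192.0.2.10", s=i + 5, url="/static/app.js") for i in range(30)]
    noisy = [fmt.format(ip="198.51.100.7", s=i, url=f"/login/{i * 7919 % 100003:x}?r={i}")
             for i in range(40)]
    return normal + noisy

if __name__ == "__main__":
    for (client, minute), (count, ratio) in flag_clients(sample_log()).items():
        print(client, minute, count, ratio)
```

Because a botnet spreads requests across many infected hosts, per-client thresholds may need to be lowered or the same ratio computed per endpoint across all clients.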