HTTPBot: Precision DDoS Malware Targeting Windows Systems and Chinese Industries
Cybersecurity experts are raising alarms about a newly identified botnet malware known as HTTPBot, which has been increasingly active in recent months, particularly targeting the gaming sector, tech firms, and academic institutions in China.

According to a new report from NSFOCUS, HTTPBot has rapidly evolved, utilizing compromised devices to orchestrate external cyberattacks. Unlike traditional DDoS malware, HTTPBot employs advanced HTTP Flood techniques and dynamic obfuscation, enabling it to slip past conventional detection systems that rely on static rules.
Discovered in August 2024, HTTPBot distinguishes itself by using HTTP protocols for carrying out distributed denial-of-service (DDoS) attacks, and by being developed in Golang—an uncommon choice for malware targeting Windows platforms.
The malware stands out for its surgical precision, often targeting critical business operations such as gaming login and payment systems. NSFOCUS describes this tactic as a shift from broad-scale disruption to targeted operational sabotage, threatening industries that depend heavily on real-time user interaction.
Since April 2025, over 200 attack commands have been linked to HTTPBot, with a focus on Chinese gaming companies, technology providers, educational platforms, and tourism websites.
Once installed on a system, HTTPBot hides its GUI, making it harder for users or antivirus tools to detect its activity. It also modifies the Windows Registry to gain persistence, ensuring it runs every time the system boots.
The malware communicates with a command-and-control (C2) server to receive specific instructions and launch various HTTP-based DDoS attacks, which include:
- BrowserAttack: Uses hidden instances of Google Chrome to simulate normal web traffic and deplete server resources.
- HttpAutoAttack: Employs cookies to accurately mimic valid user sessions.
- HttpFpDlAttack: Utilizes HTTP/2 to increase server CPU load by triggering large data responses.
- WebSocketAttack: Establishes WebSocket connections to exploit "ws://" and "wss://" protocols.
- PostAttack: Relies on HTTP POST requests for disruptive activity.
- CookieAttack: Enhances BrowserAttack by introducing more complex cookie management.
NSFOCUS highlights that while most DDoS botnets typically operate on Linux or IoT devices, HTTPBot breaks the mold by specifically targeting Windows environments.
Its strength lies in its ability to emulate legitimate web traffic down to the protocol layer, allowing it to bypass defenses that focus on traffic patterns or protocol compliance. Rather than overwhelming targets with sheer volume, HTTPBot undermines systems by occupying session resources through techniques like randomized URLs and constant cookie updates.
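
A behavioural check for the randomized-URL and cookie-churn pattern described above, as an added example that is not taken from the NSFOCUS report or this article. The record layout, the function names, and the window, request-count and ratio thresholds are assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed records (not real traffic): (epoch_s, client_ip, path, cookie)."""
    rows = []
    # Ordinary visitor: a few repeated paths, one stable session cookie.
    for i, path in enumerate(["/login", "/home", "/shop", "/home", "/shop"]):
        rows.append((1200 + i * 8, "198.51.100.7", path, "sid=aaa111"))
    # Flood-like client: every request carries a new URL and a new cookie value.
    for i in range(40):
        token = i * 7919 % 100003
        rows.append((1200 + i, "203.0.113.9", f"/login?r={token:05x}", f"sid={i:06d}"))
    return rows

def score_clients(rows, window=60, min_requests=30, ratio=0.9):
    """Flag clients whose requests inside one time window are nearly all
    unique URLs while the cookie changes on nearly every request.
    window, min_requests and ratio are assumed tuning values."""
    buckets = defaultdict(list)
    for ts, ip, path, cookie in rows:
        buckets[(ip, ts // window)].append((ts, path, cookie))
    flagged = {}
    for (ip, win), reqs in buckets.items():
        n = len(reqs)
        if n < min_requests:
            continue  # too few requests to judge; skips ordinary browsing
        reqs.sort()
        # Share of requests that hit a URL not seen elsewhere in the window.
        url_ratio = len({path for _, path, _ in reqs}) / n
        # Share of consecutive request pairs where the cookie value changed.
        changes = sum(1 for a, b in zip(reqs, reqs[1:]) if a[2] != b[2])
        cookie_churn = changes / (n - 1)
        if url_ratio >= ratio and cookie_churn >= ratio:
            flagged[ip] = {"window": win, "requests": n,
                           "url_ratio": round(url_ratio, 2),
                           "cookie_churn": round(cookie_churn, 2)}
    return flagged

if __name__ == "__main__":
    for ip, stats in score_clients(build_sample()).items():
        print(ip, stats)
```

Both signals are required together, so a crawler that walks many URLs under one stable session is not flagged by this check alone.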