Hpingbot: A New Botnet Family Based on Pastebin Payload Delivery Chain and Hping3 DDoS Module

July 3, 2025 | NSFOCUS

Overview

In June 2025, the NSFOCUS Fuying Lab Global Threat Hunting System detected a new Go-based botnet family spreading on a large scale and iterating rapidly through successive versions. We named it “hpingbot” and placed it under intensive monitoring. hpingbot is a cross-platform family that supports Windows and Linux/IoT, and the attackers have built versions for several processor architectures, including amd64, mips, arm and 80386. In recent years, leaked botnet source code and the spread of AI tooling have lowered the bar for botnet development, so new Trojans derived from traditional families such as Mirai and Gafgyt appear constantly. hpingbot stands out from these: it is a new family built from scratch that shows real innovation and makes efficient use of existing resources, distributing payloads through the online text storage and sharing platform Pastebin and launching DDoS attacks with the network testing tool hping3. This both improves stealth and significantly reduces development and operating costs.

It is worth noting that the Windows version of hpingbot cannot call hping3 directly to launch DDoS attacks, yet it is just as active, which indicates that the attackers are not focused solely on DDoS and more likely value its ability to download and execute arbitrary payloads. The attackers continue to penetrate new hosts and are trying to build, through the nodes they control, an infrastructure for downloading and executing other components. In recent years, more and more APT and ransomware groups have used botnets as “outposts”, distributing other malicious components from the footholds the botnet has already established. Such threats call for continued vigilance.

Attack Situation

Our monitoring data shows that hpingbot is silent most of the time, and it has issued relatively few DDoS attack instructions. Since June 17, only a few hundred DDoS instructions have been issued, with Germany as the main target country. The United States and Turkey have also been attacked.

One IP address, “79.*.*.212”, attacked by hpingbot early in its development deserves attention. Since March 2025, six emerging botnet families have launched more than 15,000 DDoS attacks against “79.*.*.212”. Further analysis showed that the open source real-time performance monitoring tool NetData was deployed on port 19999 of this host. NetData provides real-time monitoring and visual analysis of servers, containers, applications and network devices at one-second resolution. These new botnets may be using this host to test the capabilities of their newly developed DDoS modules in live attacks.

[Figure: NetData]

Distribution of New Trojans

The developers of hpingbot have been extremely active recently. Since June 19, 2025, the attackers have used nodes controlled by hpingbot to distribute another Go-based DDoS component. This component differs markedly from hpingbot: although it uses the same C&C server and heartbeat mechanism, it neither accesses Pastebin nor calls hping3. It only has built-in UDP and TCP flood functions.

[Figure: Attack method]

The large amount of German-language debugging information left in the newly distributed DDoS component indicates that the component was probably developed recently and is still in the testing stage. The attacker deploys components still under test straight into the live environment for verification, which shows a high degree of confidence in the attack and disregard for the defender.

[Figure: Debugging information in the Trojan]

There are two possible motivations for distributing the new DDoS component through hpingbot. First, the attacker may intend to replace the original hpingbot, in whole or in part, with the new component; for example, on devices where hping3 could not be installed, it could be replaced selectively. Second, the attacker may rely heavily on hpingbot’s ability to download and execute arbitrary payloads and be using it as a distribution channel for other malicious components. The specific purpose requires further monitoring, but the behaviour observed after the component was distributed is noteworthy:

1. After the new DDoS component is distributed, the original hpingbot sample remains active;

2. The new DDoS component has relatively basic functions and does not have the ability to self-update. If an attacker plans to completely replace the original hpingbot with this version, it will seriously weaken its subsequent attack iteration capabilities;

3. Although the Windows version of hpingbot cannot call hping3 to launch DDoS attacks, its activity level is high, further confirming that attackers attach great importance to the payload download execution function;

4. hpingbot launches DDoS attacks infrequently and is silent most of the time, which also shows that DDoS is not its only purpose.

In recent years, botnets have become ever more closely integrated with advanced threats such as APT and ransomware. Attackers have fully exploited the value of botnets as “outposts”: they establish as many footholds as possible and then carry out follow-on attacks by reusing the botnet’s existing strongholds, or by using the botnet directly to distribute other attack components.

Separate Propagation Module

Hpingbot spreads mainly through SSH weak-password brute forcing and other methods. Notably, its SSH propagation module is not built into the sample body but exists as an independent component. In recent years, attackers have generally tended to use independent propagation modules: this strategy helps keep key information from leaking and also allows more precise control over the scope of propagation.

Attack Technology Analysis (ATT&CK Perspective)

Hpingbot combines techniques from several ATT&CK tactics in its implementation, for example:

  • Using the Pastebin platform to host malicious payloads
  • Combining system services (Systemd/SysVinit) with scheduled tasks (Cron) to achieve persistence
  • Deploying attack tools and detecting the system architecture through shell scripts
  • Deploying hping3 to launch DDoS attacks
  • Deleting its own files and clearing logs after execution to avoid detection

ATT&CK tactic | Technique ID | Technique name
Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell
Execution | T1569.002 | System Services: Service Execution
Persistence | T1543.002 | Create or Modify System Process: Systemd Service
Persistence | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts
Persistence | T1053.003 | Scheduled Task/Job: Cron
Defense Evasion | T1070.004 | Indicator Removal: File Deletion
Defense Evasion | T1070.003 | Indicator Removal: Clear Command History
Command and Control | T1102.002 | Web Service: Pastebin
Command and Control | T1095 | Non-Application Layer Protocol
Command and Control | T1008 | Fallback Channels
Impact | T1498 | Network Denial of Service
Discovery | T1082 | System Information Discovery
Resource Development | T1588.001 | Acquire Tool: Software
Resource Development | T1588.006 | Acquire Infrastructure: Web Services

Trojan File Analysis

Hpingbot uses the online text storage and sharing platform Pastebin to distribute payloads and is equipped with a dedicated download and installation module. It uses several techniques to maintain persistent control of compromised devices. The process of establishing communication between the Trojan and the C&C server has no authentication mechanism, but it does include a heartbeat: the sample sends a fixed string to the controller, one way, once every 10 seconds. Its DDoS module carries out attacks by calling the command-line testing tool hping3, and by passing different parameters to hping3 the attacker supports more than 10 kinds of DDoS attack.
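The one-way, fixed-content, ten-second heartbeat described above is a detectable pattern on the wire even when the C&C address is unknown. The following detector is an added example (not NSFOCUS code or hpingbot code): it groups outbound flow records by destination and payload length (a proxy for a fixed string when the payload itself is not logged) and flags groups whose inter-arrival times cluster around a given period. The flow records and addresses are constructed for the example.

```python
"""Flag a one-way, fixed-size, fixed-interval heartbeat in outbound flow records.
Added example, not NSFOCUS code; the records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed records: (timestamp in seconds, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS: List[Tuple[float, str, int, int]] = [
    # hpingbot-style heartbeat: one destination, one payload length, ~10 s apart
    (0.0, "198.51.100.7", 1337, 12), (10.1, "198.51.100.7", 1337, 12),
    (19.9, "198.51.100.7", 1337, 12), (30.0, "198.51.100.7", 1337, 12),
    (40.2, "198.51.100.7", 1337, 12), (49.9, "198.51.100.7", 1337, 12),
    (60.0, "198.51.100.7", 1337, 12), (70.1, "198.51.100.7", 1337, 12),
    # ordinary web traffic: varying sizes and timing to one destination
    (1.3, "203.0.113.5", 443, 517), (1.4, "203.0.113.5", 443, 1460),
    (7.8, "203.0.113.5", 443, 233), (31.0, "203.0.113.5", 443, 1460),
    (55.2, "203.0.113.5", 443, 90),
    # NTP-like traffic: fixed size but irregular interval, must not be flagged
    (0.5, "192.0.2.123", 123, 48), (3.5, "192.0.2.123", 123, 48),
    (40.5, "192.0.2.123", 123, 48), (41.5, "192.0.2.123", 123, 48),
    (100.5, "192.0.2.123", 123, 48), (130.5, "192.0.2.123", 123, 48),
]


def find_heartbeats(flows: List[Tuple[float, str, int, int]],
                    period: float = 10.0,
                    tolerance: float = 0.5,
                    min_count: int = 5) -> List[Dict]:
    """Return (dst, port, size) groups whose average gap is within `tolerance`
    of `period` and whose jitter (population stdev of the gaps) is also small."""
    groups = defaultdict(list)
    for ts, dst, port, size in flows:
        groups[(dst, port, size)].append(ts)

    hits = []
    for (dst, port, size), times in groups.items():
        if len(times) < min_count:          # too few samples to call it a beacon
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance and jitter <= tolerance:
            hits.append({"dst": dst, "port": port, "size": size,
                         "count": len(times), "period": round(avg, 2),
                         "jitter": round(jitter, 2)})
    return hits


if __name__ == "__main__":
    for hit in find_heartbeats(SAMPLE_FLOWS):
        print(f"possible heartbeat to {hit['dst']}:{hit['port']} "
              f"size={hit['size']} every ~{hit['period']}s (n={hit['count']})")
```

Only the constructed heartbeat group is reported; the web traffic never forms a large enough fixed-size group and the NTP-like traffic fails the period and jitter checks. In production the same grouping can be run per source host over NetFlow or Zeek conn records, and a hit is a prompt to inspect the host for the persistence artifacts described later in this report.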

Using hping3 to Launch DDoS Attacks

Hpingbot downloads and installs hping3 by executing the command ‘apt -y install hping3’ and then calls hping3 to launch DDoS attacks. Note that Windows does not support installing hping3 via apt install. Nevertheless the Windows version of hpingbot is still spreading widely, which indicates that the attackers are not focused solely on DDoS and more likely value its ability to download and execute arbitrary payloads. The attackers continue to infiltrate new hosts and intend to use hpingbot to distribute other attack components. This behaviour warrants high vigilance.

Hping3 is a powerful command-line network testing tool that supports multiple protocols (TCP, UDP, ICMP and raw IP) and lets users customize packets in detail. It is often used for network diagnosis, security auditing and attack simulation, and its flexibility and scriptability make it a common tool for network engineers and security analysts.

Hpingbot’s DDoS attack instructions are all executed by calling hping3 with the corresponding parameters. The current version of hpingbot supports the following DDoS attack methods:

Instruction | Calling method | Description
ack | main_handleACK | ACK FLOOD
psh | main_handlePSH | TCP FLOOD
prst | main_handleRST | TCP FLOOD
syn | main_handleSYN | SYN FLOOD
udp | main_handleUDP | UDP FLOOD
fpua | main_handleFPUA | MIX FLOOD (Mixed Mode)
syn-ack | main_handleSYNACK | MIX FLOOD (Mixed Mode)
fin-syn | main_handleSYNFIN | SYN FLOOD
syn-psh | main_handleSYNPSH | SYN FLOOD
fin-ack | main_handleFINACK | ACK FLOOD
psh-ack | main_handlePSHACK | ACK FLOOD
fsrpau | main_handleFSRPau | MIX FLOOD (Mixed Mode)
botox | main_handleBOTOX | MIX FLOOD (Mixed Mode)

Attack Instruction Parsing

The attack command format of hpingbot is highly streamlined and is issued as a plaintext string. The basic format is “<method name> <target IP> <port> <duration> <packet size> <other parameters>”. The fields are combined and passed to hping3, which then launches the DDoS attack on the target. For example, the command shown above simulates a 2-second BOTOX attack against port 80 of a specific target IP; the resulting attack traffic shows a mixed attack mode.

[Figure: Attack traffic]
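Because the instruction is plaintext and the instruction names are enumerated in the table above, a sandbox or network sensor can decode captured C&C commands into structured records for alerting and victim notification. The decoder below is an added example (not NSFOCUS code or hpingbot code); the sample instruction lines and target addresses are constructed, and the instruction-to-flood-type mapping is taken from the table above.

```python
"""Decode hpingbot attack instructions of the form
"<method> <target IP> <port> <duration> <packet size> [other parameters...]"
into structured records for logging. Added example, not NSFOCUS code;
the sample lines below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Instruction name -> flood category, from the report's instruction table.
METHODS = {
    "ack": "ACK FLOOD", "psh": "TCP FLOOD", "prst": "TCP FLOOD",
    "syn": "SYN FLOOD", "udp": "UDP FLOOD", "fpua": "MIX FLOOD (Mixed Mode)",
    "syn-ack": "MIX FLOOD (Mixed Mode)", "fin-syn": "SYN FLOOD",
    "syn-psh": "SYN FLOOD", "fin-ack": "ACK FLOOD", "psh-ack": "ACK FLOOD",
    "fsrpau": "MIX FLOOD (Mixed Mode)", "botox": "MIX FLOOD (Mixed Mode)",
}


@dataclass
class AttackInstruction:
    method: str
    category: str
    target: str
    port: int
    duration: int
    packet_size: int
    extra: List[str] = field(default_factory=list)


def parse_instruction(line: str) -> Optional[AttackInstruction]:
    """Return a structured record, or None if the line is not a well-formed
    attack instruction (unknown method, bad IP, out-of-range port, etc.)."""
    parts = line.strip().split()
    if len(parts) < 5:
        return None
    method = parts[0].lower()
    if method not in METHODS:
        return None
    try:
        target = str(ipaddress.ip_address(parts[1]))
        port, duration, size = (int(p) for p in parts[2:5])
    except ValueError:
        return None
    if not 0 <= port <= 65535 or duration <= 0 or size < 0:
        return None
    return AttackInstruction(method, METHODS[method], target, port,
                             duration, size, parts[5:])


def decode_stream(lines: List[str]) -> Tuple[List[AttackInstruction], List[str]]:
    """Split captured C&C lines into decoded attack instructions and
    rejected lines (non-attack commands, or malformed input) for review."""
    parsed, rejected = [], []
    for line in lines:
        if not line.strip():
            continue
        inst = parse_instruction(line)
        if inst is None:
            rejected.append(line.strip())
        else:
            parsed.append(inst)
    return parsed, rejected


# Constructed sample of captured C&C lines (addresses are documentation ranges).
SAMPLE_LINES = [
    "botox 203.0.113.10 80 2 512",          # the 2-second BOTOX case from the report
    "udp 192.0.2.9 53 10 1024 x1 x2",       # trailing fields are passed through as-is
    "UPDATE",                               # not an attack instruction
    "syn not-an-ip 80 5 64",                # malformed target
    "ack 203.0.113.10 70000 5 64",          # port out of range
]

if __name__ == "__main__":
    ok, bad = decode_stream(SAMPLE_LINES)
    for inst in ok:
        print(f"{inst.category:<24} -> {inst.target}:{inst.port} for {inst.duration}s")
    print("rejected:", bad)
```

The rejected list is worth keeping: a line such as UPDATE is not an attack, but in later hpingbot versions it is the trigger for the Pastebin fetch described in the next section, so it deserves its own alert.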

Download and Execute Any Payload with Pastebin

The hpingbot sample has four hard-coded Pastebin links embedded in it. Pastebin is an online text storage and sharing service that allows users to upload plain text content (such as code snippets, configuration files, logs, notes, etc.) to the server and generate a unique URL link for users to quickly share or access content through the link.

[Figure: Pastebin link]

In earlier versions, these links were accessed directly after the sample started; the returned data was parsed and executed. In later versions this function was moved into the UPDATE module and is triggered only after an UPDATE command is received.

[Figure: Execute command]

Our monitoring data shows that the content stored behind the Pastebin links changes frequently, indicating that the attacker is continuously adjusting the payload distribution strategy. For example:

  • June 13, 2025: the link stores only a single IP address;
  • June 14: the stored content is replaced with instructions to download the payload.sh file. payload.sh is a download and installation script with German comments.

Dedicated Download and Installation Module

As the download and installation module, payload.sh is responsible for the initial configuration, file download and installation, persistence and trace cleaning carried out during the self-update process.

(1) Self-update: The self-update operation of the hpingbot botnet is completed by executing payload.sh, and the specific process is as follows:

  • Architecture identification: Detect CPU architecture (such as x86_64, arm64, etc.) through uname -m. Generate the corresponding file name (such as cARM-amd64) according to the architecture. Unsupported architectures will report an error and exit
  • Old environment cleanup: delete the old directory, terminate the running process (the Trojan itself), and rebuild the directory
  • Download tool adaptation: Prioritize using curl or wget to download components. If both are missing, curl is automatically installed
  • Component download: Concatenate the complete download URL (such as http://128.*.*.18/cARM-amd64). Download the file to /etc/de/cARM through curl/wget and grant executable permissions
  • Verify the validity of the file: Check that the file is not empty, otherwise report an error and exit

[Figure: Self-update]

(2) Persistence: This module implements a variety of persistence methods, including:

  • Systemd: Create a service unit file, set the boot self-start and start the service
  • SysVinit: Create an init script and enable autostart with update-rc.d or chkconfig
  • Cron: Set to run on restart via the @reboot rule

(3) Trace cleaning: After completing the self-update and persistence operations, the module will perform trace cleaning steps, which also shows that the attacker is on high alert. The implementation method is as follows:

  • Clear command history
  • The script deletes itself after a 1-second sleep, and the main process exits immediately
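The self-update and persistence steps above leave host artifacts that survive the trace cleaning: a binary under /etc/de/ named cARM-<arch>, a systemd unit, a SysVinit script and an @reboot cron entry that launch it. The hunting script below is an added example (not NSFOCUS code or payload.sh) that scans the usual persistence locations for those indicators; the service and script names and all sample file contents are constructed and written to a temporary directory so the example runs offline.

```python
"""Hunt for hpingbot-style persistence artifacts: systemd units, SysVinit
scripts and @reboot cron jobs that launch a binary under /etc/de/.
Added example, not NSFOCUS code; the sample tree is constructed."""
import os
import re
import tempfile
from typing import Dict, List

# Indicators taken from the report: staging directory and binary name pattern.
STAGING_DIR = "etc/de"
BINARY_RE = re.compile(r"/etc/de/cARM(?:-[A-Za-z0-9]+)?\b")
REBOOT_RE = re.compile(r"^\s*@reboot\s+(.+)$")

# Locations where the report's three persistence methods leave files.
PERSISTENCE_DIRS = ["etc/systemd/system", "etc/init.d", "etc/cron.d",
                    "var/spool/cron"]


def scan_text(source: str, text: str) -> List[Dict]:
    """Classify each line of one file: a reference to the staging binary,
    an @reboot job pointing at it, or any other @reboot job (for review)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reboot = REBOOT_RE.match(line)
        path = BINARY_RE.search(line)
        if reboot and path:
            kind = "cron_reboot_hpingbot"
        elif reboot:
            kind = "cron_reboot_review"      # any @reboot job deserves a look
        elif path:
            kind = "hpingbot_path"
        else:
            continue
        findings.append({"source": source, "line": lineno, "kind": kind,
                         "evidence": line.strip()})
    return findings


def scan_tree(root: str = "/") -> List[Dict]:
    """Walk the persistence directories under `root` (use "/" on a live host)
    and report the staging directory plus every matching line."""
    findings = []
    staging = os.path.join(root, STAGING_DIR)
    if os.path.isdir(staging):
        findings.append({"source": staging, "line": 0, "kind": "staging_dir",
                         "evidence": "directory exists"})
    for rel in PERSISTENCE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, rel)):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(path, fh.read()))
                except OSError:
                    continue
    return findings


def build_sample_tree() -> str:
    """Create a constructed filesystem tree with one artifact of each kind,
    plus one benign @reboot job, and return its root."""
    root = tempfile.mkdtemp(prefix="hpingbot-hunt-")
    samples = {
        "etc/systemd/system/de.service":   # unit name is a constructed guess
            "[Unit]\nDescription=constructed sample\n[Service]\n"
            "ExecStart=/etc/de/cARM-amd64\nRestart=always\n"
            "[Install]\nWantedBy=multi-user.target\n",
        "etc/init.d/de":
            "#!/bin/sh\n### BEGIN INIT INFO\n# Provides: de\n### END INIT INFO\n"
            "/etc/de/cARM-amd64 &\n",
        "var/spool/cron/root":
            "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
            "@reboot /etc/de/cARM-amd64\n",
        "etc/cron.d/backup":
            "@reboot root /usr/local/bin/backup-check\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, STAGING_DIR), exist_ok=True)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['kind']:<22} {f['source']}:{f['line']}  {f['evidence']}")
```

Run with scan_tree("/") on a suspect Linux host. The staging directory itself is the strongest single indicator, since the report notes that payload.sh rebuilds /etc/de on every self-update; the benign @reboot entry is reported as "review" only, so the output separates confirmed matches from items that merely need a second look.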

Frequently Updated Versions

Hpingbot is a new, rapidly iterating botnet family whose operators are constantly improving the Trojan. Since June 13, 2025, the attackers have made the following improvements:

  • Updated the Pastebin link content several times: from a single IP address in early versions to download-script instructions;
  • Continuously optimized the download and installation script: according to the version numbers in the script comments, at least 10 versions have been iterated;
  • Improved the UPDATE module: early samples executed the update automatically after starting, while new versions update only after receiving the UPDATE command;
  • Improved hping3 installation compatibility: early versions supported only apt install, while new versions also support package managers such as yum and pacman to cope with varied environments;
  • Changed the C&C server address three times. Such frequent replacement of C&C servers indicates strong anti-detection awareness and ample resource reserves.

Summary

Hpingbot is still at an early stage of development, but it is active and iterating rapidly. The family uses the Pastebin service for flexible payload distribution, uses the hping3 tool to launch DDoS attacks, and maintains persistence through Systemd, SysVinit and Cron. To evade detection and tracking, the attackers frequently change command and control (C&C) server nodes and continuously release new Trojan versions.

Monitoring data shows that the attackers are continuously refining the content they place on Pastebin and the corresponding download and installation scripts, and are quickly updating Trojan files based on problems found in real attacks. This points to an intention to operate the family over the long term, with a risk that it will be used to distribute more dangerous payloads (such as ransomware or APT components). The rapid pace of improvement suggests a professional development team may be behind it. Fuying Lab will continue to monitor hpingbot and the controllers behind it.

IOC

45.139.113.61

193.32.162.210

http://128.0.118.18

http://93.123.118.21

http://94.156.181.41

F33E6976E3692CB3E56A4CC9257F5AAE