High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding

May 12, 2025 | NSFOCUS

Overview

In April 2025, the Global Threat Hunting system of NSFOCUS Fuying Lab detected a significant increase in the activity of a new Botnet Trojan written in Go. Because many of its built-in DDoS attack methods are HTTP-based, Fuying Lab named it HTTPBot. The HTTPBot Botnet family first came into our monitoring scope in August 2024. Over the past few months it has expanded aggressively, continuously leveraging infected devices to launch external attacks. Monitoring data indicates that its attack targets are primarily concentrated in the gaming industry in Asia; some technology companies and educational institutions have also been affected. This Botnet family's attacks are highly targeted: attackers employ a periodic, multi-stage strategy to conduct continuous saturation attacks on selected targets.

In terms of technical implementation, the HTTPBot Botnet Trojan uses an “attack ID” to precisely initiate and terminate the attack process. It also incorporates a variety of innovative DDoS attack methods. By employing highly simulated HTTP Flood attacks and dynamic feature obfuscation techniques, it circumvents traditional rule-based detection mechanisms, including but not limited to the following detection bypass mechanisms:

  • Cookie replenishment mechanism
  • Randomized User-Agent and headers in HTTP requests
  • Real browser invocation
  • Randomized URL paths
  • Dynamic rate control
  • Status code retry mechanism

In recent years, most emerging Botnet families have primarily focused on developing communication methods and network control. This includes creating specialized communication tools, separating vulnerabilities from Trojans to protect key information, and enhancing communication anonymity through techniques like DGA (Domain Generation Algorithm), DoH (DNS over HTTPS), and OpenNIC. These Botnets typically emphasize traffic-based attacks aimed at bandwidth consumption. HTTPBot has taken a different approach, developing a range of HTTP-based attack methods to conduct transactional (business) DDoS attacks. Attackers can use these methods to precisely target high-value business interfaces and launch saturation attacks on critical interfaces such as game login and payment systems. Attacks of such “scalpel-like” precision pose a systemic threat to industries that rely on real-time interaction. HTTPBot marks a paradigm shift in DDoS attacks, moving from “indiscriminate traffic suppression” to “high-precision business strangulation.” This evolution forces defense systems to upgrade from simple “rule-based interception” to a more dynamic approach combining “behavioral analysis and resource elasticity.”

Attack Monitoring

According to the monitoring data of NSFOCUS Fuying Lab’s global threat hunting system, HTTPBot has issued more than 200 attack instructions since early April 2025. The attack activities are distributed throughout the entire 24-hour period. The trend of attack activities over the past half-month is as follows:

The HTTPBot family has 7 built-in DDoS attack methods, all of which are HTTP-based. The methods observed in its attack actions are mainly http_fp, http_auto and http (these three names are the attacker's own).

These attacks covered more than 80 independent targets, mainly in the gaming industry in Asia, but also technology companies, educational institutions and tourist attractions. Attackers usually launch multiple rounds of attacks on the same target in different time periods, indicating clear target selection.

Trojan File Analysis

Hide Window

After execution, the malware conceals its graphical user interface (GUI) to evade process monitoring by both users and security tools, thereby significantly enhancing the stealthiness of the attack.

Self-starting

The Trojan achieves automatic execution on startup by writing its path to the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.

Control command

During its online check-in, HTTPBot sends the string “ok” to the server and then waits for the server to issue an attack command; the verification process is minimal. After check-in, the bot waits for control commands from the server. Each instruction issued by the server carries an “attack ID”, which gives attackers precise control over attack processes: for example, an ongoing attack can be stopped by combining the “stop” command with its specific attack ID.

The Trojan has 7 built-in DDoS attack methods, and its control protocol carries the attack method, attack ID, attack target, number of threads, attack duration and other parameters, some of them Base64-encoded. A command delivered by the attacker usually contains the following key fields:

  • Attack method (for example, HTTP_FP denotes an HTTP flood)
  • Attack ID: each instruction carries an “attack ID”, such as “d5713a6c-7da2-4a94-9b0f-bec05d2a6b0f”
  • Target URL, which may contain a dynamic path built from a random string in order to bypass static URL detection
  • Request method (such as GET)
  • Base64-encoded HTTP request headers (such as User-Agent)
  • Attack duration

Attack capability

All 7 built-in DDoS attack methods of HTTPBot are HTTP-based, and some of them have environmental restrictions. For example, the BrowserAttack and CookieAttack methods are only triggered when the Windows version is greater than 8.

HTTPBot's built-in DDoS attack methods are highly original. They attempt to bypass anti-DDoS protection by randomizing features and closely simulating real-person operations, which shows a high level of technical accumulation on the attackers' part.

Common Ways to Defend Against HTTP Flood Attacks

HTTP flood attacks involve a large number of bots sending a high volume of HTTP requests to the target server. These requests often target URIs (Uniform Resource Identifiers) that involve database operations or other resource-intensive processes. Since HTTP flood attacks are launched at the HTTP layer and closely simulate normal user behavior, they are closely tied to the website's business logic. The most common defense strategies are as follows:

Based on fixed features: Anti-DDoS devices identify abnormal traffic based on fixed features such as the URI and UserAgent of the request traffic. For example, if the access volume for a specific URI exceeds a certain threshold within a given time frame, the Anti-DDoS device will initiate behavior monitoring for the source IP address. If the proportion of this source IP’s requests for a specific URI exceeds the threshold relative to the total number of requests, the source IP will be identified as an attack source and added to the dynamic blacklist.
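The two-stage rule above (per-URI threshold, then per-source proportion) as an added example in Python; this is not NSFOCUS code. It goes slightly beyond the paragraph by collapsing randomized path segments to one key first, since HTTPBot's `%%RAND%%`-style paths would otherwise spread one endpoint's requests over many distinct URIs; the random-segment heuristic and the Common Log Format input are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) ')
RAND_SEG = re.compile(r'^(?=.*\d)[A-Za-z0-9]{8,}$')  # assumed heuristic for random path segments

def normalize(uri):
    """Drop the query string and collapse randomized path segments to one key."""
    path = uri.split("?", 1)[0]
    return "/".join("{rand}" if RAND_SEG.match(seg) else seg for seg in path.split("/"))

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, uri = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), normalize(uri)

def detect(lines, window_s=60, uri_threshold=5, ratio_threshold=0.8):
    """Stage 1: flag URIs whose request count in the last window_s seconds exceeds uri_threshold.
    Stage 2: a source IP whose share of requests to a flagged URI reaches ratio_threshold is blacklisted."""
    events = [e for e in map(parse, lines) if e]
    if not events:
        return set()
    end = max(when for _, when, _ in events)
    recent = [e for e in events if (end - e[1]).total_seconds() <= window_s]
    hot = {u for u, n in Counter(u for _, _, u in recent).items() if n > uri_threshold}
    per_ip = defaultdict(Counter)
    for ip, _, uri in recent:
        per_ip[ip][uri] += 1
    return {ip for ip, uris in per_ip.items()
            if any(uris[u] / sum(uris.values()) >= ratio_threshold for u in hot)}

def log_line(ip, sec, path):
    """Build one constructed Common Log Format line (sample data, not real traffic)."""
    return f'{ip} - - [12/May/2025:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: 203.0.113.7 hammers one endpoint behind randomized path segments; 198.51.100.4 browses normally.
SAMPLE_LOG = [log_line(ip, sec, path) for ip, sec, path in [
    ("203.0.113.7", 1, "/api/k3j9xq2z8p/submit"),
    ("203.0.113.7", 2, "/api/a8b7c6d5e4/submit"),
    ("203.0.113.7", 3, "/api/q9w8e7r6t5/submit"),
    ("203.0.113.7", 4, "/api/m2n3b4v5c6/submit"),
    ("203.0.113.7", 5, "/api/z0x9c8v7b6/submit"),
    ("198.51.100.4", 3, "/api/p0o9i8u7y6/submit"),
    ("198.51.100.4", 4, "/index.html"),
    ("198.51.100.4", 5, "/static/app.css"),
]]
```

Tune `uri_threshold` and `ratio_threshold` to the site's normal traffic; a low-and-slow bot that spreads requests over many URIs will stay under the proportion check, which is why the page pairs this rule with redirection and cookie checks.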

Based on the redirection mechanism: The Botnet tool does not implement a complete HTTP protocol stack, so it does not follow automatic redirection and cannot pass authentication, whereas a browser follows redirects automatically and can be authenticated.

Based on the cookie mechanism: When defending against HTTP POST Flood attacks, Anti-DDoS devices respond to clients on behalf of the server. They reply with a redirect status code (for POST requests) and set a Cookie in the client's browser. When the client makes another request, the Cookie is included in the HTTP header, and the Anti-DDoS device verifies the authenticity of the Cookie to authenticate the client.
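An added example (not NSFOCUS code) of the proxy-side half of that mechanism in Python: the device answers the first POST with a 307 redirect and a Set-Cookie whose value is an HMAC-signed token, and later accepts a request only if the cookie's signature, expiry and issuing source IP all check out; the cookie name `ddos_chk`, the token layout and the placeholder secret are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

SECRET = b"replace-with-a-per-deployment-secret"  # assumed placeholder key

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_challenge(client_ip, location, now=None, ttl=300):
    """Reply to a client's first POST on the server's behalf: a 307 redirect back
    to the same URL plus a Set-Cookie bound to the source IP and an expiry time."""
    now = int(now if now is not None else time.time())
    payload = f"{client_ip}|{now + ttl}|{os.urandom(8).hex()}".encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _sign(payload)
    return {"Status": 307, "Location": location,
            "Set-Cookie": f"ddos_chk={token}; Path=/; HttpOnly; SameSite=Lax"}

def verify_cookie(cookie_header, client_ip, now=None):
    """True only if the ddos_chk cookie is intact, unexpired and was issued to this IP."""
    now = int(now if now is not None else time.time())
    cookies = dict(kv.strip().split("=", 1) for kv in cookie_header.split(";") if "=" in kv)
    b64, _, sig = cookies.get("ddos_chk", "").rpartition(".")
    if not b64 or not sig:
        return False
    try:
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):  # constant-time MAC check
        return False
    ip, exp, _nonce = payload.decode(errors="replace").split("|", 2)
    return ip == client_ip and int(exp) > now
```

Because HTTPBot's HttpAutoAttack and PostAttack re-send whatever Set-Cookie they receive, binding the token to the issuing source IP and a short lifetime keeps a harvested cookie from being shared across bots, but the check remains one layer alongside rate and behavior analysis rather than a complete defense.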

Based on verification code: Some Botnet tools implement redirection, or the free proxies used during the attack support redirection, which renders the basic defense mechanisms above ineffective. Such failures can be avoided with verification codes: by asking the user to enter a verification code, it is possible to determine whether the HTTP access is initiated by a real user rather than a Botnet tool. Because Botnet attacks rely on tools implanted on PCs that cannot automatically answer randomly changing verification codes, this effectively defends against such attacks.

HttpAttack

HTTPBot's built-in attack method HttpAttack dynamically selects between TCP and TLS: depending on the target configuration, it opens either a plaintext TCP connection or an encrypted TLS connection.

In addition, this attack method also has the following characteristics:

  • Retry mechanism: If the connection fails, it sleeps for 100ms and tries again, avoiding frequent triggering of firewall rules
  • Randomization of UserAgent and headers: The User-Agent, Referer and many other headers are randomized. For example, the User-Agent is chosen at random from a predefined list and a randomization strategy is then applied
  • Dynamic rate control: After each attack round, the Trojan sleeps for a certain period, dynamically adjusting the attack frequency

BrowserAttack

During the attack, BrowserAttack starts a browser process that tries to imitate a user's real operation. It is worth noting that its preset browser process path is `C:\Windows\Temp\chrome-win\pp.exe`, which is not Chrome's default installation path. Given that attackers have not launched this attack method in the monitoring data for nearly half a month, it is speculated that it is still in the testing stage.

It has the following characteristics:

  • Real browser invocation: By starting a legitimate browser process (`C:\Windows\Temp\chrome-win\pp.exe`), requests are initiated by the browser engine, so the traffic characteristics are the same as those of real users
  • Hidden window mode: The browser window is hidden to avoid triggering desktop environment alarms
  • Automation control: Remote control is achieved by communicating with browser subprocesses
  • Dynamic adjustment: Static feature detection is avoided by dynamically constructing the various parameters

HttpAutoAttack

Compared with HttpAttack, HttpAutoAttack introduces an automated Cookie handling process that allows a more accurate simulation of legitimate sessions. Specifically, it parses the Set-Cookie header in the response, extracts the guardret parameter, and constructs a new Cookie that is included in subsequent requests. The guardret parameter is a session identifier returned by the server through the Set-Cookie header and is usually used to verify the legitimacy of client requests. By parsing the guardret value from the response and re-injecting it into subsequent requests, HTTPBot simulates the behavior of a legitimate user's session and avoids triggering protective rules that would be activated by missing or fixed Cookie values.

In addition, it has the following characteristics:

  • Status code retry mechanism: If the response status code is `429` (Too Many Requests) or `405` (Method Not Allowed), it triggers a sleep (`time_Sleep`, 705ms) to bypass the server-side rate limit policy
  • HTTP/HTTPS dynamic support: Plaintext HTTP or encrypted HTTPS is selected automatically according to the protocol of the target URL
  • Randomized UA and headers: The UA is selected at random from a predefined list and fake Referer headers are constructed dynamically

HttpFpDlAttack

The attack method HttpFpDlAttack adopts a resource consumption maximization strategy. It sets the TCP Keep-Alive time to 30 minutes so that the operating system does not disconnect the connection even when no data is transmitted, and it forces the use of HTTP/2, whose multiplexing allows multiple large files to be transmitted in parallel on a single connection while complete reception of every response is enforced. When the `isSaveResponse` option is set to 1, HTTPBot fully receives and saves the response body returned by the server even though the attack makes no use of the content. This forces the server to generate and transmit the entire response (such as large files or dynamic pages), significantly increasing its bandwidth and CPU load.

It also has the following characteristics:

  • Automatic redirection and request retry mechanism: A maximum of 5 redirections is followed. Retries are triggered for the `429` (Too Many Requests) and `405` (Method Not Allowed) status codes, with a 705ms delay added to simulate manual operation.
  • Multi-protocol support: Dynamic handling of HTTP/HTTPS and automatic management of TLS handshakes.
  • Path and data randomization: Placeholders in URLs are replaced dynamically and random request bodies are generated.
  • Randomized UA: Browser fingerprints are selected dynamically, or a UA is chosen at random from a predefined list.
  • Automatic cookie management: Set-Cookie values (such as `guardret`) are parsed from responses, valid Cookies are constructed, and they are injected into subsequent requests.
  • Non-standard cipher suites are used and certificate verification is skipped.
  • Request intervals are randomized so that a fixed frequency does not trigger rate limits.
  • The `guardret` cookie parameter is generated dynamically to bypass interception based on a static Session ID.

WebSocketAttack

The attack method WebSocketAttack supports dynamic switching between ws and wss: it parses the target URL and supports both the `ws://` and `wss://` protocols. After the WebSocket connection is established, messages are sent in a loop, and the number of messages per connection is controlled to reduce handshake overhead.

In addition, it has the following characteristics:

  • UA randomization and header obfuscation: The UA is selected at random, header key-value pairs are generated dynamically, and the order of headers is shuffled.
  • Random payloads: Random content is used as the message body, with dynamic placeholder replacement to generate random or specific attack payloads.
  • Simulated handshake request: During the WebSocket handshake phase, the request is disguised as a normal HTTP request by including legitimate headers such as `Upgrade: websocket` and `Connection: Upgrade`.
  • Message interval control: By dynamically controlling the intervals between message transmissions, it simulates the rhythm of human operation (e.g., sending 1 to 5 messages per second) to evade frequency-based detection.

PostAttack

PostAttack forces the use of HTTP POST method.

It has the following characteristics:

  • Dynamic Content-Type management: The Content-Type (such as `application/json` or `multipart/form-data`) is set dynamically to match the target interface specification.
  • Cookie replenishment mechanism: The `Set-Cookie` header in the response is parsed and the session is managed automatically.
  • Deep UA masquerading and randomized header order: A UA is selected at random from a predefined pool and rotated dynamically to simulate multiple browser versions. The header mappings are iterated and their injection order shuffled (e.g. Header-Order: Host, User-Agent, Accept) to bypass detection rules that rely on a fixed header order.

CookieAttack

The attack method CookieAttack adds a cookie processing flow on top of BrowserAttack: it manages cookies automatically, parses the `Set-Cookie` header in the response, stores it in variables, and has subsequent requests automatically carry valid cookies.

This attack method has the following characteristics:

  • Browser invocation: The Chrome process (`C:\Windows\Temp\chrome-win\pp.exe`) is launched with a hidden window and requests are initiated through the browser engine, so the traffic characteristics are the same as those of real users.
  • Attack parameters (such as the URL and rate parameters) are issued dynamically.
  • Smart placeholder replacement: Tags such as `%%RAND%%` in the URL are replaced dynamically to generate random paths (such as `/api/%%RAND%%/submit`).
  • Adaptive retry mechanism: For `429` (Too Many Requests) and `405` (Method Not Allowed), a 705ms sleep is triggered to simulate human behavior.

Summary

DDoS Botnet families tend to congregate on Linux and IoT platforms. The HTTPBot Botnet family, however, has specifically targeted the Windows platform, and in just a few months it has emerged as a significant threat on that platform that cannot be ignored. By deeply simulating protocol layers and mimicking legitimate browser behavior, HTTPBot bypasses defenses that rely on protocol integrity. Rather than relying on sheer traffic volume, it continuously occupies server session resources through randomized URL paths and cookie replenishment mechanisms. Additionally, HTTPBot dynamically adjusts its attack tempo based on the target's response, evading detection mechanisms that rely on request rate thresholds. This approach enables “low-traffic, high-impact” attacks. As a result, existing defense systems that rely on rule-based matching are at risk of widespread failure in the face of such sophisticated tactics.