Massive Scraper Botnet of 3,600+ Devices Targets US and UK Websites
GreyNoise has identified a previously untracked variant of a scraper botnet comprising more than 3,600 distinct IP addresses worldwide, a significant cybersecurity development.
This botnet, first observed on April 19, 2025, exhibits a distinct behavioral footprint that makes it stand out, even as it employs a simplistic and easily spoofable user-agent string, “Hello-World/1.0.”
Unlike traditional detection methods that rely on superficial identifiers, GreyNoise analysts have leveraged the advanced JA4+ suite of signatures to create a meta-signature based on the botnet’s network behavior.
This includes the JA4H fingerprint, which captures the structure and ordering of HTTP headers, and the JA4T fingerprint, which encodes the nuances of TCP connection establishment.
Untracked Botnet Variant
Together, these behavioral markers form a globally unique identifier for this botnet variant, rendering evasion or spoofing exceedingly difficult.
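To make the point about header structure concrete, here is an added illustration (not GreyNoise's or FoxIO's code) that builds a JA4H-style fingerprint modelled on the published JA4H layout: a section of method, HTTP version, cookie/referer flags, header count and primary Accept-Language, followed by truncated SHA-256 hashes of the header name order and of any cookies. The exact normalization rules and the constructed sample requests are assumptions; the point shown is that swapping the "Hello-World/1.0" user-agent value for another leaves the fingerprint untouched, while changing the header order does not.

```python
import hashlib
from typing import List, Tuple

Headers = List[Tuple[str, str]]

def _h12(s: str) -> str:
    """First 12 hex chars of SHA-256, the truncation JA4+ uses for hashed sections."""
    return hashlib.sha256(s.encode()).hexdigest()[:12]

def ja4h(method: str, version: str, headers: Headers) -> str:
    """JA4H-style fingerprint: a_b_c_d (layout assumed from the public JA4H description).
    a: method[:2], version, cookie flag, referer flag, header count, Accept-Language[:4]
    b: hash of header names in wire order (Cookie and Referer excluded)
    c: hash of sorted cookie names; d: hash of sorted cookie name=value pairs
    Header *values* other than Accept-Language and Cookie never enter the hash,
    which is why a spoofed User-Agent string does not change the result."""
    names = [n for n, _ in headers if n.lower() not in ("cookie", "referer")]
    has_cookie = any(n.lower() == "cookie" for n, _ in headers)
    has_referer = any(n.lower() == "referer" for n, _ in headers)
    lang = "0000"
    cookies: List[str] = []
    for n, v in headers:
        if n.lower() == "accept-language":
            lang = (v.split(",")[0].split(";")[0].replace("-", "").lower() + "0000")[:4]
        elif n.lower() == "cookie":
            cookies += [c.strip() for c in v.split(";") if c.strip()]
    a = (f"{method[:2].lower()}{version}{'c' if has_cookie else 'n'}"
         f"{'r' if has_referer else 'n'}{min(len(names), 99):02d}{lang}")
    b = _h12(",".join(names))
    c = _h12(",".join(sorted(k.split('=', 1)[0] for k in cookies))) if cookies else "0" * 12
    d = _h12(",".join(sorted(cookies))) if cookies else "0" * 12
    return f"{a}_{b}_{c}_{d}"

# Constructed sample request headers (not captured botnet traffic).
BASE: Headers = [("Host", "example.test"), ("User-Agent", "Hello-World/1.0"),
                 ("Accept", "*/*"), ("Connection", "keep-alive")]
SPOOFED_UA: Headers = [(n, "Mozilla/5.0 (X11; Linux x86_64)" if n == "User-Agent" else v)
                       for n, v in BASE]
REORDERED: Headers = [BASE[0], BASE[2], BASE[1], BASE[3]]  # Accept before User-Agent

def compare() -> dict:
    """Show which changes a behavior-based fingerprint does and does not survive."""
    fp = ja4h("GET", "11", BASE)
    return {"base": fp,
            "same_after_ua_spoof": fp == ja4h("GET", "11", SPOOFED_UA),
            "changed_after_reorder": fp != ja4h("GET", "11", REORDERED)}

if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```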
The botnet’s traffic pattern reveals a methodical approach, with repeated GET requests distributed evenly across ports 80 to 85, targeting systems predominantly located in the United States and the United Kingdom.
Geographic analysis of the botnet’s infrastructure paints a concerning picture, with a striking concentration in Taiwan, where 1,934 IPs accounting for 54% of the total originate.
Other notable clusters include Japan with 315 IPs (9%), Bulgaria with 265 IPs (7%), and France with 111 IPs (3%).
The overwhelming presence of Taiwanese IP addresses suggests potential systemic issues, such as the widespread compromise of a common technology or service in the region, or a localized exposure to a shared vulnerability driving this clustering.
Heavy Concentration in Taiwan
Of the total IPs detected, GreyNoise classifies 1,359 (38%) as malicious and 122 (3%) as suspicious, while the majority, 2,114 (59%), show no association with other known malicious activity.
Intriguingly, only one IP was identified as benign, underscoring the predominantly harmful nature of this network.
The botnet’s global reach and its trivially spoofable user-agent challenge conventional security measures that rely on superficial identifiers, allowing it to persist under scrutiny unless it is tracked by its behavior-driven signature. The implications of this discovery are profound for cybersecurity defenders.
GreyNoise recommends immediate action, urging organizations to block all identified IPs associated with this botnet to curb automated scraping activities that could compromise data integrity or system performance.
Beyond reactive measures, defenders are advised to proactively monitor internal traffic for any communication to or from these IPs, which could indicate deeper infiltration or compromised devices within their networks.
Additionally, tracking similar JA4+ signatures may uncover related variants or broader campaigns, providing a strategic edge against evolving threats.
GreyNoise users can access detailed insights through the Visualizer tool or API to stay ahead of this botnet’s activities.
As scraper botnets grow in complexity, blending simplistic facades with intricate behavioral patterns, the reliance on advanced fingerprinting techniques like JA4+ becomes indispensable.
This discovery not only highlights the persistent ingenuity of cybercriminals but also underscores the critical need for behavior-based detection in safeguarding digital ecosystems, particularly for high-value targets in the US and UK.
With over half of the botnet’s infrastructure tied to Taiwanese networks, international collaboration and vigilance will be key to dismantling this threat and preventing further exploitation of regional vulnerabilities.