New HTTPBot Botnet Expanding Aggressively to Attack Windows Machines
A new botnet family named HTTPBot has emerged as a critical threat to the Windows ecosystem, leveraging sophisticated HTTP-based distributed denial-of-service (DDoS) attacks to disrupt high-value targets.
First observed in August 2024, HTTPBot’s activity surged in April 2025, with attacks primarily targeting the gaming industry, technology firms, and educational institutions.
Developed in GoLang, this malware employs a modular design to bypass traditional security measures, using randomized HTTP headers, dynamic URL paths, and cookie manipulation to evade detection.
Its “scalpel-like” precision in targeting business-critical interfaces, such as payment gateways and login systems, marks a shift from brute-force traffic floods to strategic resource exhaustion.
According to NSFOCUS Fuying Lab researchers, HTTPBot operates through a multistage attack strategy, using unique “attack IDs” to orchestrate and terminate campaigns programmatically.
Unlike conventional botnets that focus on overwhelming bandwidth, HTTPBot aims to cripple transactional systems by exploiting application-layer vulnerabilities.
For example, it dynamically switches between HTTP and HTTPS protocols, adjusts request rates based on server responses, and even launches browser-based attacks using headless Chrome instances. These tactics allow it to mimic legitimate traffic while exhausting server resources.
NSFOCUS analysts noted that HTTPBot’s operators have adopted a “low-traffic, high-impact” approach, focusing on sectors reliant on real-time interaction.
Over 80 independent targets were impacted in a 15-day period, including gaming platforms like m.doyo.cn and 28jh.com, as well as educational portals such as Tongji Education.
The botnet’s ability to bypass rule-based defenses has raised alarms, prompting calls for upgraded mitigation strategies combining behavioral analysis and elastic infrastructure scaling.
Infection Mechanism and Persistence Tactics
HTTPBot ensures long-term persistence on infected Windows systems through a combination of stealthy execution and registry manipulation.
After initial compromise, often via phishing or exploited vulnerabilities, the malware hides its graphical interface to evade process monitoring.
Code analysis reveals a dedicated function to suppress window visibility (decompiler pseudocode of the Go binary, with the return values assigned so the control flow reads correctly):
    v0 = main_getConsoleWindow();                                   // handle of the process's console window, if any
    if (v0) {
        WindowThreadProcessId = main_getWindowThreadProcessId(v0);  // PID of the process owning that window
        v1 = golang_org_x_sys_windows_GetCurrentProcessId();
        if (v1 == WindowThreadProcessId)
            main_showWindow(v0, 0);                                 // nCmdShow 0 (SW_HIDE): hides the window
    }
To survive reboots, HTTPBot writes its executable path to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
This autorun mechanism ensures execution at startup, even if the initial infection vector is removed. The malware uses GoLang’s syscall package to interact with the Windows Registry:
    // RegCreateKeyEx(root-key handle, subkey path, ..., desired access); 983103 = 0xF003F = KEY_ALL_ACCESS
    Key = main_regCreateKeyEx(-2147483647, off_E38DB0, dword_E38DB4, 0, 0, 983103);
    v14 = path_filepath_Base(v13, v11);       // base name of the malware's own executable path (value name)
    v1 = syscall_StringToUTF16Ptr(v13, v11);  // path converted to UTF-16 for the Win32 registry call
NSFOCUS researchers highlighted that this persistence method is paired with environmental checks. For instance, certain attack modules (e.g., BrowserAttack) activate only on Windows 8+ systems, indicating a tailored approach to maximize impact while minimizing detection.
The malware also embeds retry mechanisms for failed connections, sleeping for 100 ms between attempts to avoid triggering firewall alerts.
Defending against HTTPBot requires moving beyond signature-based detection. NSFOCUS recommends implementing adaptive security measures such as:
- Behavioral analysis to identify abnormal session patterns.
- Dynamic cookie injection to distinguish bots from legitimate users.
- Rate limiting with AI-driven thresholds to counter randomized request intervals.
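As an added illustration of the behavioral-analysis recommendation (this is not code from the NSFOCUS report or from the botnet), the following Python detector runs over constructed web-server access-log lines and flags clients that concentrate requests on business-critical endpoints while rotating their User-Agent header, the pattern described above. The endpoint list, thresholds, IP addresses and log lines are assumptions; the input is assumed to cover a single short time window.

```python
import re
from collections import defaultdict

# Combined log format: ip, timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumed business-critical endpoints (login and payment interfaces).
CRITICAL = ("/api/login", "/api/payment", "/checkout")

def parse(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop randomized query strings
    return rec

def find_suspicious(lines, min_requests=20, min_agents=3):
    """Return {ip: {critical, agents}} for clients that hit critical endpoints at
    least min_requests times using at least min_agents distinct User-Agent strings
    within the supplied window (assumed to be one short time slice of the log)."""
    stats = defaultdict(lambda: {"critical": 0, "agents": set()})
    for line in lines:
        rec = parse(line)
        if rec is None or not rec["path"].startswith(CRITICAL):
            continue
        stats[rec["ip"]]["critical"] += 1
        stats[rec["ip"]]["agents"].add(rec["ua"])
    return {ip: {"critical": s["critical"], "agents": len(s["agents"])}
            for ip, s in stats.items()
            if s["critical"] >= min_requests and len(s["agents"]) >= min_agents}

AGENTS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
          "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
          "Mozilla/5.0 (Macintosh) Safari/605.1"]

def sample_log():
    """Constructed traffic: one client rotating User-Agents and query strings
    against /api/login, plus one ordinary user with a few login requests."""
    fmt = '{ip} - - [16/May/2025:10:00:{sec:02d} +0000] "POST {path} HTTP/1.1" 200 512 "-" "{ua}"'
    bot = [fmt.format(ip="203.0.113.7", sec=i % 60, path=f"/api/login?r={i}", ua=AGENTS[i % 3])
           for i in range(25)]
    user = [fmt.format(ip="198.51.100.5", sec=i, path="/api/login", ua=AGENTS[0])
            for i in range(3)]
    return bot + user

if __name__ == "__main__":
    print(find_suspicious(sample_log()))  # {'203.0.113.7': {'critical': 25, 'agents': 3}}
```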
The botnet’s evolution highlights the need for proactive threat hunting and infrastructure elasticity in critical sectors.
As HTTPBot continues to refine its tactics, organizations must prioritize layered defenses that address both protocol-layer subterfuge and application-layer deception.