New Scraper Botnet with 3,600+ Unique Devices Attacking Targets in US and UK
Cybersecurity researchers have uncovered a sophisticated scraper botnet comprising more than 3,600 unique devices that has been systematically targeting systems across the United States and United Kingdom since April 2025.
The malware campaign represents a significant escalation in automated web scraping attacks, leveraging a globally distributed infrastructure with a concerning concentration of compromised devices in Taiwan.
The botnet operates through a deceptively simple approach, employing the user-agent string “Hello-World/1.0” while executing repeated GET requests across ports 80-85 in an evenly distributed pattern.
Despite the seemingly basic user-agent identifier, the true complexity lies in the malware's behavioral fingerprint, which makes traditional signature-based detection inadequate for identifying the threat.
GreyNoise analysts identified this previously untracked variant through advanced network fingerprinting techniques, moving beyond conventional signature-based detection to analyze the actual behavior of infected devices.
The research team developed a sophisticated detection methodology using JA4+ signatures, creating a meta-signature that captures the botnet’s unique network behavior patterns.
The geographic distribution reveals a troubling concentration, with 1,934 IP addresses originating from Taiwanese networks, representing 54% of the total botnet infrastructure.
This clustering suggests either widespread compromise of a common technology deployed across Taiwan or exploitation of a shared vulnerability affecting local systems.
Advanced Detection Through Behavioral Analysis
The breakthrough in identifying this botnet came through implementing JA4+ signature analysis, which combines JA4H (HTTP fingerprint) and JA4T (TCP fingerprint) technologies.
The JA4H component captures how HTTP headers are ordered and formatted, while JA4T encodes the specific manner in which devices establish network connections.
This behavioral approach creates a detection signature that cannot be easily spoofed or evaded, as it relies on fundamental network behavior rather than easily manipulated identifiers.
User-Agent: Hello-World/1.0
Ports: 80-85 (distributed)
Method: GET requests
Pattern: Repeated, systematic targeting
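The indicators above (GET requests with the "Hello-World/1.0" user-agent spread across ports 80-85) can be hunted for in ordinary web-server logs. The following is an added example, not code from GreyNoise or the original report: it parses a constructed sample of access-log lines (the server port is assumed to be logged right after the client IP via a custom log format) and flags sources whose Hello-World/1.0 GETs touch at least `min_ports` distinct ports in that range, the threshold being an assumption for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). Format assumed here:
# client_ip server_port - [timestamp] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
203.0.113.7 80 - [01/May/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
203.0.113.7 81 - [01/May/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
203.0.113.7 82 - [01/May/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "Hello-World/1.0"
203.0.113.7 83 - [01/May/2025:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
203.0.113.7 84 - [01/May/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
203.0.113.7 85 - [01/May/2025:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
198.51.100.9 80 - [01/May/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Hello-World/1.0"
192.0.2.44 443 - [01/May/2025:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) \S+ \[[^\]]+\] "(?P<method>[A-Z]+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCRAPER_UA = "Hello-World/1.0"        # user-agent reported for the botnet
SCRAPER_PORTS = set(range(80, 86))    # ports 80-85 per the report

def parse_log(text):
    """Yield (ip, port, method, ua) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], int(m["port"]), m["method"], m["ua"]

def find_scraper_sources(text, min_ports=3):
    """Return {ip: sorted_ports} for sources whose Hello-World/1.0 GET requests
    hit at least `min_ports` distinct ports in the 80-85 range (threshold assumed)."""
    ports_by_ip = defaultdict(set)
    for ip, port, method, ua in parse_log(text):
        if ua == SCRAPER_UA and method == "GET" and port in SCRAPER_PORTS:
            ports_by_ip[ip].add(port)
    return {ip: sorted(p) for ip, p in ports_by_ip.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for ip, ports in find_scraper_sources(SAMPLE_LOG).items():
        print(f"{ip}: Hello-World/1.0 GETs spread across ports {ports}")
```

A single hit on one port from this user-agent is weak evidence on its own; the multi-port spread is what mirrors the distributed pattern the report describes, which is why the check keys on distinct ports per source.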
Among the identified IP addresses, 1,359 have been classified as malicious, with an additional 122 marked as suspicious, indicating the botnet’s active threat profile.