Emergence of HTTPBot Botnet Initiates Over 200 Targeted DDoS Assaults on Gaming and Technology Industries
Cybersecurity researchers have recently identified a new botnet malware named HTTPBot, which is primarily targeting the gaming industry, as well as technology firms and educational institutions in China. This malware has gained attention due to its aggressive expansion and the sophisticated techniques it employs to execute external attacks.
According to a report by NSFOCUS, HTTPBot has been leveraging infected devices for a variety of malicious purposes, utilizing advanced HTTP flood attacks and obfuscation strategies that make it difficult for traditional detection systems to identify. The malware, which emerged in August 2024, operates by exploiting HTTP protocols to conduct distributed denial-of-service (DDoS) attacks. Uniquely, it is coded in Golang, a language not commonly associated with such attacks on Windows systems.
This Windows-based botnet Trojan is particularly noteworthy for its capacity to conduct highly targeted strikes on critical business systems, including gaming login and payment interfaces. NSFOCUS has described these precision attacks as a systemic risk to sectors reliant on real-time interactions, emphasizing that HTTPBot represents a significant shift in DDoS strategies—transitioning from indiscriminate traffic disruption to targeted business sabotage.
Since April 2025, HTTPBot has reportedly issued over 200 attack commands, mainly aimed at the gaming sector, tech companies, educational institutions, and tourism websites across China.
Once installed, HTTPBot conceals its graphical user interface (GUI) to avoid detection by users and security tools. It manipulates the Windows Registry without authorization to ensure it launches automatically upon system start. Following installation, the malware connects to a command-and-control (C2) server, waiting for further instructions to conduct HTTP flood attacks against selected targets through a high volume of HTTP requests.
HTTPBot includes several attack modules, each implementing a different HTTP-layer attack technique:
– BrowserAttack: Utilizes hidden Google Chrome instances to mimic legitimate user traffic, thereby depleting server resources.
– HttpAutoAttack: Employs a cookie-based simulation to replicate legitimate session behavior.
– HttpFpDlAttack: Utilizes the HTTP/2 protocol to burden servers by generating large response payloads.
– WebSocketAttack: Establishes connections using “ws://” and “wss://” protocols to mount attacks.
– PostAttack: Carries out the attack using HTTP POST requests.
– CookieAttack: Enhances the BrowserAttack method with cookie management.
While DDoS botnets frequently target Linux and Internet of Things (IoT) platforms, HTTPBot is a notable case that has specifically focused on Windows environments. Its advanced simulation of protocol layers and imitation of legitimate browser actions allow it to evade defenses that rely on protocol integrity. By replenishing cookies and randomizing URL paths, HTTPBot keeps server resources continuously occupied without depending solely on high traffic volumes.
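Because this traffic is not necessarily high in volume, a rate threshold alone can miss it. The following is an added example, not code from the NSFOCUS report: a heuristic that profiles each client by how often its URL paths and session cookies repeat. The log format, the thresholds, and the use of cookie turnover as a signal for replenished cookies are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample lines (not from the report): "client_ip path session_cookie".
SAMPLE_LOG = """\
198.51.100.20 /login sid=u1
198.51.100.20 /static/app.js sid=u1
198.51.100.20 /static/app.js sid=u1
198.51.100.20 /login sid=u1
198.51.100.20 /pay/status sid=u1
198.51.100.20 /pay/status sid=u1
203.0.113.7 /login/x9f2a sid=a1
203.0.113.7 /login/k27qd sid=a2
203.0.113.7 /login/p0z1m sid=a3
203.0.113.7 /pay/7hq2c sid=a4
203.0.113.7 /pay/m4v8t sid=a5
203.0.113.7 /login/zz31b sid=a6
"""

def profile_clients(log_text):
    """Return {ip: (requests, distinct_paths, distinct_cookies)}."""
    reqs = defaultdict(int)
    paths = defaultdict(set)
    cookies = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing
        ip, path, cookie = parts
        reqs[ip] += 1
        paths[ip].add(path)
        cookies[ip].add(cookie)
    return {ip: (reqs[ip], len(paths[ip]), len(cookies[ip])) for ip in reqs}

def flag_suspects(log_text, min_requests=5, path_ratio=0.9, cookie_ratio=0.5):
    """Flag clients whose paths almost never repeat and whose cookies keep changing.

    Thresholds are illustrative assumptions; tune them against baseline traffic.
    """
    suspects = []
    for ip, (n, n_paths, n_cookies) in profile_clients(log_text).items():
        if n < min_requests:
            continue  # too few requests to judge
        if n_paths / n >= path_ratio and n_cookies / n >= cookie_ratio:
            suspects.append(ip)
    return sorted(suspects)

if __name__ == "__main__":
    print(flag_suspects(SAMPLE_LOG))
```

In the constructed sample, the ordinary client repeats a few paths under one session cookie, while the flagged client never repeats a path and presents a new cookie on every request.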
The growing sophistication of HTTPBot underscores the need for enhanced cybersecurity measures, particularly within vulnerable sectors such as gaming and education. Protecting against such targeted attacks requires a comprehensive understanding of attack methodologies and the implementation of robust defenses that can adapt to evolving threats.