Post

HTTPBot: The Emerging Botnet Targeting Gaming and Tech Industries

Posted
By Tom Grant
3 min read
HTTPBot: The Emerging Botnet Targeting Gaming and Tech Industries

TL;DR

A new botnet, HTTPBot, has emerged, targeting China’s gaming, tech, and education sectors with precision attacks. Since its detection in August 2024, it has employed advanced DDoS tactics, including HTTP Floods and obfuscation, to bypass traditional detection methods.

Main Content

HTTPBot

Cybersecurity researchers at NSFOCUS have identified a new botnet, HTTPBot, which is specifically targeting the gaming industry, technology firms, and educational institutions in China. This botnet, first detected in August 2024, has seen a surge in activity by April 2025, employing a periodic, multi-stage strategy to launch continuous and highly targeted assaults on specific victims1.

Precision Attacks and Advanced Tactics

HTTPBot uses an “attack ID” for precise control and employs advanced DDoS tactics such as HTTP Floods and obfuscation to bypass traditional detection methods. This approach allows attackers to target high-value business interfaces, such as game login and payment systems, with “scalpel-like” precision, posing a systemic threat to industries that rely on real-time interaction2.

Since early April 2025, the botnet has issued over 200 attack commands, with activity spread across all hours of the day. The botnet supports 7 built-in DDoS attack methods, all of which are HTTP types. The primary attack methods include http_fp, http_auto, and HTTP.

“HTTPBot marks a paradigm shift in DDoS attacks, moving from ‘indiscriminate traffic suppression’ to ‘high-precision business strangulation’.”

Targeted Industries and Attack Methods

The attacks have covered more than 80 independent targets, primarily in the domestic gaming industry, but also including technology companies, educational institutions, and tourist attractions. Attackers usually launch multiple rounds of attacks on the same target during different time periods, with clear objectives3.

The malware hides its GUI to evade detection and ensures persistence by adding itself to the Windows startup registry. The bot communicates with its server via a streamlined process using an “attack ID” for precise control. It supports 7 HTTP-based DDoS methods, configurable with parameters like target, duration, and method. Here are the detailed attack methods:

  • BrowserAttack: Launches hidden Chrome instances to simulate real user behavior and deplete server resources.
  • HttpAutoAttack: Utilizes cookies to mimic legitimate session behavior with high accuracy.
  • HttpFpDlAttack: Leverages the HTTP/2 protocol to overload server CPUs by triggering large response payloads.
  • WebSocketAttack: Establishes connections using “ws://” and “wss://” protocols to exploit WebSocket communication.
  • PostAttack: Conducts attacks by forcing the use of HTTP POST requests.
  • CookieAttack: Enhances BrowserAttack with advanced cookie handling to further imitate authentic web interactions.

Evasion Techniques

The malware bypasses detection using Base64 encoding, dynamic URLs, and simulates human behavior. Some attacks require Windows versions greater than 8, showcasing advanced evasion and control techniques.

“DDoS Botnet families tend to congregate on Linux and IoT platforms. However, the HTTPBot Botnet family has specifically targeted the Windows platform. In just a few months, it has emerged as a significant threat that cannot be ignored on the Windows platform.”

Conclusion

The emergence of HTTPBot represents a significant shift in DDoS attack strategies, focusing on high-precision business strangulation rather than indiscriminate traffic suppression. As this botnet continues to evolve, it is crucial for industries to enhance their cybersecurity measures to mitigate such targeted threats.

Follow me on Twitter, Facebook, and Mastodon.

Pierluigi Paganini (LinkedIn)

For more details, visit the full article: source

References

  1. NSFOCUS (2025). “High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding”. NSFOCUS Global. Retrieved 2025-05-16. ↩︎

  2. NSFOCUS (2025). “High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding”. NSFOCUS Global. Retrieved 2025-05-16. ↩︎

  3. NSFOCUS (2025). “High Risk Warning for Windows Ecosystem: New Botnet Family HTTPBot is Expanding”. NSFOCUS Global. Retrieved 2025-05-16. ↩︎

Cybersecurity & Data Protection, Malware
cybersecurity botnet ddos
This post is licensed under CC BY 4.0 by the author.