Do Son 
Experts at the Chinese cybersecurity firm NSFOCUS have identified an active campaign involving a new botnet known as HTTPBot, which is targeting gaming platforms, technology firms, and educational institutions. Over recent months, the infected infrastructure has expanded rapidly, serving as a launchpad for highly targeted attacks. These operations are far from indiscriminate — on the contrary, they are executed with surgical precision against mission-critical business systems.
HTTPBot was first observed in the wild in August 2024. It stands out among contemporary malware for its exclusive focus on Windows, whereas most botnets to date have exploited vulnerabilities in Linux and IoT environments. Written in the Go programming language, HTTPBot utilizes HTTP-based protocols to execute distributed denial-of-service (DDoS) attacks, emphasizing the quality and authenticity of simulated user activity rather than overwhelming traffic volumes.
According to the NSFOCUS report, since April 2025, HTTPBot has issued no fewer than 200 unique attack commands. Its primary targets include login portals for online games, payment gateways, and business services. The list of victims also encompasses educational platforms and travel-related websites.
A hallmark of HTTPBot is its arsenal of modular DDoS attack techniques:
- BrowserAttack – Launches hidden instances of Google Chrome to simulate genuine user behavior.
- HttpAutoAttack – Leverages cookies to mimic authentic session data.
- HttpFpDlAttack – Utilizes HTTP/2 to coerce servers into generating resource-intensive responses.
- WebSocketAttack – Exploits connections over ws:// and wss:// protocols.
- PostAttack – Employs POST requests in place of GET, complicating detection and filtering.
- CookieAttack – An extension of BrowserAttack that includes dynamic cookie generation.
To enhance stealth, HTTPBot conceals its graphical interface, eliminating visible traces on the host system, and modifies Windows registry keys to ensure execution at startup. Once deployed, it connects to its command-and-control (C2) server and awaits instructions to initiate an attack.
What sets this malicious campaign apart is its strategic pivot from traditional DDoS tactics — which rely on brute force and high-volume data streams — toward precision strikes. HTTPBot doesn’t flood servers with traffic; instead, it strangles them by monopolizing session resources, deceiving protocol-level defenses, and mimicking legitimate browser behavior.
This evolution in technique poses a serious threat to industries whose operations hinge on fast and uninterrupted real-time interaction. Gaming companies are particularly vulnerable, as login delays or disruptions in payment systems can result in immediate financial losses and mass user attrition.
HTTPBot represents a new generation of digital sabotage tools — increasingly sophisticated, covert, and devastating — especially as businesses remain deeply dependent on online infrastructure.
Donate