A stealthy new cyber threat is wreaking havoc on gaming, tech, and education sectors across China. Known as the HTTPBot botnet, this sophisticated malware has launched more than 200 highly targeted DDoS attacks since April 2025, primarily disrupting gaming logins, payment gateways, and other real-time services.
According to a new report from NSFOCUS, HTTPBot is no ordinary botnet. Unlike most botnet families that typically infect Linux and IoT devices, HTTPBot is written in Golang and specifically targets Windows-based systems, marking a rare but dangerous deviation from the norm.
What makes HTTPBot especially concerning is its surgical precision. Instead of flooding networks with indiscriminate traffic, it focuses on high-value business interfaces—a tactic NSFOCUS describes as moving from “traffic suppression” to “business strangulation.”
From Hidden Chrome Instances to Cookie-Based Floods
First discovered in the wild in August 2024, HTTPBot uses the HTTP protocol to orchestrate Distributed Denial-of-Service (DDoS) attacks. It employs advanced evasion techniques to fly under the radar of traditional rule-based detection systems, including GUI concealment and Windows Registry manipulation to ensure it launches on every system startup.
Once active, the malware links up with a command-and-control (C2) server, waiting for instructions to attack specific platforms. Its arsenal includes a range of attack modules engineered to mimic legitimate user behavior:
- BrowserAttack: Launches hidden Chrome sessions to mimic real traffic and overwhelm servers.
- HttpAutoAttack: Simulates authenticated sessions using cookies for greater legitimacy.
- HttpFpDlAttack: Leverages HTTP/2 and coerces servers into sending large responses, increasing CPU usage.
- WebSocketAttack: Uses ws:// and wss:// protocols to open WebSocket sessions and consume server threads.
- PostAttack: Utilizes HTTP POST methods to overload server endpoints.
- CookieAttack: Enhances the BrowserAttack by dynamically updating cookies to maintain session persistence.
These modules are not only protocol-deep, but also capable of simulating browser-level interactions, which allows the HTTPBot botnet to evade detection and sustain long-term disruptions. Its attacks are especially damaging for platforms that rely on real-time interactivity, such as online games, live-streaming services, and tourism portals.
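Because these modules mimic legitimate sessions rather than flooding bandwidth, a defender has to look at per-client behaviour in the web server's access logs rather than at raw byte counts. The script below is an added example, not code from NSFOCUS or from the report, that runs over a few constructed log lines and flags the three patterns the module list describes: bursts against login or payment endpoints, one client rotating through many cookies, and one client hoarding WebSocket sessions. The log format, the endpoint prefixes and the thresholds are assumptions for the example; adapt the parser and tune the numbers to your own logs and traffic.

```python
"""Detection sketch for application-layer DDoS patterns of the kind the NSFOCUS
HTTPBot report describes. Added example, not NSFOCUS or HTTPBot code: the log
format, endpoint list and thresholds below are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log format (constructed for this example):
#   <client_ip> <iso_timestamp> "<method> <path> <proto>" <status> <bytes> "<cookie|->" "<upgrade|->"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<cookie>[^"]*)" "(?P<upgrade>[^"]*)"$'
)

# Endpoint prefixes standing in for the login and payment interfaces the article names (assumed).
SENSITIVE_PREFIXES = ("/login", "/api/auth", "/pay", "/checkout")

# Thresholds chosen for the constructed sample, not tuned production values.
THRESHOLDS = {
    "sensitive_rps": 2.0,    # requests/second to sensitive endpoints from one client
    "distinct_cookies": 5,   # distinct Cookie headers seen from one client
    "ws_upgrades": 10,       # WebSocket upgrades (101 responses) from one client
}


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def analyze(lines, thresholds=THRESHOLDS):
    """Group records per client IP and return {ip: [(kind, detail), ...]} for clients
    whose behaviour matches one of the HTTPBot-style patterns. Clients with no
    finding are left out of the result."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Rate is measured over the span this client was active, never less than 1 s.
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        hits = []

        sensitive = [r for r in recs if r["path"].startswith(SENSITIVE_PREFIXES)]
        rps = len(sensitive) / span
        if rps > thresholds["sensitive_rps"]:
            hits.append(("sensitive-endpoint flood", f"{len(sensitive)} requests in {span:.0f}s ({rps:.1f}/s)"))

        cookies = {r["cookie"] for r in recs if r["cookie"] != "-"}
        if len(cookies) >= thresholds["distinct_cookies"]:
            hits.append(("cookie rotation", f"{len(cookies)} distinct cookies from one client"))

        ws = [r for r in recs if r["status"] == 101 and r["upgrade"].lower() == "websocket"]
        if len(ws) >= thresholds["ws_upgrades"]:
            hits.append(("websocket session hoarding", f"{len(ws)} upgrades in {span:.0f}s"))

        if hits:
            findings[ip] = hits
    return findings


def constructed_sample():
    """Constructed sample: one ordinary user and two clients behaving like the bot modules."""
    lines = []
    base = datetime(2025, 5, 1, 12, 0, 0)
    # Ordinary user: a few page views over 45 s with one stable session cookie.
    for i, path in enumerate(["/", "/news", "/login", "/account"]):
        t = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f'203.0.113.10 {t} "GET {path} HTTP/1.1" 200 5120 "sid=abc123" "-"')
    # Client A: 30 login POSTs in 10 s while cycling through 8 cookies (HttpAutoAttack/CookieAttack style).
    for i in range(30):
        t = (base + timedelta(seconds=i // 3)).isoformat()
        lines.append(f'198.51.100.7 {t} "POST /login HTTP/1.1" 401 312 "sid=rot{i % 8}" "-"')
    # Client B: 12 WebSocket sessions opened in 12 s and held (WebSocketAttack style).
    for i in range(12):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f'198.51.100.8 {t} "GET /ws HTTP/1.1" 101 0 "-" "websocket"')
    return lines


if __name__ == "__main__":
    for ip, hits in analyze(constructed_sample()).items():
        for kind, detail in hits:
            print(f"{ip}: {kind}: {detail}")
```

The point of measuring per-client rates, cookie churn and held upgrades rather than bytes is that each bot request on its own looks like an ordinary login attempt or socket open; only the aggregate per source over a short span stands out. In a real deployment the same counters would be fed from the web server or load balancer logs on a sliding window, and the thresholds set from a baseline of normal traffic.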
A Wake-Up Call for Windows-Based Infrastructures
The targeting of Windows systems by a DDoS botnet is a growing concern for security professionals. As HTTPBot evolves, it challenges the assumption that Windows environments are less vulnerable to large-scale botnet campaigns.
NSFOCUS warns that HTTPBot represents a paradigm shift in DDoS operations. By focusing on session hijacking, protocol mimicry, and session resource occupation, rather than raw traffic volume, HTTPBot effectively bypasses many traditional DDoS mitigation strategies.
For organizations in the gaming, technology, and education sectors, especially those in China, this is a clear sign that next-generation DDoS threats are becoming smarter, stealthier, and more selective in their targets.