Hpingbot Leverages Pastebin for Payload Delivery and Hping3 for DDoS Attacks

A new threat has rapidly emerged in the global cybersecurity landscape as NSFOCUS Fuying Lab reports the detection and ongoing evolution of “hpingbot,” a botnet family written from scratch in Go and demonstrating notable innovation and agility.

Unlike typical botnets, which often borrow from leaked source code such as Mirai or Gafgyt, hpingbot stands out due to its cross-platform capabilities, spanning Windows, Linux, and IoT devices, and its support for a wide range of architectures including amd64, mips, arm, and 80386.

The botnet utilizes the online text storage platform Pastebin for payload distribution and employs the powerful hping3 network testing tool to facilitate DDoS attacks, significantly enhancing its stealth and efficiency while reducing development costs.

Since its initial detection, hpingbot has shown a marked preference for maintaining silence, issuing relatively few DDoS commands since June 17, 2025, primarily targeting Germany, the United States, and Turkey.

Interestingly, analysis revealed that an early target, IP “79...212,” which hosts the real-time monitoring tool NetData, has been subjected to thousands of DDoS attempts by emerging botnets, suggesting that such infrastructures are being exploited for capability testing.

[Figure: Attack method]

Pastebin as a Flexible Distribution Channel

One of hpingbot’s distinguishing traits is its use of Pastebin for payload hosting. Earlier versions of the malware accessed hard-coded Pastebin links upon execution, while later versions required an UPDATE command to trigger the download module, demonstrating an evolving architecture.

The Pastebin content itself is frequently updated by attackers, shifting from simple IP addresses to download scripts such as “payload.sh,” which supports architecture detection, old environment cleanup, tool adaptation (with curl, wget, or auto-installation), and robust persistence mechanisms using Systemd, SysVinit, and Cron.

Trace-cleaning functions, including clearing command history and self-deletion of scripts, attest to the attacker’s focus on evasion and operational security.

Moreover, hpingbot’s propagation strategy is noteworthy, as its SSH weak password brute-force propagation module is maintained separately, not integrated within the main sample.

According to the report, this modular approach mirrors a broader shift in the threat landscape, allowing greater control and secrecy regarding the botnet’s operational details.

Hping3 Tool Powers DDoS Attacks

Hpingbot leverages hping3, a widely respected network testing tool known for its support of multiple protocols and packet-level customization, to conduct over ten DDoS attack types.

[Figure: NetData]

On Linux environments, hping3 is installed using various package managers (apt, yum, pacman) to ensure broad compatibility, while Windows variants of hpingbot, unable to use hping3 natively, reportedly focus on their ability to download and execute arbitrary payloads, highlighting a broader threat vector beyond simple DDoS.

Notably, the command-and-control structure relies on a heartbeat mechanism without authentication, sending fixed-string messages every ten seconds.

Attack instructions follow a streamlined plaintext format, specifying attack methods and parameters passed directly to hping3, enabling highly customizable assault campaigns.
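
One way to surface the ten-second, fixed-string heartbeat described above in network flow records, added here as an illustration and not taken from the NSFOCUS report or the malware itself. The record layout, addresses, port and thresholds are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from statistics import median, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, payload_bytes).
# Addresses come from documentation ranges; port 4444 and all sizes are made up.
SAMPLE_FLOWS = (
    # Fixed 12-byte message roughly every 10 s with slight jitter (heartbeat-like).
    [(1000 + 10 * i + (0.2 if i % 2 else -0.1), "192.0.2.10", "203.0.113.5", 4444, 12)
     for i in range(8)]
    # Fixed-size but 60 s apart (NTP-like polling): wrong period, must not match.
    + [(1000 + 60 * i, "192.0.2.20", "198.51.100.9", 123, 48) for i in range(6)]
    # Ordinary web traffic: irregular timing and varying sizes.
    + [(t, "192.0.2.30", "198.51.100.7", 443, s)
       for t, s in [(1000, 517), (1003, 1280), (1041, 96), (1042, 4312),
                    (1100, 230), (1180, 77), (1181, 1500)]]
    # Right period and size, but too few events to judge.
    + [(1000 + 10 * i, "192.0.2.40", "203.0.113.5", 4444, 12) for i in range(3)]
)


def find_heartbeats(flows, period=10.0, tolerance=1.0, min_events=6):
    """Return (src, dst, port, median_gap, size) for fixed-size, evenly spaced senders."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_pair[(src, dst, port)].append((ts, size))

    hits = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_events:
            continue  # not enough samples to call it periodic
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = {size for _, size in events}
        mid = median(gaps)
        # Fixed string => one payload size; timer-driven => tight gaps near period.
        if len(sizes) == 1 and abs(mid - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((src, dst, port, round(mid, 1), sizes.pop()))
    return hits


if __name__ == "__main__":
    for hit in find_heartbeats(SAMPLE_FLOWS):
        print("possible heartbeat:", hit)
```

Legitimate agents that send fixed-size keepalives on a ten-second timer will match as well, so hits are triage leads to correlate with the destination and with hping3 or Pastebin activity on the same host.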

Frequent updates to both the Pastebin payloads and the malware’s own codebase, coupled with multiple changes to the C&C infrastructure, indicate an active, professional development team with significant anti-detection capabilities.

Recent observations show that attackers are also distributing new DDoS components via hpingbot, hinting at possible future modularization or diversification of this burgeoning threat.

The rapid iteration and operational sophistication of hpingbot underline the growing convergence between botnets, ransomware, and APT threats, making ongoing vigilance and monitoring essential. Security professionals are urged to monitor the indicators of compromise (IOC) associated with hpingbot, as listed below.

Indicators of compromise (IOC)

IP Address        Domain/URL              Hash
45.139.113.61     http://128.0.118.18     F33E6976E3692CB3E56A4CC9257F5AAE
193.32.162.210    http://93.123.118.21
                  http://94.156.181.41

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
