NSFOCUS Fuying Lab’s Global Threat Hunting System has discovered a new botnet family called “hpingbot” that has been quickly expanding since June 2025, marking a significant shift in the cybersecurity scene.
This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386.
Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks.
According to the report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat in the digital realm.
Innovative Tactics
Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently.

Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components.
This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods.
Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.
The botnet’s low frequency of DDoS instructions (only a few hundred since June 17, primarily targeting Germany, the United States, and Turkey) further suggests that attackers are prioritizing infrastructure-building for subsequent malicious activities.
Rapid Evolution
The rapid iteration of hpingbot, with frequent updates to its Pastebin content, C&C servers, and installation scripts, points to a professional development team with long-term operational goals.
Since June 19, 2025, attackers have distributed additional Go-based DDoS components via hpingbot nodes, indicating a strategy to either replace parts of the original botnet or expand its payload distribution network.

The presence of German debugging information in these components suggests they are in a testing phase, yet the attackers’ confidence in deploying them in live environments reflects a disregard for defensive measures.
Moreover, hpingbot’s independent SSH propagation module, persistence mechanisms via Systemd, SysVinit, and Cron, and trace-clearing techniques reveal a sophisticated approach to maintaining control over compromised systems.
As botnets increasingly serve as outposts for APT groups and ransomware campaigns, the potential for hpingbot to distribute more dangerous payloads remains a critical concern, warranting continuous vigilance and monitoring.
Indicators of Compromise (IOC)
Type | Value |
---|---|
IP Address | 45.139.113.61 |
IP Address | 193.32.162.210 |
URL | http://128.0.118.18 |
URL | http://93.123.118.21 |
URL | http://94.156.181.41 |
File Hash | F33E6976E3692CB3E56A4CC9257F5AAE |
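
The following triage sketch is an added example, not code from the NSFOCUS report: it correlates the three behaviours described above (hping3 execution, Pastebin retrieval by a non-browser process, and contact with the listed IOC addresses) per host. The event schema, the process allowlist, the host names and the sample events are constructed assumptions; only the IP addresses come from the table above.

```python
from collections import defaultdict

# IP addresses and URL hosts taken from the IOC table on this page.
IOC_IPS = {"45.139.113.61", "193.32.162.210",
           "128.0.118.18", "93.123.118.21", "94.156.181.41"}
# Assumption: processes expected to reach Pastebin in this environment.
PASTEBIN_ALLOWED = {"firefox", "chrome"}

# Constructed sample events (hypothetical schema: host, kind, process, dest).
SAMPLE_EVENTS = [
    {"host": "cam-01", "kind": "net", "process": "updater", "dest": "pastebin.com"},
    {"host": "cam-01", "kind": "exec", "process": "/usr/sbin/hping3", "dest": ""},
    {"host": "cam-01", "kind": "net", "process": "updater", "dest": "45.139.113.61"},
    {"host": "dev-07", "kind": "net", "process": "firefox", "dest": "pastebin.com"},
    {"host": "lab-03", "kind": "exec", "process": "/usr/sbin/hping3", "dest": ""},
    {"host": "win-12", "kind": "net", "process": "svc.exe", "dest": "93.123.118.21"},
]

def signals_for(event):
    """Return the hpingbot-related signal names raised by one event."""
    name = event["process"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    found = set()
    if event["kind"] == "exec" and name == "hping3":
        found.add("hping3_exec")
    if event["kind"] == "net":
        dest = event["dest"].lower()
        if dest in IOC_IPS:
            found.add("ioc_contact")
        if (dest == "pastebin.com" or dest.endswith(".pastebin.com")) \
                and name not in PASTEBIN_ALLOWED:
            found.add("pastebin_fetch")
    return found

def triage(events):
    """Group signals per host; any IOC contact or 2+ signals is 'high'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= signals_for(ev)
    report = {}
    for host, sigs in per_host.items():
        if not sigs:
            continue
        level = "high" if "ioc_contact" in sigs or len(sigs) >= 2 else "review"
        report[host] = (level, sorted(sigs))
    return report

if __name__ == "__main__":
    for host, (level, sigs) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {level} {', '.join(sigs)}")
```

A lone hping3 execution is rated "review" rather than "high" because the tool also has legitimate diagnostic uses; on the Windows sample host only the IOC contact can fire, which matches the report's note that the Windows build does not use hping3.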