Hpingbot Unleashed: New Go-Based Botnet Leverages Pastebin & Hping3 for Stealthy Attacks
A newly emerged botnet known as hpingbot, identified by the NSFOCUS Fuying Lab’s global threat monitoring system, has rapidly become one of the most prominent cyber threats since its appearance in early June 2025.
According to experts, hpingbot is an entirely original creation—developed from the ground up in the Go programming language. It is capable of operating across Windows, Linux, and IoT environments, while also supporting a wide array of processor architectures, including amd64, mips, arm, and 80386.
Unlike more widely known botnets such as Mirai or Gafgyt, hpingbot demonstrates a novel and sophisticated approach, employing unconventional techniques to obscure its activities and enhance its operational effectiveness. Notably, attackers use the Pastebin service to deliver malicious components and leverage the hping3 networking tool to orchestrate DDoS attacks.
The report notes that this methodology not only complicates detection efforts but also significantly reduces the cost of maintaining and expanding the botnet—making hpingbot one of the fastest-evolving and most formidable threats in the wild.
Researchers highlight that Pastebin allows attackers to dynamically update malicious payloads, enabling the botnet to swiftly adapt to shifting targets and operational goals. Since mid-June 2025, Pastebin-hosted links associated with hpingbot have seen frequent changes, ranging from simple IP lists to complex scripts for loading additional components.
The linchpin of the botnet’s attack arsenal is the hping3 utility—typically employed for network diagnostics, but here repurposed to unleash high-intensity DDoS attacks. The botnet is capable of launching SYN floods, UDP floods, and hybrid attacks, posing a serious threat to the availability of targeted infrastructure.
Curiously, the Windows variant of hpingbot cannot utilize hping3 due to OS limitations. Nevertheless, infected Windows machines remain active—continuing to download and execute arbitrary malicious payloads. This suggests that the attackers’ objectives extend beyond mere network disruption and likely encompass broader malicious campaigns.
Fuying Lab’s monitoring has recorded only a few hundred DDoS commands since June 17, with most targeting systems in Germany, the United States, and Turkey. This limited activity indicates that the developers’ primary focus currently lies in scaling their infrastructure in preparation for future, more expansive operations.
The pace at which hpingbot is evolving is cause for serious concern. The botnet undergoes continual updates: its command-and-control (C2) servers, Pastebin links, installation scripts, and malicious modules are all being rotated frequently. As early as June 19, the attackers began distributing additional Go-based components through hpingbot nodes—likely either to refresh existing payloads or to expand the botnet’s capabilities.
Notably, these new components contain debugging information in German, suggesting they may still be in the testing phase. Yet their simultaneous deployment in live environments reflects a high level of confidence among the attackers—and a disregard for operational security.
In addition, researchers have uncovered hpingbot modules engineered for self-propagation via SSH, mechanisms for persistent system presence using Systemd, SysVinit, and Cron, as well as various stealth techniques designed to conceal its activity. This points to a high degree of sophistication and organizational maturity behind the botnet’s development.
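A defender-side check for the behaviour described above, as an added example that is not from the article or the NSFOCUS report: it scans process-execution events for high-rate hping3 SYN/UDP runs and records whether a service manager or cron spawned them. The event schema, host names and sample lines are constructed, and treating SYN plus UDP on one host as "hybrid" is an assumption.

```python
import json
import shlex
from collections import defaultdict

# Constructed sample process-execution events (JSON lines). The field names
# host/parent/cmdline are assumptions, not a real EDR or auditd schema.
SAMPLE_EVENTS = """\
{"host": "cam-01", "parent": "systemd", "cmdline": "hping3 -S --flood -p 443 192.0.2.10"}
{"host": "cam-01", "parent": "systemd", "cmdline": "hping3 --udp --flood -p 53 192.0.2.10"}
{"host": "nas-02", "parent": "cron", "cmdline": "/usr/sbin/hping3 -2 -i u50 -p 123 198.51.100.7"}
{"host": "ops-03", "parent": "bash", "cmdline": "hping3 -S -c 3 -p 22 203.0.113.5"}
{"host": "web-04", "parent": "sshd", "cmdline": "curl -s https://example.org/health"}
"""

# Parents an interactive diagnostic run would not normally have; the article
# lists Systemd, SysVinit and Cron as the bot's persistence mechanisms.
SERVICE_PARENTS = {"systemd", "init", "cron", "crond"}


def classify(cmdline):
    """Return 'syn' or 'udp' for a high-rate hping3 invocation, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "hping3":
        return None
    args = argv[1:]
    # --flood, --faster and -i uN are hping3's rate options.
    high_rate = "--flood" in args or "--faster" in args or any(
        a == "-i" and nxt.startswith("u") for a, nxt in zip(args, args[1:]))
    if not high_rate:
        return None
    if "-2" in args or "--udp" in args:
        return "udp"
    if "-S" in args or "--syn" in args:
        return "syn"
    return None


def scan(lines):
    """Group flood-like hping3 runs by host; flag service-spawned ones."""
    modes, unattended = defaultdict(set), set()
    for line in filter(None, map(str.strip, lines.splitlines())):
        ev = json.loads(line)
        mode = classify(ev["cmdline"])
        if mode:
            modes[ev["host"]].add(mode)
            if ev["parent"] in SERVICE_PARENTS:
                unattended.add(ev["host"])
    # Assumption: both SYN and UDP runs on one host count as "hybrid".
    return {h: {"modes": sorted(m), "hybrid": len(m) > 1,
                "service_spawned": h in unattended} for h, m in modes.items()}
```

Calling `scan(SAMPLE_EVENTS)` reports cam-01 and nas-02 and skips the bounded three-packet probe on ops-03, which is what ordinary diagnostic use of hping3 looks like.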
Given the growing trend of modern botnets serving as platforms for espionage operations and ransomware distribution, hpingbot’s potential to become a vehicle for far more dangerous campaigns is deeply troubling. Vigilant monitoring of the threat continues.