NSFOCUS Fuying Lab's Global Threat Hunting System has discovered a new botnet family called "hpingbot" that has been quickly expanding.
This cross-platform botnet, built from scratch using the Go programming language, targets both Windows and Linux/IoT environments and supports multiple processor architectures including amd64, mips, arm, and 80386.

Unlike derivatives of well-known botnets like Mirai or Gafgyt, hpingbot showcases remarkable innovation by leveraging unconventional resources for stealth and efficiency, such as using the online text storage platform Pastebin for payload distribution and the network testing tool hping3 to execute Distributed Denial of Service (DDoS) attacks.

According to the Report, this approach not only enhances its ability to evade detection but also significantly reduces the costs associated with development and operation, making hpingbot a formidable and evolving threat in the digital realm.

Hpingbot’s operational strategy is notably distinct, as it employs Pastebin to host and dynamically update malicious payloads, allowing attackers to adjust their load distribution frequently.

DDoS Attacks
Attack method
Monitoring data from Fuying Lab indicates that Pastebin links embedded in the botnet have shifted content multiple times since mid-June 2025, from hosting IP addresses to providing scripts for downloading additional components.

This flexibility is paired with the botnet’s reliance on hping3, a versatile command-line tool typically used for network diagnostics, to launch a variety of DDoS attacks such as SYN, UDP, and mixed-mode floods.

Interestingly, while the Windows version of hpingbot cannot utilize hping3 for DDoS attacks due to environmental limitations, its persistent activity underscores a broader focus on downloading and executing arbitrary payloads, hinting at intentions beyond mere network disruption.