Cybersecurity researchers have uncovered a scraper botnet of more than 3,600 unique devices that has been systematically targeting systems across the United States and United Kingdom since April 2025. The botnet operates through a deceptively simple approach: it sends the user-agent string “Hello-World/1.0” while issuing repeated GET requests across ports 80-85 in an evenly distributed pattern. The campaign represents a significant escalation in automated web scraping attacks, leveraging a globally distributed infrastructure with a concerning concentration of compromised devices in Taiwan.

GreyNoise analysts identified this previously untracked variant through network fingerprinting, moving beyond conventional signature-based detection to analyze the actual behavior of infected devices. The breakthrough came from JA4+ signature analysis, which combines JA4H (HTTP fingerprint) and JA4T (TCP fingerprint). The JA4H component captures how HTTP headers are ordered and formatted, while JA4T encodes the specific manner in which devices establish TCP connections. From these, the research team built a meta-signature that captures the botnet’s unique network behavior patterns. Despite the seemingly basic user-agent identifier, the true complexity lies in the malware’s behavioral fingerprint, which makes traditional detection methods inadequate for identifying the threat. Because the signature relies on fundamental network behavior rather than easily manipulated identifiers such as the user-agent string, it cannot be easily spoofed or evaded.
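As an added illustration (not GreyNoise’s code and not its JA4+ meta-signature), the following simplified log-based check scores each source on the behaviour the article describes, all-GET requests spread evenly across ports 80-85, and keeps the spoofable “Hello-World/1.0” user-agent as a separate, weaker indicator. The sample records are constructed, and the thresholds are assumptions for demonstration.

```python
from collections import Counter, defaultdict

SCRAPER_UA = "Hello-World/1.0"      # user-agent reported for the botnet
SCAN_PORTS = set(range(80, 86))     # ports 80-85 hit in an even spread

# Constructed sample records (not real traffic): (src_ip, dst_port, method, user_agent)
SAMPLE_LOG = (
    [("203.0.113.10", p, "GET", SCRAPER_UA) for p in range(80, 86)] * 2      # even spread, 2 hits/port
    + [("198.51.100.7", 80, "GET", "Mozilla/5.0"),                           # ordinary browser traffic
       ("198.51.100.7", 443, "GET", "Mozilla/5.0")]
    + [("192.0.2.44", 80, "GET", SCRAPER_UA)]                                # UA matches, one port only
)


def port_spread_score(ports):
    """Return (coverage of SCAN_PORTS, evenness) where evenness = min hits / max hits."""
    counts = Counter(p for p in ports if p in SCAN_PORTS)
    if not counts:
        return 0.0, 0.0
    coverage = len(counts) / len(SCAN_PORTS)
    evenness = min(counts.values()) / max(counts.values())
    return coverage, evenness


def classify_sources(records, min_requests=6, min_evenness=0.5):
    """Group requests by source IP and label each source.

    'behavioral' : enough all-GET requests covering every port 80-85 evenly
                   (flagged regardless of user-agent, since the UA is spoofable)
    'ua-only'    : only the weak indicator (user-agent string) matches
    'benign'     : neither
    """
    by_src = defaultdict(list)
    for src, port, method, ua in records:
        by_src[src].append((port, method, ua))
    verdicts = {}
    for src, reqs in by_src.items():
        ua_match = all(ua == SCRAPER_UA for _, _, ua in reqs)
        all_get = all(m == "GET" for _, m, _ in reqs)
        coverage, evenness = port_spread_score(p for p, _, _ in reqs)
        if len(reqs) >= min_requests and all_get and coverage == 1.0 and evenness >= min_evenness:
            verdicts[src] = "behavioral"
        elif ua_match:
            verdicts[src] = "ua-only"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Sources labelled “ua-only” should be treated as low-confidence hits, since any client can set that header; the “behavioral” label is the one worth alerting on.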
The geographic distribution reveals a troubling concentration: 1,934 IP addresses originate from Taiwanese networks, representing 54% of the total botnet infrastructure. This clustering suggests either widespread compromise of a common technology deployed across Taiwan or exploitation of a shared vulnerability affecting local systems. Among the identified IP addresses, 1,359 have been classified as malicious, with an additional 122 marked as suspicious, indicating the botnet’s active threat profile.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Jul 2025 11:05:11 +0000