Hpingbot: A New Botnet Family Based on Pastebin Payload Delivery Chain and Hping3 DDoS Module

    Date: 07/11/2025

    Severity: High

    Summary

Hpingbot is a newly discovered, cross-platform botnet family written in Go that has been spreading actively since June 2025. It targets Windows, Linux and IoT devices and ships builds for multiple architectures, including amd64, ARM, MIPS and 386. Unlike the many variants derived from leaked Mirai or Gafgyt source, Hpingbot is written from scratch, and its delivery chain is both novel and economical: it uses Pastebin to host and retrieve its payloads and the hping3 packet-crafting tool to launch stealthy, low-cost DDoS attacks. The Windows build does not invoke hping3 directly; its high level of activity instead suggests a focus on downloading and executing additional payloads. This points to a broader strategy of using Hpingbot as an infrastructure foothold for deploying other malicious components, mirroring trends seen in recent APT and ransomware operations.

    Indicators of Compromise (IOC) List 

    Url/Domain

    priority.ovh

    fuse-flix.cyou

    mildmarkets.shop

    traveldatavisualize.cam

    variety-fx.fun

    watts-residential-dwellings.online

    http://93.123.118.21

    http://94.156.181.41

    http://93.123.118.21/cARM-386

    http://93.123.118.21/cARM-amd64

    http://93.123.118.21/cARM-arm

    http://93.123.118.21/cARM-arm64

    http://93.123.118.21/cARM-mips

    http://93.123.118.21/cARM-mips-softfloat

    http://93.123.118.21/cARM-mips64

    http://93.123.118.21/cARM-mips64le

    http://93.123.118.21/cARM-mipsle

    http://93.123.118.21/cARM-mipsle-softfloat

    http://93.123.118.21/payload.sh

    http://93.123.118.21/sshell.service

    http://93.123.118.21:3128

    http://93.123.118.21:80

    https://93.123.118.21:3128

    http://94.156.181.41/cARM-amd64

    http://94.156.181.41/payload.sh

    http://128.0.118.18

    IP Address

    193.32.162.210

    45.139.113.61

    93.123.118.21

    94.156.181.41

Hash

    MD5

    F33E6976E3692CB3E56A4CC9257F5AAE

    SHA1

    f7439ac02ad27669215da8a17af9099e8850ad6f

    SHA256

    3359037b5a331ecf79ab9aa114f673e96a227a038fdb377badfbe16b5eaa4e7f

    14ef1c4596c308f3d9fe288a0ec30c4984092efddf91465e03f04a6be7a5043c

    25e9dabe99a5f4143b34baa46145b6708600906230c99f79271243e1418569e2

    50f713385488812c5354f1758c57d66440edd4718eb84709d70766aad23ec04a

    f6831fadfd579c60e6e8a83c0e18cff97ee70f63d83ccf38aed65ff15f65c8ff

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

domainname like "http://93.123.118.21:3128" or siteurl like "http://93.123.118.21:3128" or url like "http://93.123.118.21:3128" or
    domainname like "http://93.123.118.21/cARM-mips-softfloat" or siteurl like "http://93.123.118.21/cARM-mips-softfloat" or url like "http://93.123.118.21/cARM-mips-softfloat" or
    domainname like "http://93.123.118.21/cARM-mips64le" or siteurl like "http://93.123.118.21/cARM-mips64le" or url like "http://93.123.118.21/cARM-mips64le" or
    domainname like "mildmarkets.shop" or siteurl like "mildmarkets.shop" or url like "mildmarkets.shop" or
    domainname like "http://93.123.118.21/cARM-amd64" or siteurl like "http://93.123.118.21/cARM-amd64" or url like "http://93.123.118.21/cARM-amd64" or
    domainname like "http://93.123.118.21/cARM-mips" or siteurl like "http://93.123.118.21/cARM-mips" or url like "http://93.123.118.21/cARM-mips" or
    domainname like "http://93.123.118.21/cARM-mips64" or siteurl like "http://93.123.118.21/cARM-mips64" or url like "http://93.123.118.21/cARM-mips64" or
    domainname like "variety-fx.fun" or siteurl like "variety-fx.fun" or url like "variety-fx.fun" or
    domainname like "http://93.123.118.21/payload.sh" or siteurl like "http://93.123.118.21/payload.sh" or url like "http://93.123.118.21/payload.sh" or
    domainname like "http://93.123.118.21:80" or siteurl like "http://93.123.118.21:80" or url like "http://93.123.118.21:80" or
    domainname like "http://94.156.181.41/payload.sh" or siteurl like "http://94.156.181.41/payload.sh" or url like "http://94.156.181.41/payload.sh" or
    domainname like "http://128.0.118.18" or siteurl like "http://128.0.118.18" or url like "http://128.0.118.18" or
    domainname like "http://93.123.118.21/cARM-386" or siteurl like "http://93.123.118.21/cARM-386" or url like "http://93.123.118.21/cARM-386" or
    domainname like "fuse-flix.cyou" or siteurl like "fuse-flix.cyou" or url like "fuse-flix.cyou" or
    domainname like "http://94.156.181.41" or siteurl like "http://94.156.181.41" or url like "http://94.156.181.41" or
    domainname like "http://93.123.118.21/sshell.service" or siteurl like "http://93.123.118.21/sshell.service" or url like "http://93.123.118.21/sshell.service" or
    domainname like "http://93.123.118.21" or siteurl like "http://93.123.118.21" or url like "http://93.123.118.21" or
    domainname like "traveldatavisualize.cam" or siteurl like "traveldatavisualize.cam" or url like "traveldatavisualize.cam" or
    domainname like "priority.ovh" or siteurl like "priority.ovh" or url like "priority.ovh" or
    domainname like "watts-residential-dwellings.online" or siteurl like "watts-residential-dwellings.online" or url like "watts-residential-dwellings.online" or
    domainname like "http://93.123.118.21/cARM-arm" or siteurl like "http://93.123.118.21/cARM-arm" or url like "http://93.123.118.21/cARM-arm" or
    domainname like "http://93.123.118.21/cARM-arm64" or siteurl like "http://93.123.118.21/cARM-arm64" or url like "http://93.123.118.21/cARM-arm64" or
    domainname like "http://93.123.118.21/cARM-mipsle" or siteurl like "http://93.123.118.21/cARM-mipsle" or url like "http://93.123.118.21/cARM-mipsle" or
    domainname like "http://93.123.118.21/cARM-mipsle-softfloat" or siteurl like "http://93.123.118.21/cARM-mipsle-softfloat" or url like "http://93.123.118.21/cARM-mipsle-softfloat" or
    domainname like "https://93.123.118.21:3128" or siteurl like "https://93.123.118.21:3128" or url like "https://93.123.118.21:3128" or
    domainname like "http://94.156.181.41/cARM-amd64" or siteurl like "http://94.156.181.41/cARM-amd64" or url like "http://94.156.181.41/cARM-amd64"

    Detection Query 2 : 

    dstipaddress IN ("45.139.113.61","94.156.181.41","193.32.162.210","93.123.118.21") or srcipaddress IN ("45.139.113.61","94.156.181.41","193.32.162.210","93.123.118.21")

    Detection Query 3 :

    md5hash IN ("F33E6976E3692CB3E56A4CC9257F5AAE")

    Detection Query 4 :

    hash IN ("f7439ac02ad27669215da8a17af9099e8850ad6f")

    Detection Query 5 :

    sha256hash IN ("50f713385488812c5354f1758c57d66440edd4718eb84709d70766aad23ec04a","3359037b5a331ecf79ab9aa114f673e96a227a038fdb377badfbe16b5eaa4e7f","25e9dabe99a5f4143b34baa46145b6708600906230c99f79271243e1418569e2","14ef1c4596c308f3d9fe288a0ec30c4984092efddf91465e03f04a6be7a5043c","f6831fadfd579c60e6e8a83c0e18cff97ee70f63d83ccf38aed65ff15f65c8ff")
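The five queries above are written for the Gurucul TDIR search language. For teams that want to sweep exported proxy or EDR telemetry offline, the script below is an added example (not Gurucul's code and not part of the original advisory) that applies the same indicator set to log lines. It assumes a constructed tab-separated format of timestamp, source IP, destination IP, URL and file digest; a real export will need its own field mapping. It normalises digest case (the page lists the MD5 in upper case and the rest in lower case), selects the algorithm by digest length, and matches the ten cARM-<arch> download paths on 93.123.118.21 with one pattern rather than enumerating them, which is a generalisation of the list rather than something the advisory states.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the IOC list on this page (lowercased for matching).
IOC_DOMAINS = {
    "priority.ovh", "fuse-flix.cyou", "mildmarkets.shop",
    "traveldatavisualize.cam", "variety-fx.fun",
    "watts-residential-dwellings.online",
}
IOC_IPS = {"193.32.162.210", "45.139.113.61", "93.123.118.21",
           "94.156.181.41", "128.0.118.18"}
# Stager script, persistence unit and the one binary URL hosted on 94.156.181.41.
IOC_PATHS = {
    ("93.123.118.21", "/payload.sh"), ("93.123.118.21", "/sshell.service"),
    ("94.156.181.41", "/payload.sh"), ("94.156.181.41", "/cARM-amd64"),
}
# Generalisation (assumption): one pattern for the ten cARM-<GOARCH> builds
# listed on 93.123.118.21 instead of enumerating each path.
CARM_PATH = re.compile(r"^/cARM-[A-Za-z0-9]+(?:-softfloat)?$")
IOC_HASHES = {h.lower() for h in (
    "F33E6976E3692CB3E56A4CC9257F5AAE",                                  # MD5
    "f7439ac02ad27669215da8a17af9099e8850ad6f",                          # SHA1
    "3359037b5a331ecf79ab9aa114f673e96a227a038fdb377badfbe16b5eaa4e7f",  # SHA256
    "14ef1c4596c308f3d9fe288a0ec30c4984092efddf91465e03f04a6be7a5043c",
    "25e9dabe99a5f4143b34baa46145b6708600906230c99f79271243e1418569e2",
    "50f713385488812c5354f1758c57d66440edd4718eb84709d70766aad23ec04a",
    "f6831fadfd579c60e6e8a83c0e18cff97ee70f63d83ccf38aed65ff15f65c8ff",
)}
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return (algorithm, lowercase hex) for an MD5/SHA1/SHA256 digest, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    algo = HASH_ALGO_BY_LEN.get(len(v))
    return (algo, v) if algo else None


def match_hash(value):
    """Return 'algo:digest' when the digest is one of the listed IOCs, else None."""
    c = classify_hash(value)
    return f"{c[0]}:{c[1]}" if c and c[1] in IOC_HASHES else None


def match_url(url):
    """Return the reasons a URL matches the indicators; [] when it is clean."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain:" + host)
    if host in IOC_IPS:                 # any port: both :80 and :3128 are listed
        reasons.append("ioc-ip:" + host)
        if (host, path) in IOC_PATHS:
            reasons.append("ioc-path:" + path)
        elif CARM_PATH.match(path):
            reasons.append("carm-download:" + path)
    return reasons


def scan_log(lines):
    """Scan tab-separated 'ts src dst url digest' lines; return [(line_no, reasons)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 5:
            continue
        _ts, _src, dst, url, digest = fields[:5]
        reasons = match_url(url)
        if dst in IOC_IPS and "ioc-ip:" + dst not in reasons:
            reasons.append("ioc-ip:" + dst)   # direct connection with no URL logged
        h = match_hash(digest)
        if h:
            reasons.append("ioc-hash:" + h)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry (not real logs): ts, src, dst, url, digest.
SAMPLE_LOG = """\
# ts\tsrc\tdst\turl\tdigest
2025-07-10T08:01:02Z\t10.0.0.5\t93.123.118.21\thttp://93.123.118.21/payload.sh\t-
2025-07-10T08:01:07Z\t10.0.0.5\t93.123.118.21\thttp://93.123.118.21/cARM-mipsle-softfloat\t50f713385488812c5354f1758c57d66440edd4718eb84709d70766aad23ec04a
2025-07-10T08:02:11Z\t10.0.0.9\t203.0.113.7\thttps://example.org/index.html\t-
2025-07-10T08:03:40Z\t10.0.0.12\t45.139.113.61\t-\t-
2025-07-10T08:04:00Z\t10.0.0.12\t198.51.100.3\thttp://mildmarkets.shop/\t-
"""

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(line_no, ", ".join(reasons))
```

On the sample above the scanner flags lines 2, 3, 5 and 6: the stager download, the architecture-specific binary plus its SHA256, a bare connection to one of the listed IPs with no URL recorded, and a request to one of the listed domains. The IP match deliberately ignores the port so that the :80, :3128 and https variants from the IOC list all collapse into a single rule.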

Reference:

    https://nsfocusglobal.com/hpingbot-a-new-botnet-family-based-on-pastebin-payload-delivery-chain-and-hping3-ddos-module/

    https://otx.alienvault.com/pulse/686971887c6b213e0ff24457


    Tags

Malware, Hpingbot, Botnet, Pastebin, DDoS Attacks
