Cybersecurity researchers have uncovered a classy scraper botnet comprising greater than 3,600 distinctive gadgets that has been systematically focusing on techniques throughout the US and United Kingdom since April 2025.
The malware marketing campaign represents a big escalation in automated internet scraping assaults, leveraging a globally distributed infrastructure with a regarding focus of compromised gadgets in Taiwan.
The botnet operates by a deceptively easy method, using the user-agent string “Hiya-World/1.0” whereas executing repeated GET requests throughout ports 80-85 in an evenly distributed sample.
Regardless of the seemingly primary user-agent identifier, the true complexity lies within the malware‘s behavioral fingerprinting, which makes conventional detection strategies insufficient for figuring out the menace.
GreyNoise analysts recognized this beforehand untracked variant by superior community fingerprinting strategies, shifting past typical signature-based detection to investigate the precise conduct of contaminated gadgets.
The analysis crew developed a classy detection methodology utilizing JA4+ signatures, making a meta-signature that captures the botnet’s distinctive community conduct patterns.
The geographic distribution reveals a troubling focus, with 1,934 IP addresses originating from Taiwanese networks, representing 54% of the entire botnet infrastructure.
Supply nations (Supply – GreyNoise)
This clustering suggests both widespread compromise of a typical expertise deployed throughout Taiwan or exploitation of a shared vulnerability affecting native techniques.
Superior Detection By Behavioral Evaluation
The breakthrough in figuring out this botnet got here by implementing JA4+ signature evaluation, which mixes JA4H (HTTP fingerprint) and JA4T (TCP fingerprint) applied sciences.
The JA4H element captures how HTTP headers are ordered and formatted, whereas JA4T encodes the particular method through which gadgets set up community connections.
This behavioral method creates a detection signature that can’t be simply spoofed or evaded, because it depends on basic community conduct fairly than simply manipulated identifiers.
Consumer-Agent: Hiya-World/1.0
Ports: 80-85 (distributed)
Technique: GET requests
Sample: Repeated, systematic focusing on
Among the many recognized IP addresses, 1,359 have been categorised as malicious, with an extra 122 marked as suspicious, indicating the botnet’s energetic menace profile.
Examine reside malware conduct, hint each step of an assault, and make sooner, smarter safety choices -> Attempt ANY.RUN now
