Thursday, March 5, 2026

Botnet Surge – Over 3,600 Devices Launching Attacks Across the US and UK

Cybersecurity researchers at GreyNoise have uncovered a previously untracked scraper botnet variant that has compromised over 3,600 devices worldwide, with attacks primarily targeting systems in the United States and the United Kingdom.

The botnet, first observed on April 19, 2025, employs sophisticated evasion techniques that make traditional detection methods ineffective.

Advanced Detection Through Behavioral Fingerprinting

While the botnet employs a deceptively simple user-agent string, “Hello-World/1.0,” that could easily be spoofed, GreyNoise analysts have developed a more sophisticated detection approach using JA4+ signatures.

This method focuses on behavioral patterns rather than easily manipulated identifiers, creating a globally unique network fingerprint for the botnet variant.

The detection signature combines two key components: JA4H (HTTP fingerprint), which captures how HTTP headers are ordered and formatted, and JA4T (TCP fingerprint), which encodes how devices establish network connections.

This behavioral approach makes the signature difficult to evade or spoof, since attackers would have to change their underlying network behavior completely rather than just edit a header string.

The botnet operates through repeated GET requests distributed evenly across ports 80-85, creating a distinctive traffic pattern that security analysts can monitor.
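To show why the behavioral signature holds up where the user-agent string does not, here is an added example (not GreyNoise's tooling or the real JA4+ implementation) that runs a simplified header-order fingerprint plus the ports 80-85 spread check over constructed request records. The record format, the IPs and the fingerprint scheme are all assumptions for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample records (assumed format for this example):
# (src_ip, dst_port, method, header names in wire order, user-agent)
SAMPLE = [
    ("203.0.113.10", 80, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    ("203.0.113.10", 81, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    ("203.0.113.10", 82, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    ("203.0.113.10", 83, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    ("203.0.113.10", 84, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    ("203.0.113.10", 85, "GET", ["Host", "User-Agent", "Accept"], "Hello-World/1.0"),
    # Same spoofable user-agent, but a different header order and no port spread
    ("198.51.100.7", 80, "GET", ["User-Agent", "Accept", "Host"], "Hello-World/1.0"),
    ("198.51.100.7", 80, "GET", ["User-Agent", "Accept", "Host"], "Hello-World/1.0"),
    # Ordinary browser traffic
    ("192.0.2.5", 443, "GET", ["Host", "User-Agent", "Accept", "Accept-Language"], "Mozilla/5.0"),
]

def header_fingerprint(method, header_names):
    """Simplified header-order fingerprint: method, header count and a hash of the
    ordered header names. This is an assumption modelled loosely on the idea behind
    JA4H, not the real JA4H algorithm."""
    digest = hashlib.sha256(",".join(header_names).encode()).hexdigest()[:12]
    return f"{method.lower()}_{len(header_names):02d}_{digest}"

# Fingerprint of the constructed botnet traffic above (assumed, for this example only)
KNOWN_FP = header_fingerprint("GET", ["Host", "User-Agent", "Accept"])

def match_by_user_agent(records, ua="Hello-World/1.0"):
    """Naive detection on the user-agent string alone: anything can claim this value."""
    return sorted({r[0] for r in records if r[4] == ua})

def match_by_behaviour(records, known_fp, ports=range(80, 86)):
    """Flag a source only if its header-order fingerprint matches the known one
    AND its GET requests cover every port in 80-85 (the even-spread pattern)."""
    ports_seen = defaultdict(set)
    for src, port, method, names, _ in records:
        if method == "GET" and header_fingerprint(method, names) == known_fp:
            ports_seen[src].add(port)
    return sorted(src for src, seen in ports_seen.items() if set(ports) <= seen)

if __name__ == "__main__":
    print("user-agent only:", match_by_user_agent(SAMPLE))   # both spoofer and bot
    print("behavioral:     ", match_by_behaviour(SAMPLE, KNOWN_FP))  # bot only
```

In production the fingerprint would come from a JA4H/JA4T-capable sensor and the port-spread check would run over a time window, but the shape of the logic is the same.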

Of the 3,600 identified IP addresses, 1,359 (38%) are classified as malicious, 122 (3%) as suspicious, and 2,114 (59%) show no association with other known malicious activity. Notably, only one benign IP was observed among the entire dataset.

Geographic Concentration Reveals Infrastructure Patterns

Geographic analysis reveals a striking concentration of botnet infrastructure in Taiwan, accounting for 1,934 IPs or 54% of all identified addresses.

Japan follows with 315 IPs (9%), Bulgaria with 265 IPs (7%), and France with 111 IPs (3%).

This concentration suggests either that a widely deployed technology or service in Taiwan has been compromised or that local exposure to a shared vulnerability is driving the clustering of infected devices.

The targeting pattern shows a clear focus on systems located in the United States and the United Kingdom, despite the botnet’s infrastructure being primarily based in Asia and Europe.

This geographic dispersion between attack infrastructure and targets indicates a coordinated campaign designed to maximize impact while minimizing detection.

Defensive Recommendations

GreyNoise recommends that defenders immediately block all IPs participating in this botnet variant to prevent automated scraping activities.

Organizations should monitor internal traffic for devices communicating with these identified IP addresses and implement tracking for similar JA4+ signatures that may indicate related variants or campaigns.

The company is developing an enhanced dynamic IP blocklist to help defenders respond more quickly to emerging threats, such as this botnet variant.
