GreyNoise has identified a previously untracked variant of a scraper botnet, detectable through a globally unique network fingerprint. While the botnet uses a simple and easily spoofed user-agent string — Hello-World/1.0 — its real signature lies in the behavior of the devices sending the traffic. 

To detect it, GreyNoise analysts created a signature using JA4+, the suite of JA4 signatures used to fingerprint network traffic. This approach allows analysts to detect traffic based not on what it claims to be, but how it behaves — making it difficult to evade or spoof. 

The signature includes: 

  • JA4H (HTTP fingerprint): Captures how HTTP headers are ordered and formatted.
  • JA4T (TCP fingerprint): Encodes how a device establishes network connections.

These behavioral fingerprints form a meta-signature that is globally unique to this botnet variant. 

Key Characteristics

  • First observed: April 19, 2025.
  • Traffic pattern: Repeated GET requests over ports 80-85, evenly distributed. 
  • User-agent: Hello-World/1.0

GreyNoise has detected over 3,600 unique IPs matching this signature, geolocated around the world: 

Of these IPs: 

  • 1,359 (38%) are classified as malicious.
  • 122 (3%) are suspicious.
  • 2,114 (59%) are not associated with other known activity. 
  • Only 1 benign IP was observed.

Targeted systems are predominantly located in the United States and United Kingdom. 

Concentration in Taiwan

Geographic analysis shows a clear concentration of this botnet’s infrastructure in Taiwan, with:

  • 1,934 IPs (54%) originating from Taiwanese networks.
  • Followed by Japan (315 IPs, 9%), Bulgaria (265 IPs, 7%), and France (111 IPs, 3%).

The dominance of Taiwanese IP space could suggest:

  • A common technology or service deployed widely in Taiwan has been compromised.
  • Or that local exposure to a shared vulnerability is driving the clustering. 

What Defenders Should Do

GreyNoise users can track this botnet variant in the Visualizer or via API. We recommend defenders: 

  • Block all IPs participating in this botnet variant to prevent automated scraping activity.
  • Monitor internal traffic for devices reaching out to or from these IPs.
  • Track similar JA4+ signatures (more info here), which may indicate related variants or campaigns. 

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats. Click here to learn more or get on the waitlist.

This analysis was led by GreyNoise Deception Engineer Towne Besel, who developed the detection signature and conducted the underlying research.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
Read the full report
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account