Potential Hello-World Scraper Botnet Activity

Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.

Sigma rule (View on GitHub)

 1title: Potential Hello-World Scraper Botnet Activity
 2id: 1712bafe-be05-4a0e-89d4-17a3ed151bf5
 3status: experimental
 4description: |
 5        Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
 6references:
 7    - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
 8    - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30
 9author: Joseph A. M.
10date: 2025-08-02
11tags:
12    - attack.reconnaissance
13    - attack.t1595
14logsource:
15    category: proxy
16detection:
17    selection:
18        c-useragent: 'Hello-World/1.0'
19        cs-method: 'GET'
20    condition: selection
21falsepositives:
22    - Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.
23    - Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.
24level: medium

References

Related rules

to-top