Potential Hello-World Scraper Botnet Activity
Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
Sigma rule (View on GitHub)
1title: Potential Hello-World Scraper Botnet Activity
2id: 1712bafe-be05-4a0e-89d4-17a3ed151bf5
3status: experimental
4description: |
5 Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string.
6references:
7 - https://www.greynoise.io/blog/new-scraper-botnet-concentrated-in-taiwan
8 - https://viz.greynoise.io/tags/hello-world-scraper-botnet?days=30
9author: Joseph A. M.
10date: 2025-08-02
11tags:
12 - attack.reconnaissance
13 - attack.t1595
14logsource:
15 category: proxy
16detection:
17 selection:
18 c-useragent: 'Hello-World/1.0'
19 cs-method: 'GET'
20 condition: selection
21falsepositives:
22 - Legitimate network monitoring or vulnerability scanning tools that may use this generic user agent.
23 - Internal development or testing scripts. Consider filtering by source IP if this is expected from certain systems.
24level: medium
References
-
GreyNoise has identified a previously untracked variant of a scraper botnet, detectable through a globally unique network fingerprint. To detect it, GreyNoise analysts created a signature using JA4+, the suite of JA4 signatures used to fingerprint network traffic.
Read More -
At GreyNoise, we collect and analyze untargeted, widespread, and opportunistic scan and attack activity that reaches every server directly connected to the Internet.
Read More
Related rules
- PUA - PingCastle Execution
- PUA - PingCastle Execution From Potentially Suspicious Parent
- Access of Sudoers File Content
- PUA - Advanced IP/Port Scanner Update Check
- PUA - Crassus Execution