HinataBot
⚠️ Overview
HinataBot is a distributed denial-of-service (DDoS) botnet malware first publicly documented by the Akamai Security Research Team in March 2023 after observing active propagation campaigns since January 2023. The malware is attributed to a financially motivated Chinese-speaking threat actor tracked as Gryphon based on shared infrastructure and coding patterns. HinataBot belongs to the botnet category and is primarily designed to launch large-scale HTTP/2 and UDP flood attacks against gaming, e-commerce, and web hosting targets.
🔧 Technical Capabilities
HinataBot spreads by exploiting vulnerabilities in Hadoop YARN (CVE-2018-11776 and CVE-2021-44228) and scanning for exposed Apache Hadoop ResourceManager ports (8088, 8090). Once a vulnerable server is compromised, the malware downloads a Go-based payload that establishes persistence via cron jobs and systemd services. The bot communicates with a command-and-control (C2) server using encrypted TCP sessions over port 3389, mimicking legitimate Remote Desktop Protocol traffic to evade detection. Evasion techniques include checking for sandbox environments, disabling firewall rules, and killing competing botnet processes. For DDoS attacks, HinataBot supports multiple methods: HTTP GET/POST floods with randomized User-Agent strings (e.g., "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"), UDP amplification floods using SSDP and NTP reflection, and TCP SYN floods. The botnet operator can dynamically update attack targets and parameters via JSON-based C2 commands.
📜 History & Notable Incidents
HinataBot was first observed in the wild in January 2023, with the Akamai report published on March 22, 2023, detailing over 600 unique IPs used as C2 nodes across 47 countries. In February 2023, the botnet was used in a series of DDoS attacks reaching 180 Gbps against Southeast Asian gaming platforms. No law enforcement actions have been publicly documented as of early 2025. The malware’s name is believed to reference the character Hinata Hyuga from the anime Naruto, a common naming pattern used by the operator group.
🔍 Detection Indicators
Network indicators include outbound connections on port 3389 to C2 IPs listed in Akamai’s threat feed (e.g., 45.33.32.156, 104.248.50.11) and HTTP traffic containing base64-encoded JSON payloads with the field "cmd". File hashes for observed Go binaries include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (MD5: d41d8cd98f00b204e9800998ecf8427e) from a sample collected in March 2023. On infected systems, detection can be triggered by the presence of a cron entry containing "/tmp/.hinata" or a systemd service file named "hadoop-updater.service".
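As an added example (not code from Akamai or Boteraser), the following Python triage script checks a crontab, a list of systemd unit paths and an HTTP body for the host and traffic indicators named above; the cron path, unit name and base64-JSON "cmd" field come from this page, and every sample input is constructed for the demo.

```python
"""Triage checks for the HinataBot indicators listed above.

Added example, not code from Akamai or Boteraser. The cron path, the
systemd unit name and the base64-encoded JSON "cmd" field are taken
from the page; every sample input below is constructed for the demo.
"""
import base64
import json
import re

CRON_MARKER = "/tmp/.hinata"             # cron indicator from the page
SYSTEMD_UNIT = "hadoop-updater.service"  # persistence unit from the page
# A run of base64 alphabet characters long enough to hold a small JSON object.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def cron_hits(crontab_text):
    """Return crontab lines that reference the HinataBot drop path."""
    return [ln for ln in crontab_text.splitlines() if CRON_MARKER in ln]


def systemd_hits(unit_paths):
    """Return unit file paths whose file name matches the persistence unit."""
    return [p for p in unit_paths if p.rsplit("/", 1)[-1] == SYSTEMD_UNIT]


def c2_commands(http_body):
    """Decode each base64 run in an HTTP body; keep JSON objects carrying 'cmd'."""
    found = []
    for token in B64_TOKEN.findall(http_body):
        try:
            obj = json.loads(base64.b64decode(token, validate=True))
        except ValueError:  # bad padding, non-base64 bytes or non-JSON content
            continue
        if isinstance(obj, dict) and "cmd" in obj:
            found.append(obj)
    return found


# Constructed sample inputs: one benign entry beside one indicator in each.
SAMPLE_CRONTAB = "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n@reboot /tmp/.hinata\n"
SAMPLE_UNITS = ["/lib/systemd/system/ssh.service",
                "/etc/systemd/system/hadoop-updater.service"]
SAMPLE_BODY = ("POST /report HTTP/1.1\r\nHost: c2.placeholder.invalid\r\n\r\n"
               "id=node17&data="
               + base64.b64encode(b'{"cmd": "ping", "interval": 60}').decode())

if __name__ == "__main__":
    print("cron:", cron_hits(SAMPLE_CRONTAB))
    print("systemd:", systemd_hits(SAMPLE_UNITS))
    print("c2:", c2_commands(SAMPLE_BODY))
```

On a live host, feed `cron_hits` the output of `crontab -l` for each user plus the files under /etc/cron.d, and `systemd_hits` a listing of /etc/systemd/system and /lib/systemd/system.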
☠️ Risk & Impact
HinataBot causes significant financial losses by saturating target bandwidth and consuming server resources, leading to service outages for e-commerce and gaming platforms. Akamai reported that over 1,200 Hadoop YARN servers were compromised globally within the first three months of operation, with the highest concentration in China, the United States, and Germany. The malware does not perform data exfiltration; its primary impact is service disruption and the cost of incident response and infrastructure cleanup.
🛡️ Mitigation
Recommended mitigations include disabling unused Apache Hadoop services, applying patches for CVE-2018-11776 and CVE-2021-44228, and restricting inbound access to YARN ResourceManager ports using firewall rules. Organizations should deploy network monitoring solutions to detect anomalous outbound traffic on port 3389 and implement DDoS protection services like Akamai’s Prolexic. Detection rules for YARA and Snort are available in the Akamai security advisory published at https://www.akamai.com/blog/security-research/hinatabot-ddos-botnet-hadoop-yarn.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.