This sounds unbelievable but it is true - bot applications have an inbuilt browser. They automate things using this inbuilt browser.
There are Ways to Embed Firefox
It seems it is totally possible to embed Firefox within an application. Firefox being open source provides methods such as JavaXPCOM. In the words of Firefox - " With JavaXPCOM, a developer can talk to XPCOM or embed Gecko from a Java application ".
Or else a dedicated bot developer can accordingly compile Gecko's (browser engine in Firefox) source files and use it. Difficult but certainly not unachievable.
Now embedding a browser inside an application is something that an average developer cannot do. It is definitely a complex thing. But once done, controlling the embedded browser from the application would be fairly simple.
Very Stable and Undetectable as compared to Headless Browsers
Headless browsers are becoming very popular in the creation of bots. But it has been only 3-5 years since their development started — they use outdated versions of browser engines and are pretty unstable. The most popular headless browser PhantomJS has serious memory leaks. It is said that it works well, but has to be restarted after loading 50 pages or so, otherwise it just crashes. Also there are methods through which a web server can identify PhantomJS. It can be attributed to the fact that although PhantomJS uses a browser's source files, but itself is not a real browser.
Firefox is a very stable browser. The automated software using inbuilt Firefox thus becomes very stable too. It can automate for hours and hours without needing to get restarted. In this case a very recent version of a real Firefox browser is being used — automation is almost undetectable to the web server.
An Embedded Browser is Lethal
This is definitely not a good news for web servers. Big companies such as Google, Facebook, Amazon can invest time and money and resources over this — they can stop such bots to a good degree. But smaller companies have literally no hope - they are just at the mercy of these bots.
The only hope is big corporations solving this problem, and making the solution public.