Botnet

from Wikipedia

Stacheldraht botnet diagram showing a DDoS attack (Note this is also an example of a type of client–server model of a botnet.)

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data,[1] send spam, and allow the attacker to access the device and its connection. The operator controls the botnet through command and control (C&C) software.[2] The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Overview

A botnet is a logical collection of Internet-connected devices, such as computers, smartphones or Internet of things (IoT) devices, whose security has been breached and control ceded to a third party. Each compromised device, known as a "bot", is created when a device is penetrated by malware (malicious software). The controller of a botnet directs the activities of these compromised computers through communication channels built on standards-based network protocols such as Internet Relay Chat (IRC) and Hypertext Transfer Protocol (HTTP).[3][4]

Operating, building, or using a botnet to access or control devices without their owners' authorization is illegal in most jurisdictions and is regularly prosecuted as hacking, fraud, or related cyber-crime. Law enforcement and private parties also use legal tools to disrupt botnets, but those takedowns raise separate legal and constitutional issues.[5][6][7]

Botnets are increasingly rented out by cyber criminals as commodities for a variety of purposes,[8] including as booter/stresser services.

Architecture

Botnet architecture has evolved over time in an effort to evade detection and disruption. Traditionally, bot programs are constructed as clients which communicate via existing servers. This allows the bot herder (the controller of the botnet) to perform all control from a remote location and hides the controller behind ordinary server traffic.[9] Many recent botnets instead rely on peer-to-peer networks to communicate. These P2P bot programs perform the same actions as the client–server model but do not require a central server.

Client–server model

A network based on the client–server model, where individual clients request services and resources from centralized servers

The first botnets on the Internet used a client–server model to accomplish their tasks.[10] Typically, these botnets operate through Internet Relay Chat networks, domains, or websites. Infected clients access a predetermined location and await incoming commands from the server. The bot herder sends commands to the server, which relays them to the clients. Clients execute the commands and report their results back to the bot herder.

In the case of IRC botnets, infected clients connect to an IRC server chosen by the bot herder and join a channel pre-designated for C&C. The bot herder sends commands to the channel via the IRC server. Each client retrieves the commands and executes them. Clients send messages back to the IRC channel with the results of their actions.[9]

Peer-to-peer

A peer-to-peer (P2P) network in which interconnected nodes ("peers") share resources among each other without the use of a centralized administrative system

In response to efforts to detect and decapitate IRC botnets, bot herders have begun deploying malware on peer-to-peer networks. These bots may use digital signatures so that only someone with access to the private key can control the botnet,[11] such as in Gameover ZeuS and the ZeroAccess botnet.

Newer botnets fully operate over P2P networks. Rather than communicate with a centralized server, P2P bots perform as both a command distribution server and a client which receives commands.[12] This avoids having any single point of failure, which is an issue for centralized botnets.

In order to find other infected machines, P2P bots discreetly probe random IP addresses until they identify another infected machine. The contacted bot replies with information such as its software version and its list of known bots. If one bot's version is lower than the other's, they initiate a file transfer to update it.[11] In this way each bot grows its list of infected machines and keeps itself up to date by periodically communicating with all known bots.
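As an added example (not code from the page or from any real botnet), the following simulation models the peer-discovery loop just described: each bot blindly probes random addresses, and on contact the two sides exchange peer lists and the one running the older version adopts the newer one. The integer address space, the version numbers and the handshake abstraction are assumptions of the simulation. It is written from the defender's side: the interesting output is how few probes actually reach another bot and how many land on uninvolved hosts.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Peer:
    addr: int                                   # address in a toy integer address space (assumption)
    version: int                                # bot software version
    known: set = field(default_factory=set)     # addresses of other bots this bot has learned about


def handshake(a: Peer, b: Peer) -> None:
    """The exchange described in the text: each side learns the other's peer list, and the
    side with the lower version updates to the newer one (the file transfer is abstracted)."""
    merged = a.known | b.known | {a.addr, b.addr}
    a.known = merged - {a.addr}
    b.known = merged - {b.addr}
    newest = max(a.version, b.version)
    a.version = b.version = newest


def simulate(n_bots: int = 20, address_space: int = 500, rounds: int = 400, seed: int = 1) -> dict:
    """Run the discovery loop and report version convergence, peer-list growth and scan noise."""
    rng = random.Random(seed)
    bots = {addr: Peer(addr, rng.randint(1, 3))
            for addr in rng.sample(range(address_space), n_bots)}
    max_initial = max(b.version for b in bots.values())
    wasted_probes = 0
    for _ in range(rounds):
        for bot in list(bots.values()):
            target = rng.randrange(address_space)          # blind probe of a random address
            if target in bots and target != bot.addr:
                handshake(bot, bots[target])
            else:
                wasted_probes += 1                         # hit a non-bot host: visible as scan noise
            for peer_addr in list(bot.known):              # periodic refresh with every known bot
                handshake(bot, bots[peer_addr])
    return {
        "max_initial_version": max_initial,
        "final_versions": {b.version for b in bots.values()},
        "min_known_peers": min(len(b.known) for b in bots.values()),
        "total_probes": rounds * n_bots,
        "wasted_probes": wasted_probes,
    }


if __name__ == "__main__":
    print(simulate())
```

With these parameters roughly 96% of probes land on hosts that are not bots, each one a connection attempt that a darknet sensor or flow monitor can record, which is the detection opportunity the blind-probing design leaves open even though every bot ends up knowing every other bot and running the newest version.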

Core components

A botnet's originator (known as a "bot herder" or "bot master") controls the botnet remotely; the channel used to do so is known as command-and-control (C&C). The controlling program must communicate via a covert channel with the client on the victim's machine (the zombie computer).

Control protocols

IRC is a historically favored means of C&C because of its communication protocol. A bot herder creates an IRC channel for infected clients to join. Messages sent to the channel are broadcast to all channel members. The bot herder may set the channel's topic to command the botnet. For example, the message :herder!herder@example.com TOPIC #channel :DDoS www.victim.com from the bot herder alerts all infected clients belonging to #channel to begin a DDoS attack on the website www.victim.com (in RFC 1459 syntax the trailing parameter, which may contain spaces, is introduced by a colon). An example response :bot1!bot1@compromised.net PRIVMSG #channel :I am DDoSing www.victim.com by a bot client alerts the bot herder that it has begun the attack.[11]

Some botnets implement custom versions of well-known protocols. The implementation differences can be used for detection of botnets. For example, Mega-D features a slightly modified Simple Mail Transfer Protocol (SMTP) implementation for testing spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.[13]

Zombie computer

In computer science, a zombie computer is a computer connected to the Internet that has been compromised by a hacker, computer virus or trojan horse and can be used to perform malicious tasks under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks (DDoS). Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies. A coordinated DDoS attack by multiple botnet machines also resembles a zombie horde attack.[14]

The process of stealing computing resources as a result of a system being joined to a "botnet" is sometimes referred to as "scrumping".[15]

Command and control

Botnet command and control (C&C) protocols have been implemented in a number of ways, from traditional IRC approaches to more sophisticated versions.

Telnet

Telnet botnets use a simple C&C protocol in which bots connect to a central command server. Bots are recruited by a scanning script, running on a separate server, that sweeps IP ranges for Telnet and SSH servers accepting default logins. Once a working login is found, the scanning server installs the malware over that session, and the new bot calls back to the control server.
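The scanning step above leaves a recognisable trace on every host it touches: a burst of failed logins for default account names from one source, sometimes followed by a successful login. The following is an added example, not code from the page or from any real bot or tool: a small parser for sshd auth-log lines that flags such sources and records which account the scanner got into. The log lines, the DEFAULT_USERS list and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed list of factory-default account names that credential scanners try.
DEFAULT_USERS = {"root", "admin", "user", "pi", "ubnt", "support", "guest"}

# Matches the two sshd outcomes we care about; "invalid user" appears when the name does not exist.
SSHD_RE = re.compile(
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample in syslog/sshd format: one scanner cycling defaults until root works,
# and one legitimate user who mistypes once.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 gw sshd[4120]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 10 12:00:02 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Jan 10 12:00:03 gw sshd[4122]: Failed password for invalid user pi from 203.0.113.5 port 41024 ssh2
Jan 10 12:00:04 gw sshd[4123]: Failed password for invalid user ubnt from 203.0.113.5 port 41025 ssh2
Jan 10 12:00:05 gw sshd[4124]: Accepted password for root from 203.0.113.5 port 41026 ssh2
Jan 10 12:03:10 gw sshd[4130]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jan 10 12:03:15 gw sshd[4131]: Accepted password for alice from 192.0.2.10 port 50001 ssh2
"""


def analyze_auth_log(text: str, min_failures: int = 3, min_default_users: int = 2) -> dict:
    """Return, per scanner-like source IP, the default names it tried and any account it got into.
    A source counts as a scanner when it fails at least `min_failures` times across at least
    `min_default_users` distinct default account names."""
    per_ip = defaultdict(lambda: {"failures": 0, "failed_users": set(), "accepted": []})
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        rec = per_ip[ip]
        if outcome == "Failed":
            rec["failures"] += 1
            rec["failed_users"].add(user)
        else:
            rec["accepted"].append(user)

    findings = {}
    for ip, rec in per_ip.items():
        defaults_tried = rec["failed_users"] & DEFAULT_USERS
        if rec["failures"] >= min_failures and len(defaults_tried) >= min_default_users:
            findings[ip] = {
                "failures": rec["failures"],
                "tried_defaults": sorted(defaults_tried),
                "compromised_as": rec["accepted"],   # non-empty means the scanner found a login
            }
    return findings


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The "compromised_as" field is the part worth acting on: a scanner that only fails is noise to block, while a scanner that is then accepted marks a host that has most likely just joined the botnet.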

IRC

IRC networks use simple, low-bandwidth communication, which makes them a common way to host botnets. IRC botnets tend to be relatively simple in construction and have been used with moderate success for coordinating DDoS attacks and spam campaigns, while being able to switch channels continually to avoid takedown. In some cases, however, merely blocking certain keywords has proven effective in stopping IRC-based botnets. The RFC 1459 (IRC) protocol is popular with botnets. The first known popular botnet controller script, "MaXiTE Bot", used the IRC XDCC protocol for private control commands.

One problem with using IRC is that each bot client must know the IRC server, port, and channel to be of any use to the botnet. Anti-malware organizations can detect and shut down these servers and channels, effectively halting the botnet attack. If this happens, clients are still infected, but they typically lie dormant since they have no way of receiving instructions.[11] To mitigate this problem, a botnet can consist of several servers or channels. If one of the servers or channels becomes disabled, the botnet simply switches to another. It is still possible to detect and disrupt additional botnet servers or channels by sniffing IRC traffic. A botnet adversary can even potentially gain knowledge of the control scheme and imitate the bot herder by issuing commands correctly.[16]
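The IRC exchange in the "Control protocols" section above and the sniffing-based detection just described can be put together in a short script. The following is an added example, not code from the page or from any real bot: an RFC 1459 message parser plus a keyword detector that flags channel topics and messages that look like herder commands or bot status replies. The command vocabulary, the status phrases and the captured lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]                        # "nick!user@host" or a server name, if present
    command: str                                 # e.g. TOPIC, PRIVMSG, or a numeric reply
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one RFC 1459 message: [':' prefix ' '] command {' ' middle} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                              # trailing param may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError("empty IRC message")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


# Assumed bot command vocabulary and status phrases (this example's guesses, not a real bot's).
COMMAND_RE = re.compile(r"^\s*[.!]?(ddos|udpflood|synflood|download|update|scan)\b", re.I)
STATUS_RE = re.compile(r"\b(ddosing|flooding|downloaded|updated|infected)\b", re.I)


def detect_cnc(lines) -> list:
    """Scan captured IRC traffic; return (kind, nick, channel, text) tuples for suspected
    herder commands (topics or channel messages) and for bot status replies."""
    alerts = []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command not in ("TOPIC", "PRIVMSG") or len(msg.params) < 2:
            continue
        nick = msg.prefix.split("!")[0] if msg.prefix else "?"
        channel, text = msg.params[0], msg.params[-1]
        if COMMAND_RE.match(text):
            alerts.append(("command", nick, channel, text))
        elif STATUS_RE.search(text):
            alerts.append(("status", nick, channel, text))
    return alerts


# Constructed capture; the first two lines are the page's own examples in RFC 1459 form.
SAMPLE_CAPTURE = [
    ":herder!herder@example.com TOPIC #channel :DDoS www.victim.com\r\n",
    ":bot1!bot1@compromised.net PRIVMSG #channel :I am DDoSing www.victim.com\r\n",
    ":alice!alice@host.example PRIVMSG #channel :anyone up for a game tonight?\r\n",
    ":irc.example.net 001 bot1 :Welcome to the network\r\n",
]

if __name__ == "__main__":
    for alert in detect_cnc(SAMPLE_CAPTURE):
        print(alert)
```

This is the keyword blocking the section says has sometimes been enough; it is also why herders moved to custom or encoded command syntax, so treat the parser as the durable part and the word lists as something that has to be tuned per botnet.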

P2P

Since most botnets using IRC networks and domains can be taken down with time, operators have moved to P2P C&C to make the botnet more resilient and harder to terminate.

Some operators also use cryptography to lock the botnet against outsiders; usually this is public-key cryptography, so that commands can be authenticated or decrypted only with a key the herder holds. This has presented challenges both in implementing it and in breaking it.

Domains

Many large botnets use domains rather than IRC in their construction (see Rustock botnet and Srizbi botnet), usually hosted with bulletproof hosting services. This is one of the earliest types of C&C: a zombie computer fetches a specially designed web page or domain that serves the list of commands. The advantage of using web pages or domains as C&C is that a large botnet can be controlled and maintained with very simple code that can be readily updated.

Disadvantages are that it uses a considerable amount of bandwidth at large scale, and that domains can be quickly seized by government agencies with little effort. If the controlling domains are not seized, they are also easy targets for denial-of-service attacks.

Fast-flux DNS can be used to make it difficult to track down the control servers, which may change from day to day. Control servers may also hop from DNS domain to DNS domain, with domain generation algorithms being used to create new DNS names for controller servers.
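As an added example (not the page's own code or any real botnet's algorithm), the following toy domain generation algorithm shows how herder and bots can agree on a fresh set of domains each day from a shared seed without any network contact, and how a defender who recovers the seed from a reversed sample can precompute the same domains in order to register, sinkhole or block them. The seed value, the TLD pool, the label length and the use of SHA-256 are assumptions of the example.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-example-seed"          # constructed; a real bot would embed its own secret
TLDS = ("com", "net", "org", "info")        # assumed TLD pool


def dga(seed: bytes, day: date, count: int = 10) -> list:
    """Return `count` deterministic domains for `day`. Herder and bots share `seed`; the
    herder registers one of the day's names ahead of time and the bots try them all."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 10 + digest[0] % 5                                       # label of 10..14 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(seed: bytes, start: date, days: int, count: int = 10) -> set:
    """Defender's side: with the seed recovered from a reversed sample, enumerate every
    domain the bots will query over the coming `days` so they can be sinkholed or blocked."""
    return {d for n in range(days) for d in dga(seed, start + timedelta(days=n), count)}


def demo(start: date = date(2024, 1, 15), days: int = 7) -> dict:
    """Exercise both sides over one constructed week."""
    today = dga(SEED, start)
    blocklist = precompute_blocklist(SEED, start, days)
    return {
        "today": today,
        "deterministic": today == dga(SEED, start),                       # same seed and day, same list
        "changes_daily": today != dga(SEED, start + timedelta(days=1)),
        "blocklist_size": len(blocklist),
        "today_covered": set(today) <= blocklist,
    }


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the point of the technique: the herder only needs to register one domain per day, while a defender who has not recovered the seed must observe each new domain as it is used; once the seed is known the defender can pre-register the whole schedule, which is how sinkholing operations against DGA-based botnets work.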

Some botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that harbors the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the botnet executable). Removing such services can cripple an entire botnet.

Others

Calling back to popular sites[17] such as GitHub,[18] Twitter,[19][20] Reddit,[21] Instagram,[22] the XMPP open source instant message protocol[23] and Tor hidden services[24] are popular ways of avoiding egress filtering to communicate with a C&C server.[25]

Construction

Traditional

This example illustrates how a botnet is created and used for malicious gain.

  1. A hacker purchases or builds a Trojan and/or exploit kit and uses it to start infecting users' computers with a payload that is a malicious application: the bot.
  2. The bot instructs the infected PC to connect to a particular command-and-control (C&C) server. (This allows the botmaster to keep logs of how many bots are active and online.)
  3. The botmaster may then use the bots to gather keystrokes or use form grabbing to steal online credentials, and may rent out the botnet as DDoS and/or spam as a service or sell the credentials online for a profit.
  4. Depending on the quality and capability of the bots, the botnet's value rises or falls.

Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.[26]

Computers can be co-opted into a botnet when they execute malicious software. This can be accomplished by luring users into a drive-by download, exploiting web browser vulnerabilities, or tricking the user into running a Trojan horse program, which may arrive as an email attachment. This malware typically installs modules that allow the computer to be commanded and controlled by the botnet's operator. After the software is downloaded, it calls home (sends a reconnection packet) to the C&C host. Once the connection is made, depending on how it is written, the Trojan may delete itself or remain present to update and maintain the modules.

Others

In some cases, a botnet may be temporarily created by volunteer hacktivists, such as with implementations of the Low Orbit Ion Cannon as used by 4chan members during Project Chanology in 2010.[27]

China's Great Cannon allows the modification of legitimate web browsing traffic at internet backbones into China to create a large ephemeral botnet to attack large targets such as GitHub in 2015.[28]

Common uses

  • Distributed denial-of-service attacks are one of the most common uses for botnets: multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. For example, the bots bombard a victim's server with connection attempts until it can no longer keep up. Google fraud czar Shuman Ghosemajumder has said that these types of attacks causing outages on major websites will continue to occur regularly due to the use of botnets as a service.[29]
  • Spyware is software which sends information to its creators about a user's activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.[30]
  • E-mail spam consists of e-mail messages disguised as messages from people but which are actually advertising, annoying, or malicious.
  • Click fraud occurs when the user's computer visits websites without the user's awareness to create false web traffic for personal or commercial gain.[31]
  • Ad fraud is often a consequence of malicious bot activity, according to CHEQ, Ad Fraud 2019, The Economic Cost of Bad Actors on the Internet.[32] Commercial purposes of bots include influencers using them to boost their supposed popularity, and online publishers using bots to increase the number of clicks an ad receives, allowing sites to earn more commission from advertisers.
  • Credential stuffing attacks use botnets to log in to many user accounts with stolen passwords, such as in the attack against General Motors in 2022.[33]
  • Bitcoin mining is included as a feature in some more recent botnets in order to generate profits for the operator of the botnet.[34][35]
  • Self-spreading functionality, in which bots scan for the devices or networks named in instructions pushed from the command-and-control (C&C) server and attempt to infect them, has also been observed in several botnets; some use it to automate their infections.

Market

The botnet controller community constantly competes over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.[36]

While botnets are often named after the malware that created them, multiple botnets typically use the same malware but are operated by different entities.[37]

Phishing

Botnets can be used for many electronic scams, including distributing malware such as viruses to take control of an ordinary user's computer.[38] Whoever controls a personal computer has access to the personal information on it, including passwords and login details for online accounts. Botnets are also used to send the lures for phishing, the acquisition of login credentials for a victim's accounts through a link the victim clicks in an e-mail or text message.[39] A survey by Verizon found that around two-thirds of electronic "espionage" cases come from phishing.[40]

Countermeasures

The geographic dispersal of botnets means that each recruit must be individually identified/corralled/repaired and limits the benefits of filtering.

Computer security experts have succeeded in destroying or subverting malware command and control networks, by, among other means, seizing servers or getting them cut off from the Internet, denying access to domains that were due to be used by malware to contact its C&C infrastructure, and, in some cases, breaking into the C&C network itself.[41][42][43] In response to this, C&C operators have resorted to using techniques such as overlaying their C&C networks on other existing benign infrastructure such as IRC or Tor, using peer-to-peer networking systems that are not dependent on any fixed servers, and using public key encryption to defeat attempts to break into or spoof the network.[44]

Norton AntiBot was aimed at consumers, but most anti-botnet products target enterprises and/or ISPs. Host-based techniques use heuristics to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above: shutting down C&C servers, null-routing DNS entries, or completely shutting down IRC servers. BotHunter is software, developed with support from the U.S. Army Research Office, that detects botnet activity within a network by analyzing network traffic and comparing it to patterns characteristic of malicious processes.

Researchers at Sandia National Laboratories are analyzing botnets' behavior by simultaneously running one million Linux kernels—a similar scale to a botnet—as virtual machines on a 4,480-node high-performance computer cluster to emulate a very large network, allowing them to watch how botnets work and experiment with ways to stop them.[45]

Detecting automated bots becomes more difficult as newer and more sophisticated generations of bots are launched by attackers. For example, an automated attack can deploy a large bot army and apply brute-force methods with highly accurate username and password lists to break into accounts. The idea is to hit sites with tens of thousands of requests from different IPs all over the world, but with each bot submitting only a single request every 10 minutes or so, which can still add up to more than 5 million attempts per day.[46] Many tools rely on volumetric detection in these cases, but automated bot attacks now have ways of staying below volumetric triggers.

One of the techniques for detecting these bot attacks is what's known as "signature-based systems" in which the software will attempt to detect patterns in the request packet. However, attacks are constantly evolving, so this may not be a viable option when patterns cannot be discerned from thousands of requests. There is also the behavioral approach to thwarting bots, which ultimately tries to distinguish bots from humans. By identifying non-human behavior and recognizing known bot behavior, this process can be applied at the user, browser, and network levels.
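The low-and-slow credential attack described above (tens of thousands of sources, one attempt every ten minutes each) is exactly the case a per-source volumetric rule misses. The following is an added example, not the page's own code: over a constructed login log it applies a conventional per-IP threshold, which finds nothing, and an aggregate rule that looks at the failure count and source spread per window, which flags every window of the attack. The log generator, the thresholds and the window size are assumptions.

```python
import random
from collections import defaultdict

WINDOW = 600   # 10-minute analysis window, in seconds (assumption)


def make_sample_events(n_bots: int = 300, hours: int = 1, seed: int = 7) -> list:
    """Constructed login log of (timestamp, source_ip, username, success). Each bot IP sends
    one failed attempt per window (about every 10 minutes), ten real users log in, and two
    real users mistype a password once per window."""
    rng = random.Random(seed)
    bot_ips = [f"203.0.113.{i}" if i < 256 else f"198.51.100.{i - 256}" for i in range(n_bots)]
    events = []
    for start in range(0, 3600 * hours, WINDOW):
        for ip in bot_ips:
            events.append((start + rng.randrange(WINDOW), ip, f"user{rng.randrange(5000)}", False))
        for j in range(10):
            events.append((start + rng.randrange(WINDOW), f"192.0.2.{j}", f"user{j}", True))
        for j in (10, 11):
            events.append((start + rng.randrange(WINDOW), f"192.0.2.{j}", f"user{j}", False))
    return sorted(events)


def per_ip_volumetric(events, threshold: int = 10) -> list:
    """Conventional rule: flag a source with more than `threshold` failures in one window."""
    fails = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            fails[(ts // WINDOW, ip)] += 1
    return sorted({ip for (_w, ip), n in fails.items() if n > threshold})


def distributed_failure_windows(events, baseline_failures: int = 5, min_sources: int = 50) -> dict:
    """Aggregate rule: a window whose failure count is far above baseline, spread over many
    sources that each fail about once, is a distributed low-and-slow attack."""
    per_window = defaultdict(list)
    for ts, ip, _user, ok in events:
        if not ok:
            per_window[ts // WINDOW].append(ip)
    flagged = {}
    for w, ips in sorted(per_window.items()):
        sources = len(set(ips))
        if len(ips) > 10 * baseline_failures and sources >= min_sources and sources / len(ips) > 0.9:
            flagged[w] = {"failures": len(ips), "sources": sources}
    return flagged


if __name__ == "__main__":
    ev = make_sample_events()
    print("per-IP rule flagged:", per_ip_volumetric(ev))
    print("aggregate rule flagged windows:", distributed_failure_windows(ev))
```

The aggregate rule is deliberately blind to who the sources are; the signal is that the site as a whole is seeing an order of magnitude more failures than usual and that almost every failure comes from a different address, which a fleet of real users never produces.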

The most effective software-based approach to studying such malware has been to use honeypot software that convinces the malware a system is vulnerable; the captured malicious files are then analyzed with forensic tools.

On 15 July 2014, the Subcommittee on Crime and Terrorism of the Committee[47] on the Judiciary, United States Senate, held a hearing on the threats posed by botnets and the public and private efforts to disrupt and dismantle them.[48]

The rise in vulnerable IoT devices has led to an increase in IoT-based botnet attacks. To address this, a novel network-based anomaly detection method for IoT called N-BaIoT was introduced. It captures network behavior snapshots and employs deep autoencoders to identify abnormal traffic from compromised IoT devices. The method was tested by infecting nine IoT devices with Mirai and BASHLITE botnets, showing its ability to accurately and promptly detect attacks originating from compromised IoT devices within a botnet.[49]

Systematic comparisons of different botnet detection methods are valuable to researchers: they show how well each method performs relative to the others, allow fair evaluation, and point to ways of improving them.[50]

Historical list of botnets

The first botnet was acknowledged and exposed by EarthLink during a 2001 lawsuit against the notorious spammer Khan C. Smith.[51] The botnet was constructed for the purpose of bulk spam, and accounted for nearly 25% of all spam at the time.[52]

Around 2006, to thwart detection, some botnets were scaling back in size.[53]

The following is a non-exhaustive list of some historical botnets.

Date created | Date dismantled | Name | Estimated no. of bots | Spam capacity (bn/day) | Aliases
2002 | | MaXiTE | 500–1000 servers | 0 | MaXiTE XDCC Bot, MaXiTE IRC TCL Script, MaxServ
Unknown[54] (no later than 2004[55]) | | Marina Botnet | 6,215,000[54] | 92 |
| | Torpig | 180,000[56] | | Sinowal, Anserin
| | Storm | 160,000[57] | 3 | Nuwar, Peacomm, Zhelatin
2006 (around) | 2011 (March) | Rustock | 150,000[58] | 30 | RKRustok, Costrat
| | Donbot | 125,000[59] | 0.8 | Buzus, Bachsoy
2007 (around) | | Cutwail | 1,500,000[60] | 74 | Pandex, Mutant (related to: Wigon, Pushdo)
2007 | | Akbot | 1,300,000[61] | |
2007 (March) | 2008 (November) | Srizbi | 450,000[62] | 60 | Cbeplay, Exchanger
2008 (around) | | Sality | 1,000,000[63] | | Sector, Kuku
2008 (around) | 2009 (December) | Mariposa | 12,000,000[64] | |
2008 (around) | | Kraken | 495,000[65] | 9 | Kracken
2008 (November) | | Conficker | 10,500,000+[66] | 10 | DownUp, DownAndUp, DownAdUp, Kido
2008 (November) | 2010 (March) | Waledac | 80,000[67] | 1.5 | Waled, Waledpak
| | Onewordsub | 40,000[68] | 1.8 |
| | Nucrypt | 20,000[68] | 5 | Loosky, Locksky
| | Wopla | 20,000[68] | 0.6 | Pokier, Slogger, Cryptic
2008 (around) | | Asprox | 15,000[69] | | Danmec, Hydraflux
| | Spamthru | 12,000[68] | 0.35 | Spam-DComServ, Covesmer, Xmiler
2008 (around) | | Gumblar | | |
2009 (May) | 2010 (November, not complete) | BredoLab | 30,000,000[70] | 3.6 | Oficla
2009 (around) | 2012-07-19 | Grum | 560,000[71] | 39.9 | Tedroo
| | Mega-D | 509,000[72] | 10 | Ozdok
2009 (August) | | Festi | 250,000[73] | 2.25 | Spamnost
2010 (March) | | Vulcanbot | | |
2010 (around) | | TDL4 | 4,500,000[74] | | TDSS, Alureon
| | Zeus | 3,600,000 (US only)[75] | | Zbot, PRG, Wsnpoem, Gorhax, Kneber
2010 | Several: 2011, 2012 | Kelihos | 300,000+ | 4 | Hlux
2011 or earlier | 2015-02 | Ramnit | 3,000,000[76] | |
2012 (around) | | Chameleon | 120,000[77] | None |
2014 | | Necurs | 6,000,000 | |
2016 (August) | | Mirai | 380,000 | None |
2022 | | Mantis[78] | 5,000 | |
2025 (August) | | Rapper Bot[79] | 20,000+ | |
  • Researchers at the University of California, Santa Barbara took control of a botnet and found it to be six times smaller than expected. In some countries it is common for users' IP addresses to change several times a day, so estimating a botnet's size by counting IP addresses, as researchers often do, can lead to inaccurate assessments.[80]

from Grokipedia
A botnet is a network of devices, such as computers, servers, or Internet of Things (IoT) gadgets, that have been infected with malware and remotely commandeered by a malicious operator known as a bot herder, enabling coordinated cyberattacks without the owners' knowledge or consent. These networks derive their name from the portmanteau of "robot" and "network", reflecting the automated, zombie-like behavior of the compromised "bots" that execute commands from a central controller. Botnets typically operate through one of two primary architectures: a centralized client-server model, where bots communicate directly with command-and-control (C2) servers for instructions, or a decentralized peer-to-peer (P2P) structure that distributes control across the bots themselves to enhance resilience against takedowns. Infection often occurs via phishing emails, drive-by downloads, or exploitation of software vulnerabilities, allowing herders to amass vast armies, sometimes millions of devices, for scalable operations. Primarily deployed for distributed denial-of-service (DDoS) attacks that overwhelm targets with traffic, botnets also facilitate spam campaigns, data theft, cryptocurrency mining, and click fraud, posing persistent threats to infrastructure, financial systems, and individual privacy. Notable examples include the Mirai botnet, which in 2016 hijacked IoT devices to launch record-scale DDoS assaults disrupting major services, underscoring botnets' evolution toward exploiting weakly secured consumer hardware. Despite mitigation efforts like C2 server seizures, botnets remain prolific due to their low-cost assembly and adaptability, with ongoing variants targeting both traditional endpoints and emerging edge devices.

Definition and Fundamentals

Core Concept and Characteristics

A botnet is a network of internet-connected devices, such as computers, servers, mobile devices, and Internet of Things (IoT) endpoints, that have been infected with malware enabling remote control by a malicious actor known as the bot herder or botmaster. These devices, referred to as bots or zombies, operate covertly without the knowledge of their legitimate owners, executing commands issued by the herder to perform coordinated malicious activities. The term "botnet" derives from "robot network," reflecting the automated, programmable nature of the infected hosts, which function like software robots under centralized or distributed direction. Central to a botnet's operation is the command-and-control (C2) infrastructure, which facilitates communication between the bot herder and the bots, often through protocols like HTTP, IRC, or peer-to-peer overlays to evade detection. Infection typically occurs via drive-by downloads, phishing emails, exploit kits targeting software vulnerabilities, or compromised legitimate software, allowing the malware to establish persistence on the host and phone home to C2 servers. Key characteristics include scalability, where botnets can encompass thousands to millions of nodes for amplified effects; resilience against takedowns through redundant C2 channels or decentralized architectures; and anonymity for the herder, as actions are distributed across unwitting victims' IP addresses, complicating attribution and mitigation. Botnets prioritize stealth, employing techniques like hiding on the host, encrypted traffic, or fast-flux DNS to mask C2 endpoints and avoid antivirus detection. Botnets enable a range of cyber threats, including distributed denial-of-service (DDoS) attacks that overwhelm targets with traffic floods, spam dissemination exceeding billions of emails daily from large networks, fraud via harvested data, and cryptocurrency mining that hijacks host resources.
Their distributed structure provides economic advantages to attackers, leveraging the computational power and bandwidth of compromised devices at minimal cost, often monetized through cybercrime-as-a-service models where botnets are rented for specific operations. Despite law enforcement disruptions, such as the 2010 takedown of the Mariposa botnet affecting over 12 million machines, botnets persist due to their adaptive evolution and the expanding attack surface from unsecured IoT proliferation.

Scale and Impact Metrics

Botnets vary widely in scale, with modern variants often comprising hundreds of thousands to tens of millions of compromised devices, primarily IoT endpoints, servers, and endpoints vulnerable to exploits like weak credentials or unpatched software. In 2024, the average botnet size reached approximately 38,000 devices, though outliers like BadBox 2.0 infected over 10 million IoT devices globally, enabling persistent command-and-control operations. The largest botnet tracked by infrastructure metrics that year leveraged propagation across unsecured devices. Detection reports from cybersecurity firms indicate the peak botnet in 2024 encompassed 227,000 devices, a near doubling from 2023's largest at 136,000, reflecting increased exploitation of IoT growth.
DDoS attacks powered by botnets have escalated in volumetric intensity, with peaks shattering prior records; for instance, the Aisuru botnet generated a 6.35 terabits per second (Tbps) assault in May 2025, followed by surges exceeding 11.5 Tbps later that year, overwhelming U.S. ISPs through hijacked residential and IoT bandwidth. Historical benchmarks include the 2016 Mirai botnet, which at its height controlled around 600,000 devices to unleash DDoS floods up to 1 Tbps, disrupting major DNS providers like Dyn and cascading outages across major online services. Other variants like Zeus facilitated financial fraud totaling over $120 million by 2010 through credential theft on infected banking endpoints.
Financial repercussions from botnet-enabled disruptions are severe, with DDoS downtime averaging $6,130 per minute for affected businesses due to halted operations and recovery efforts. Affected organizations report losses exceeding $100,000 per hour during peak attacks, compounded by SLA penalties and forensic costs. Beyond DDoS, botnets drive spam dissemination (Cutwail once propagated 74 billion emails daily) and malware delivery, contributing to broader cybercrime economics estimated in billions annually, though attribution isolates botnet-specific vectors like Emotet's modular payloads to targeted sectors such as healthcare.
Notable Botnet | Peak Infected Devices | Primary Impact Metric | Year
Mirai | ~600,000 | DDoS up to 1 Tbps | 2016
Zeus | Millions (est.) | $120M+ banking fraud | 2007–2010
BadBox 2.0 | >10 million | Persistent C2 on IoT | 2024–2025
Aisuru | Undisclosed (large-scale) | 6.35+ Tbps DDoS | 2025

Historical Development

Origins and Early Examples (1990s–2000s)

Botnets originated in the late 1990s as extensions of automated scripts and IRC bots initially designed for benign channel management, evolving into malicious networks of compromised computers controlled remotely for coordinated attacks. Early malicious botnets leveraged vulnerabilities in Unix systems, using client-server architectures where "masters" issued commands to "agents" or "zombies" on infected hosts to execute distributed denial-of-service (DDoS) floods. These tools marked a shift from single-source DoS attacks to distributed ones, amplifying impact through the sheer volume of traffic from multiple sources. One of the earliest documented DDoS botnets was Trin00 (also known as Trinoo), released in 1999, which coordinated UDP floods from compromised Unix machines against targets like the University of Minnesota in August 1999, rendering services unavailable for hours. Trin00 operated via a master-slave model, with the attacker controlling masters over TCP and masters passing commands to slaves over UDP, which then flooded targets with UDP packets, demonstrating the scalability of botnet-orchestrated attacks. Shortly after, the Tribe Flood Network (TFN) emerged in 1999, extending capabilities to include TCP SYN floods, ICMP echo floods, and Smurf attacks, while obfuscating attack origins through encrypted communications and spoofed IP addresses. Stacheldraht, distributed in late 1999, built on Trin00 and TFN by integrating their features into a more resilient framework, adding automated updates, TCP-based handler-agent controls, and resistance to filtering via ICMP tunneling for command dissemination. Developed by an author using the pseudonym "Thomas Stacheldraht" from the Austrian group TESO, it enabled larger-scale DDoS operations and was detected in isolated incidents by mid-2000.
Concurrently, Windows-targeted malware like SubSeven (1999) and PrettyPark (1999) formed rudimentary botnets; SubSeven acted as a Trojan for remote access and DDoS participation, while PrettyPark spread via email attachments to harvest passwords and email addresses for spam relays. By 2000, botnets expanded beyond DDoS to spam distribution, exemplified by the EarthLink spammer botnet, which hijacked thousands of machines to disseminate bulk unsolicited emails, highlighting the economic motivations emerging alongside hacktivist or experimental uses. These early examples, primarily Unix-based for DDoS and shifting to Windows for broader infection vectors, laid the groundwork for later botnet architectures by exploiting unpatched systems and weak network security, with attacks peaking in scale during the 2000 DDoS incident against Yahoo! involving similar tools. The prevalence of publicly available source code for these tools facilitated rapid proliferation among attackers, underscoring the need for improved host hardening and traffic monitoring in the era's nascent cybersecurity landscape.

Expansion in the 2010s

The 2010s marked a period of rapid expansion for botnets, driven by the proliferation of Internet-connected devices and advances in resilience that enabled larger scales and more diverse targets beyond traditional PCs. Early in the decade, botnets like Mariposa controlled roughly 12 million infected hosts, used primarily for data theft and banking fraud, showing the potential for mass compromise through widespread operating-system vulnerabilities. Growth metrics indicated explosive increases: unique botnet victims rose 654% in 2010 alone, reflecting incremental weekly expansions averaging 8%. Botnets also evolved architecturally to evade takedowns, with peer-to-peer (P2P) models gaining prominence, as seen in Gameover Zeus (GOZ), a variant of the Zeus family that operated from around 2011 until its disruption in 2014. GOZ combined P2P command-and-control with a domain generation algorithm (DGA) fallback to steal banking credentials and facilitate fraud, resulting in millions of dollars in losses worldwide. Operation Tovar, a multinational effort led by the FBI with law-enforcement and industry partners, disrupted GOZ in an action announced on June 2, 2014, by sinkholing its infrastructure and redirecting infected hosts' traffic, though the operation also highlighted the difficulty of fully eradicating resilient P2P networks. The latter half of the decade saw a pivotal shift toward Internet of Things (IoT) devices, whose weak default credentials and insecure firmware amplified botnet firepower for DDoS attacks. The Mirai botnet, which emerged in 2016, infected hundreds of thousands of IoT devices such as cameras and routers, culminating in a massive DDoS attack on the DNS provider Dyn on October 21, 2016, that peaked at over 1 Tbps and disrupted access to many major websites. The public leak of Mirai's source code fuelled variants and copycats such as Reaper in 2017, underscoring how IoT expansion enabled unprecedented attack volumes, while traditional PC botnets like Kelihos persisted with up to 300,000 nodes for spam and malware distribution until its takedown in 2017.
This era's botnet growth was compounded by the rise of ransomware-as-a-service and ad-fraud schemes; the Methbot network reportedly generated $3-5 million per day through video-ad manipulation.

Recent Evolutions (2020–2025)

During the early 2020s, botnets evolved toward greater resilience and scale. Mirai variants continued to dominate, exploiting vulnerabilities in Internet of Things (IoT) devices such as routers, cameras, and industrial equipment to orchestrate very large distributed denial-of-service (DDoS) attacks. Some variants leveraged zero-day flaws, such as the AVTECH CCTV camera vulnerability disclosed in August 2024, and the resulting botnets drove attacks of unprecedented volume, including the 5.6 terabits per second (Tbps) DDoS disclosed by Cloudflare in January 2025 and the record 7.3 Tbps attack in May 2025. By Q1 2025, Layer 3/4 DDoS attacks had surged 110% year-over-year, fuelled by botnets exceeding 1.33 million devices and targeting sectors such as fintech and telecommunications. A notable shift was the expansion of botnets into mobile and consumer IoT ecosystems, exemplified by the BadBox 2.0 network, which compromised over 10 million uncertified Android-based devices, including streaming TV boxes, between 2022 and 2025 for ad fraud, traffic spoofing, and residential-proxy operations, and by SuperBox Android TV devices shipped with pre-installed backdoors associated with the Kimwolf botnet, which turned the devices into residential proxy nodes routing third-party traffic through users' home networks without consent; in that case the malware was factory-installed rather than delivered through a post-purchase exploit. In July 2025, legal action was initiated against 25 China-based operators, with industry partners cooperating to disrupt the botnet's infrastructure and prevent further monetisation of invalid traffic. This reflected broader trends in which botnets increasingly targeted weakly secured consumer hardware and were used for activities beyond DDoS, such as malware delivery and espionage.
Law-enforcement responses intensified. Operation Endgame in May 2024 marked the largest coordinated global action against botnets to that point, with more than a dozen countries disrupting malware families used for initial access, including IcedID and Pikabot, and producing arrests, server seizures, and infrastructure takedowns. A follow-up phase in May 2025 extended these efforts to the ransomware kill chain, while U.S. authorities disrupted state-affiliated botnets, including a Russian GRU-controlled network taken down in April 2022 that was capable of both intelligence collection and disruptive attacks. These operations highlighted botnets' role in both state-sponsored and criminal ecosystems and prompted advances in detection amid rising IoT vulnerabilities.

Technical Architecture

Client-Server Model

In the client-server model of botnet architecture, infected hosts act as clients that connect to a centralized command-and-control (C&C) server operated by the botnet controller, which issues directives for coordinated activities such as distributed denial-of-service (DDoS) attacks or spam campaigns. The C&C server acts on behalf of the botmaster, transmitting commands to bots while receiving status updates or harvested data from them, typically over Internet Relay Chat (IRC) in early implementations or HTTP in later ones, the latter chosen because bot traffic then resembles ordinary web browsing. This architecture, prevalent in first-generation botnets dating back to the late 1990s, is hierarchical: a single C&C server, or a small number of them, serves as the sole point of coordination, which allows efficient management of very large numbers of compromised devices but introduces a critical single point of failure, since disrupting the server can dismantle the entire network. One botnet active in the mid-2000s, for instance, communicated over UDP port 447 with a C&C server located through a DNS name. Law-enforcement actions such as server seizures or domain sinkholing have repeatedly exploited this central dependency, as in the 2009 takedown of Mariposa, which controlled roughly 12 million bots through centralized servers. Despite the rise of more resilient alternatives, client-server models persist in some operations because they are simple to set up and control, particularly in rapid-deployment DDoS botnets where bots periodically poll the server for instructions rather than holding persistent connections. Such botnets often use domain generation algorithms (DGAs) or fast-flux DNS to obscure the C&C location, but these measures still centralize authority and remain susceptible to law-enforcement action and international cooperation in neutralizing servers.
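As an added illustration (example code written for this article, not taken from any of the botnets or tools it describes), the following Python shows how a defender can separate a fast-flux C&C name from an ordinary CDN-hosted name using passive-DNS observations: a fluxed name resolves to many addresses in unrelated networks with a short TTL, while a CDN also rotates addresses but keeps them inside its own blocks. The observations, the names under the reserved .example domain, the RFC 5737 addresses and the thresholds are all constructed for the example; the /24-prefix count stands in for the ASN lookup a production system would use.

```python
import ipaddress
from collections import defaultdict

# Constructed passive-DNS observations (illustrative, not real data):
# (timestamp, domain, TTL in seconds, A records returned by that query).
OBSERVATIONS = [
    ("2024-05-01T00:00", "update-check.example", 60, ["203.0.113.14", "198.51.100.22", "192.0.2.77"]),
    ("2024-05-01T00:05", "update-check.example", 60, ["203.0.113.91", "198.51.100.8", "192.0.2.130"]),
    ("2024-05-01T00:10", "update-check.example", 60, ["203.0.113.7", "198.51.100.201", "192.0.2.3"]),
    ("2024-05-01T00:00", "static.cdn.example", 60, ["203.0.113.1", "203.0.113.2"]),
    ("2024-05-01T00:05", "static.cdn.example", 60, ["203.0.113.2", "203.0.113.3"]),
    ("2024-05-01T00:10", "static.cdn.example", 60, ["203.0.113.1", "203.0.113.3"]),
    ("2024-05-01T00:00", "www.example", 3600, ["192.0.2.10"]),
]


def flux_profile(observations):
    """Summarise each domain: distinct A records seen, distinct /24 prefixes
    they span (a cheap stand-in for an ASN lookup), and the lowest TTL seen."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    min_ttl = {}
    for _ts, domain, ttl, answers in observations:
        for addr in answers:
            ips[domain].add(addr)
            prefixes[domain].add(str(ipaddress.ip_network(f"{addr}/24", strict=False)))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {
        d: {"ips": len(ips[d]), "prefixes": len(prefixes[d]), "min_ttl": min_ttl[d]}
        for d in ips
    }


def is_fast_flux(profile, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag a name that rotates through many addresses in unrelated networks
    with a short TTL. Thresholds are assumed values; tune them per network."""
    return (
        profile["ips"] >= min_ips
        and profile["prefixes"] >= min_prefixes
        and profile["min_ttl"] <= max_ttl
    )


def classify(observations):
    """Map each observed domain to True (fast-flux suspect) or False."""
    return {d: is_fast_flux(p) for d, p in flux_profile(observations).items()}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(f"{domain:24} fast-flux={verdict}")
```

The prefix-diversity test is what keeps CDN and load-balanced names out of the alert list; a TTL-only or IP-count-only rule would flag them too.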

Peer-to-Peer Model

In the peer-to-peer (P2P) botnet model, command-and-control (C&C) functions are decentralized and do not rely on central servers. Each infected host, or bot, acts as both client and server, communicating directly with peers to exchange commands, updates, and infection data. This architecture contrasts with the client-server model by distributing C&C across the network: bots maintain lists of peer nodes, discovered through protocols such as Overnet (a Kademlia-based distributed hash table), and route messages without any fixed rendezvous point. The P2P structure provides resilience against takedowns, since the absence of a single point of failure prevents complete disruption through server seizures or domain blocks. Commands from the botmaster, typically injected through selected super-peers or the initial infection vectors, propagate laterally via gossip protocols or distributed hash tables (DHTs), so the network persists even when subsets of bots are removed. This lets a botnet grow without a central bottleneck, each new bot adding to the overlay's robustness, although it brings higher overhead from peer-list maintenance and exposes the network to infiltration through fake nodes, a weakness defenders exploit to crawl and poison peer lists. Early examples include the Storm botnet, which emerged in January 2007 and used the Overnet P2P protocol for C&C, supporting spam distribution and DDoS attacks while evading centralized shutdown until reverse engineering of its peer protocol enabled partial mitigation. The Gameover Zeus variant, active from around 2011, combined P2P communication with a domain generation algorithm for fallback peer discovery, supporting financial fraud until an international operation announced on June 2, 2014, disrupted it by sinkholing its communications. More recently, FritzFrog, a Linux-focused P2P botnet first reported in 2020 with renewed activity reported in 2022, has targeted SSH servers since at least January 2020 for cryptocurrency mining and backdoor persistence, using a custom P2P overlay for decentralized control that withstands single-node failures. These cases show how P2P models sustain operations despite law-enforcement action, although weaknesses in peer selection and distinctive traffic patterns enable detection through behavioural analysis.
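The resilience argument above can be made concrete with a small simulation, added here as an example (it is not code from any of the botnets discussed, and the topology parameters are assumptions): a star network whose single C&C node is seized, versus an unstructured overlay in which each bot bootstraps with a few random peers and 30% of the peers are removed. The measure is the fraction of surviving bots that a command injected at one surviving node still reaches.

```python
import random
from collections import deque


def build_client_server(n_bots):
    """Star topology: node 0 is the single C&C server; bots 1..n_bots talk only to it."""
    adj = {i: set() for i in range(n_bots + 1)}
    for bot in range(1, n_bots + 1):
        adj[0].add(bot)
        adj[bot].add(0)
    return adj


def build_p2p(n_bots, peers_per_bot, rng):
    """Unstructured overlay: every bot bootstraps with `peers_per_bot` random
    peers; links are symmetric, as in a routing table learned from a peer list."""
    adj = {i: set() for i in range(n_bots)}
    for bot in range(n_bots):
        others = [p for p in range(n_bots) if p != bot]
        for peer in rng.sample(others, peers_per_bot):
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj


def command_reach(adj, source, removed):
    """Fraction of surviving nodes (other than `source`) that a command injected
    at `source` still reaches once `removed` nodes are seized or sinkholed."""
    if source in removed:
        raise ValueError("injection point itself was taken down")
    live = [n for n in adj if n not in removed]
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    targets = len(live) - 1
    return (len(seen) - 1) / targets if targets else 0.0


def takedown_experiment(n_bots=200, peers_per_bot=4, fraction_removed=0.3, seed=7):
    """Returns (reach after seizing the C&C server, reach after removing a
    random 30% of P2P peers). Parameters are assumed values for the example."""
    rng = random.Random(seed)
    star = build_client_server(n_bots)
    star_reach = command_reach(star, source=1, removed={0})
    mesh = build_p2p(n_bots, peers_per_bot, rng)
    removed = set(rng.sample(range(1, n_bots), int(n_bots * fraction_removed)))
    mesh_reach = command_reach(mesh, source=0, removed=removed)
    return star_reach, mesh_reach


if __name__ == "__main__":
    star, mesh = takedown_experiment()
    print(f"client-server reach after C&C seizure: {star:.2f}")
    print(f"P2P reach after 30% of peers removed:  {mesh:.2f}")
```

Seizing the one server leaves every bot unreachable, while the overlay keeps almost all surviving bots connected; the same run also shows the defender's lever against P2P designs, since a node in the overlay (here, any seed peer) sees the same peer lists the operator does.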

Hybrid and Emerging Architectures

Hybrid botnets combine centralized command-and-control (C&C) servers with peer-to-peer (P2P) communication among infected hosts, balancing efficient top-down command issuance against decentralized resilience. In this architecture a subset of bots, often designated "supernodes" or core peers, connects to the central servers to receive directives, which are then relayed laterally through P2P overlays to the rest of the botnet; this mitigates the single point of failure inherent in pure client-server models while preserving operator oversight. The design improves survivability, since takedown of the central servers triggers automatic failover to P2P propagation, although it raises detection risk through anomalous peer traffic. A notable example is Gameover Zeus (GOZ), active primarily from 2011 to 2014, which featured a three-layer structure: proxy nodes fronting the operators' servers for C&C resilience, P2P command sharing among bots, and encrypted peer communications to evade monitoring. More recent designs proposed in academic work eliminate single failure points by layering hybrid controls, with bots dynamically electing leaders for localized C&C when no external server is reachable; simulations of such architectures report higher persistence than traditional models and command latency reduced by up to 40% through selective P2P routing. Since 2020, emerging architectures increasingly incorporate IoT-specific hybrids that exploit the heterogeneity of devices such as routers and cameras in multi-tier setups: low-tier bots handle propagation through weak protocols (for example, Telnet brute-forcing), mid-tier nodes aggregate data P2P-style, and high-tier elements interface with ephemeral cloud-based C&C for orchestration.
FritzFrog, detected in 2020 and still active in 2022, exemplifies this P2P-hybrid evolution. Written in Go, it uses SSH for peer bootstrapping and distributes keys in a decentralized fashion across compromised servers, and had infected over 3,000 hosts by mid-2022 without depending on a fixed C&C. By 2025, trends point to AI-driven adaptability, in which bots use machine learning for real-time topology reconfiguration, such as dynamic supernode selection based on network conditions, to counter defensive heuristics, marking a shift toward self-healing networks intended to survive takedowns like those that disrupted some 15 million devices in 2024.

Key Components

Infected Hosts (Zombies/Bots)

Infected hosts in a botnet, termed zombies or bots, are computing devices compromised by malware that grants unauthorized remote access and control to the operator, known as the bot herder. These devices execute directives such as launching distributed denial-of-service (DDoS) attacks, sending spam, or harvesting sensitive data, typically without alerting the legitimate owner, using stealthy persistence mechanisms that mimic normal operation. Compromised hosts maintain two-way communication with command-and-control (C&C) servers over protocols such as HTTP or IRC, polling for instructions at intervals chosen to limit detection and conserve resources. They often include self-propagation capabilities, scanning networks for vulnerable peers to expand the botnet autonomously. Behavioural traits include suppressed error reporting, tampering with system logs to evade antivirus detection, and modular payloads that switch tasks dynamically, such as credential theft or cryptocurrency mining. Once dominated by personal computers and servers, the population of infected hosts now spans a broad range of endpoints as connected devices with weak default security have proliferated: mobile phones, routers, IP cameras, smart televisions, and industrial sensors. IoT devices in particular are prime targets because of hard-coded credentials, unpatched firmware, and limited capacity for security updates, enabling rapid mass infection. Infection counts vary by architecture and campaign: the 2000s Rustock botnet enslaved millions of Windows PCs for spam, while modern IoT-focused variants reach comparable numbers through exploit chains aimed at unsegmented networks. The 2016 Mirai botnet, for instance, commandeered over 600,000 vulnerable IoT devices and generated DDoS traffic exceeding 1 Tbps.
By 2025, incidents such as the BadBox 2.0 campaign had compromised more than 10 million devices, mainly Android-based smart TVs and set-top boxes, underscoring the growing volume driven by supply-chain compromise of consumer electronics.

Command and Control Infrastructure

The command-and-control (C&C) infrastructure of a botnet carries communication between operators and compromised devices, allowing instructions to be issued for tasks such as distributed denial-of-service (DDoS) attacks, data theft, or spam distribution. Bots typically connect outbound to C&C servers using standard protocols so that the traffic blends with legitimate activity and passes firewalls. Centralized C&C architectures rely on one or more dedicated servers that bots query at intervals for updates, often over HTTP for its ubiquity or IRC for simplicity in early designs. This client-server model enables straightforward management and scaling but introduces single points of failure: seizure of the primary server, as in the 2009 Mariposa takedown, can collapse the network. To mitigate this, operators deploy redundant servers in jurisdictions with lax enforcement, known as bulletproof hosting. Evasion techniques extend C&C durability. Fast-flux DNS cycles the IP addresses bound to a domain every few minutes across a pool of proxies or compromised hosts, complicating blocklisting; first observed in the Storm botnet in 2007, fast flux has persisted in operations targeting financial institutions through 2025. Domain generation algorithms (DGAs) add another layer: bots and controllers use a seeded pseudorandom function to generate daily lists of thousands of candidate domains, of which only a few are registered and used for rendezvous, so that prediction is infeasible without reverse-engineering the algorithm and recovering its seed. DGAs appeared in botnets in 2008 and continue in variants exploiting IoT devices as of 2024. Peer-to-peer (P2P) C&C architectures decentralize control, eliminating central servers by having bots relay commands among peers over overlay networks. This model, exemplified by the Gameover Zeus botnet disrupted in 2014, resists takedowns because no single node holds full authority, though it demands more bandwidth from infected hosts and complicates command propagation.
P2P systems often incorporate encryption and key exchanges for secure messaging, with peer discovery via DHTs or hard-coded seed lists. Hybrid approaches combine centralized primaries with P2P fallbacks, as seen in some botnets after 2020, balancing efficiency and resilience. Communication protocols prioritize stealth and reliability: HTTP/HTTPS dominates modern botnets because it masquerades as web traffic, while custom binary protocols over TCP reduce overhead in P2P setups. Operators may also leverage public infrastructure, such as legitimate web platforms or cloud services, for C&C to further obscure operations, at the risk of platform bans. Disrupting resilient C&C requires sinkholing domains, legal seizures, or "herding" the botnet to redirect its traffic, techniques applied against Mirai variants in 2016 and against ongoing IoT botnets through 2025.
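An added worked example of the DGA rendezvous scheme described above (written for this article; the hash construction, the seed value and the TLD list are assumptions, not the algorithm of any real botnet). Both sides are shown: the bot walks the day's candidate list until one name resolves, and the defender, once the algorithm and seed have been recovered from a sample, precomputes the coming days' candidates so they can be registered or sinkholed first.

```python
import datetime
import hashlib

TLDS = ("com", "net", "org", "info")  # assumed TLD table


def generate_domains(seed: bytes, day: datetime.date, count: int = 1000):
    """Hypothetical DGA: candidate i for a given day is derived from
    SHA-256(seed || YYYYMMDD || i). Bot and controller share `seed`, so both
    compute the same list; without the seed the list cannot be predicted."""
    stamp = day.strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + stamp + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def candidates_for(seed: bytes, iso_day: str, count: int = 1000):
    """Convenience wrapper taking the day as an ISO string."""
    return generate_domains(seed, datetime.date.fromisoformat(iso_day), count)


def find_controller(candidates, resolver):
    """Bot side: try today's candidates in order and stop at the first name
    that resolves. `resolver` maps registered names to addresses."""
    for domain in candidates:
        if domain in resolver:
            return domain, resolver[domain]
    return None


def sinkhole_plan(seed: bytes, iso_start: str, days: int, count: int = 1000):
    """Defender side, after reverse engineering: every candidate for the
    coming `days`, keyed by ISO date, ready for pre-registration or sinkholing."""
    start = datetime.date.fromisoformat(iso_start)
    plan = {}
    for d in range(days):
        day = start + datetime.timedelta(days=d)
        plan[day.isoformat()] = generate_domains(seed, day, count)
    return plan


def matches_dga(domain: str, seed: bytes, iso_day: str, count: int = 1000) -> bool:
    """Blocklist check: is this queried name one of the day's candidates?"""
    return domain in set(candidates_for(seed, iso_day, count))


if __name__ == "__main__":
    seed = b"example-seed"            # assumed; a real seed is recovered from the sample
    todays = candidates_for(seed, "2024-01-01", 10)
    # Constructed DNS table: the operator registered only the 8th candidate.
    registered = {todays[7]: "203.0.113.5"}
    print(find_controller(todays, registered))
    print(len(sinkhole_plan(seed, "2024-01-01", 3)["2024-01-03"]))
```

Because only the registered candidate costs the operator anything, the bot's failed lookups for the other names are themselves a detection signal: a host resolving hundreds of never-before-seen, high-entropy names per day is a DGA client even before the algorithm is known.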

Communication Protocols

Botnets rely on communication protocols that let command-and-control (C&C) disseminate instructions to infected hosts, coordinating activities such as distributed denial-of-service (DDoS) attacks, data theft, or propagation. These protocols differ in centralization, stealth, and resilience, and their evolution has been driven by the need to counter detection and disruption by security researchers and law enforcement. Early protocols favoured simplicity and real-time control; later ones prioritized stealth and traffic that resembles legitimate use in order to withstand takedowns. Internet Relay Chat (IRC) was among the first protocols adopted for botnet C&C, emerging with malware such as PrettyPark in 1999. In IRC-based systems, bots open persistent connections to IRC servers, join designated channels, and parse commands that the botmaster posts as chat messages, often gated by a bot password or scripted trigger. This gave low-latency, bidirectional communication suited to dynamic operations, as in botnets like Dorkbot, still active as late as 2015. However, IRC's dependence on a central server and its distinctive chat-pattern traffic made it vulnerable to server seizures and signature-based detection, and its prevalence declined by the mid-2000s. Hypertext Transfer Protocol (HTTP) supplanted IRC in many botnets because bot traffic can masquerade as ordinary web browsing. Bots periodically poll C&C servers with HTTP GET or POST requests to fetch encrypted command payloads from dynamic web pages or APIs, avoiding inbound connections that could alert intrusion detection systems. The Zeus banking trojan, identified in July 2007, exemplified this approach, using HTTP for command fetching alongside domain generation algorithms (DGAs) and fast-flux DNS to rotate C&C endpoints rapidly. Advantages include evasion of port-specific blocks and scalability to large botnets, though polling creates detectable behavioural anomalies, such as synchronized high-volume requests from many IPs, and centralized servers remain single points of failure once located.
Peer-to-peer (P2P) protocols mark the shift to decentralized C&C, in which bots form overlay networks using distributed hash tables (DHTs) or unstructured gossiping to propagate commands without fixed servers. Pioneered in Nugache around 2006 and refined in the Storm worm of 2007, P2P lets bots relay instructions to one another, achieving fault tolerance because no single node controls the network; infected hosts maintain peer lists that let the overlay self-heal. Gameover Zeus, a P2P variant of Zeus identified in September 2011, stole banking credentials across millions of hosts until its disruption in June 2014 through sinkholing and peer-list manipulation. The model's resilience stems from its resistance to centralized takedowns, but implementation complexity, higher bandwidth overhead from peer discovery, and distinctive P2P traffic signatures create detection risks. Domain Name System (DNS) protocols serve as a covert, low-bandwidth C&C alternative, particularly in restricted environments: bots issue queries to algorithmically generated domains and parse command data from DNS responses such as TXT records or encoded subdomains, as implemented in Feederbot. Fast-flux variants, common since the late 2000s, rapidly cycle the IP mappings of C&C hosts to evade blocklisting. This method's stealth comes from resembling essential DNS resolution traffic, which is difficult to block without disrupting legitimate services, but its limitations include low throughput for complex payloads and vulnerability to DNS sinkholing by registrars. Hybrid protocols, combining elements such as HTTP with P2P fallbacks or DNS as a backup channel, have emerged to balance reliability and evasion, as observed in botnets that adapted to enforcement operations after 2014.
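The polling anomaly noted above is the basis of beacon detection, which also covers the interval-based polling described under Infected Hosts and Command and Control Infrastructure. The Python below is an added example (not code from the page's sources): it reads constructed web-proxy log lines and flags source/destination pairs whose inter-request gaps are nearly constant, the signature of a bot checking in on a timer rather than a person browsing. The log format, the addresses and the thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log (illustrative, not from a real incident):
# "timestamp source destination method path status".
# 10.0.0.5 polls one host every five minutes; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:05:01 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:10:00 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:14:59 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:20:01 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:25:00 10.0.0.5 198.51.100.7 GET /news.php?id=7 200
2024-03-01T10:00:12 10.0.0.9 203.0.113.80 GET / 200
2024-03-01T10:00:40 10.0.0.9 203.0.113.80 GET /style.css 200
2024-03-01T10:07:03 10.0.0.9 203.0.113.80 GET /about 200
2024-03-01T10:31:55 10.0.0.9 203.0.113.80 GET /contact 200
2024-03-01T10:32:10 10.0.0.9 203.0.113.80 GET /img.png 200
2024-03-01T11:02:44 10.0.0.9 203.0.113.80 GET / 200
"""


def parse_log(text):
    """Yield (source, destination, timestamp) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[1], parts[2], datetime.fromisoformat(parts[0])


def find_beacons(text, min_requests=5, max_cv=0.2):
    """Group requests by (source, destination). A pair with enough requests
    whose gaps have a low coefficient of variation (std dev / mean) is
    flagged as periodic polling. Thresholds are assumed starting values."""
    times = defaultdict(list)
    for src, dst, ts in parse_log(text):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"requests": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['requests']} requests, "
              f"every {info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

Software updaters and monitoring agents also poll on a timer, so the output is a candidate list to be joined against known-good destinations, not an alert on its own; implants that add random jitter to their interval need a looser max_cv or a periodicity test over longer windows.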

Recruitment and Construction

Infection Mechanisms

Botnets primarily infect hosts through malware designed to compromise devices and establish persistence, often exploiting user behaviour, software flaws, or weak configurations. Initial infection vectors include social-engineering tactics such as phishing e-mails that deliver malware through malicious attachments or hyperlinks, leading users to execute the payload unwittingly. Drive-by downloads are another prevalent method: visiting a compromised website triggers automatic exploitation of browser or plug-in vulnerabilities and installs the bot without explicit user consent. Automated propagation further amplifies infection, particularly through vulnerability exploitation and network scanning. Malware may exploit unpatched software flaws to replicate in a worm-like manner, scanning for susceptible systems and injecting code to enlist new bots. Internet of Things (IoT) botnets such as Mirai, which emerged in 2016, systematically probe the Internet for devices with exposed Telnet or SSH ports and attempt brute-force logins using default credentials or common weak passwords to infect and commandeer them. This scanning often uses horizontal (random IP probing) or vertical (targeted port sweep) strategies to maximize reach while limiting detection. Evolving tactics blend approaches, such as embedding malware in legitimate software downloads or compromising supply chains to distribute infected updates, including pre-installed backdoors in consumer devices like SuperBox Android streaming boxes that embed botnet capabilities at the manufacturing or distribution stage to hijack Internet connections for residential proxy services, without the user's awareness and typically without theft of personal data. Historical examples such as the Storm botnet, active around 2007, relied heavily on e-mail campaigns with deceptive subject lines to propagate, showing how attackers adapt delivery to evade filters.
In resource-constrained environments such as IoT networks, infections frequently stem from factory-default settings and the absence of updates, enabling rapid horizontal spread across millions of devices. These mechanisms underscore the causal role of human oversight and systemic weaknesses in botnet growth; empirical data from takedown operations ties infection rates directly to unmitigated exposure.

Propagation Strategies

Botnets expand through diverse propagation strategies that exploit human behaviour, software weaknesses, and network discoverability to infect new hosts. These tactics typically combine an initial compromise vector with self-replicating mechanisms, allowing rapid scaling from a seed infection to thousands or millions of bots. Empirical analyses of botnet families reveal recurring patterns, such as phishing for endpoint delivery and automated scanning for opportunistic takeover, with propagation rates shaped by factors such as target density and patch compliance. Social engineering remains a cornerstone, particularly phishing campaigns that deliver malware through deceptive e-mails carrying attachments or links. Victims are tricked into executing payloads, such as trojanized documents or executables, which install the bot and establish command-and-control (C2) connections. The Zeus banking trojan, for example, spread mainly through such vectors and had compromised over 1 million machines by 2010 through e-mail-delivered exploits aimed at financial data. This approach trades on user trust in familiar senders, and its infection rate depends on click-through behaviour rather than technical defences. Vulnerability exploitation targets unpatched systems, using known or zero-day flaws to gain access without user interaction. Early IRC-based botnets such as SDBot and Agobot propagated by scanning for backdoors on ports such as TCP 2745 or exploiting Windows vulnerabilities including the DCOM RPC and LSASS buffer overflows, with over 4,000 SDBot variants documented by 2004. More recent variants use drive-by downloads from compromised websites or malvertising, where apparently benign ads redirect to exploit kits that probe for browser or plug-in weaknesses. These methods favour high-volume, low-effort scanning over targeted attacks, prioritizing any susceptible endpoint in enterprise or consumer networks.
Automated network scanning enables worm-like self-propagation, as exemplified by the Mirai IoT botnet, which from August 2016 scanned billions of IPv4 addresses daily for devices with open Telnet ports (TCP 23 and 2323). Bots brute-forced default credentials drawn from a built-in dictionary of more than 60 username/password pairs, such as "admin:admin", to infect routers, cameras, and DVRs, growing to a peak of over 600,000 bots and enabling DDoS attacks estimated at up to 1.2 Tbps. This strategy exploits the abundance of insecure embedded devices and spreads the scanning load across infected hosts to evade rate limiting, though it produces detectable traffic anomalies. Password guessing and propagation through shared media, including P2P file sharing of infected content, supplement these methods in hybrid models.
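As an added example covering both the Telnet scanning described here and the default-credential brute forcing described under Infection Mechanisms (written for this article, not Mirai's own code), the following Python runs two detections over constructed flow and Telnet login records: a horizontal-scan check (one source touching many destinations on the Telnet ports inside a sliding window) and a default-credential check that also reports which devices accepted a vendor default. The record formats, the addresses, the window and the short credential sample are assumptions; the root/admin pairs listed are of the kind Mirai's dictionary contained.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real traffic): "timestamp src dst dport".
# 192.0.2.10 sweeps twelve hosts on TCP/23 within seconds; 10.0.0.4 is an
# administrator reaching two devices. Addresses are RFC 5737 ranges.
FLOW_RECORDS = [
    f"2016-09-20T01:00:{i:02d} 192.0.2.10 198.51.100.{i + 1} 23" for i in range(12)
] + [
    "2016-09-20T01:00:30 192.0.2.10 198.51.100.30 80",
    "2016-09-20T01:00:05 10.0.0.4 10.0.0.20 23",
    "2016-09-20T01:03:00 10.0.0.4 10.0.0.21 22",
]

# Constructed Telnet login records: "timestamp src dst username password result".
AUTH_RECORDS = [
    "2016-09-20T01:00:01 192.0.2.10 198.51.100.1 root xc3511 FAIL",
    "2016-09-20T01:00:02 192.0.2.10 198.51.100.2 admin admin FAIL",
    "2016-09-20T01:00:03 192.0.2.10 198.51.100.3 root vizxv SUCCESS",
    "2016-09-20T01:00:06 10.0.0.4 10.0.0.20 operator Tq7!vb9#Lm SUCCESS",
]

# Small sample of vendor-default pairs carried by IoT brute-forcers
# (Mirai's list had more than sixty); extend it from the device inventory.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "root"), ("admin", "1234"),
}


def detect_horizontal_scans(flow_lines, ports=(23, 2323), min_targets=10,
                            window=timedelta(minutes=5)):
    """Return {src: peak number of distinct destinations on `ports` seen
    from that source within any `window`-long interval, if >= min_targets}."""
    by_src = defaultdict(list)
    for line in flow_lines:
        ts, src, dst, dport = line.split()
        if int(dport) in ports:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> events currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def detect_default_credential_attempts(auth_lines, defaults=DEFAULT_CREDENTIALS):
    """Return (attempts per source using a known default,
               {device: [(user, password), ...] that SUCCEEDED}).
    A success means that device still ships with a factory password."""
    attempts = defaultdict(int)
    accepted = defaultdict(list)
    for line in auth_lines:
        ts, src, dst, user, password, result = line.split()
        if (user, password) in defaults:
            attempts[src] += 1
            if result == "SUCCESS":
                accepted[dst].append((user, password))
    return dict(attempts), dict(accepted)


if __name__ == "__main__":
    print("scanners:", detect_horizontal_scans(FLOW_RECORDS))
    print("default-credential activity:", detect_default_credential_attempts(AUTH_RECORDS))
```

The second detector is as useful turned inward as outward: running the same credential list against one's own inventory finds the devices a Mirai-style scanner would take, before it does.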

Evasion Techniques During Buildup

During the buildup phase of a botnet, attackers prioritize stealth so that infection and propagation proceed without triggering antivirus signatures, intrusion detection systems, or behavioural analysis, allowing a large pool of bots to accumulate before activation. This involves code-obfuscation methods such as packing and encryption to disguise malicious payloads and evade the static, signature-based detection common in antivirus software. Techniques such as XOR encoding of embedded strings or control-flow flattening alter the binary structure of the malware, complicating reverse engineering and automated scanning at initial deployment. Polymorphic and metamorphic transformations further enhance evasion by generating a different code instance for each infection, so that no two samples match known hashes or patterns in threat-intelligence databases. Anti-analysis mechanisms, including debugger detection and checks for virtual machines or sandboxes, halt execution when analysis tools are present, preventing researchers or security software from unpacking the payload during propagation. Mirai, for example, XOR-obfuscated its configuration strings and included anti-debugging measures to obscure its scanning and infection routines against IoT devices, enabling rapid yet largely undetected spread in 2016. Propagation during buildup often uses low-volume, targeted scanning or worm-like spreading with built-in delays to mimic benign network activity and stay below anomaly-detection thresholds in firewalls or network monitors. Attackers may leverage exploit kits delivered via drive-by downloads or malvertising, bundled with droppers that unpack the payload only after confirming a non-analysis environment, minimizing forensic footprints. Persistence is ensured through rootkit-like hiding of processes and registry modifications after infection, allowing reinfection if an initial removal occurs, as seen in the modular botnets that pioneered such evasion in the mid-2000s.
Collectively these techniques delay detection; research indicates that obfuscated botnet malware can evade up to 90% of signature-based tools in its initial stages, although behavioural heuristics increasingly counter it. Dynamic adaptation, such as runtime code mutation, extends this window by adjusting to the defences observed during an ongoing campaign.
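XOR string obfuscation of the kind mentioned above is cheap to defeat once a sample is in hand, which is why it only buys time against signature scanning. The following is an added example (not code from Mirai or any other botnet): a NUL-separated string table is constructed, hidden with a single-byte XOR key, and then recovered by scoring all 256 candidate keys for English-like text, the way an analyst recovers such a table when unpacking a sample. The table contents and the key are assumptions.

```python
# Letter weights loosely following English letter frequency; the space
# character is weighted like 'e' because real strings contain spaces.
LETTER_WEIGHT = {c: w for c, w in zip("etaoinshrdlu", (13, 9, 8, 8, 7, 7, 6, 6, 6, 4, 4, 3))}


def byte_weight(b: int) -> float:
    """Score one decoded byte: common lowercase letters and spaces score high,
    other printable ASCII low, control bytes strongly negative. NUL and the
    usual whitespace controls are neutral because string tables use them."""
    if b == 0 or b in (9, 10, 13):
        return 0.0
    if b == 0x20:
        return 13.0
    if 0x61 <= b <= 0x7A:
        return LETTER_WEIGHT.get(chr(b), 1.0)
    if 0x41 <= b <= 0x5A:
        return 1.0
    if 0x21 <= b <= 0x7E:
        return 0.5
    return -50.0


def score_text(data: bytes) -> float:
    return sum(byte_weight(b) for b in data)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes) -> int:
    """Brute-force all 256 keys and return the one whose output looks most
    like text. The key space is tiny, which is the point of the example."""
    best_key, best_score = 0, float("-inf")
    for key in range(256):
        s = score_text(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key


def extract_strings(data: bytes, min_len: int = 4):
    """Split a decoded table on NUL and keep fully printable runs."""
    return [
        chunk.decode("ascii")
        for chunk in data.split(b"\x00")
        if len(chunk) >= min_len and all(0x20 <= b <= 0x7E for b in chunk)
    ]


def recover_table(blob: bytes):
    """Recover (key, strings) from an obfuscated NUL-separated string table."""
    key = recover_single_byte_xor(blob)
    return key, extract_strings(xor_bytes(blob, key))


# Constructed sample: the sort of table an IRC bot might embed, hidden with key 0x5A.
PLAINTEXT_TABLE = b"admin\x00root\x00/bin/sh\x00irc.example\x00JOIN #ops\x00"
OBFUSCATED_TABLE = xor_bytes(PLAINTEXT_TABLE, 0x5A)

if __name__ == "__main__":
    key, strings = recover_table(OBFUSCATED_TABLE)
    print(f"key=0x{key:02x} strings={strings}")
```

Multi-byte or rolling keys raise the cost only modestly (known-plaintext on a NUL run, or scoring per key position, recovers them), which is why strings hidden this way still end up as detection signatures once a single sample has been analysed.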

Primary Uses

Criminal Applications

Botnets are predominantly exploited by cybercriminals for distributed denial-of-service (DDoS) attacks, which overwhelm targets with traffic to extort payments or disrupt services. In October 2016 the Mirai botnet, comprising hundreds of thousands of compromised IoT devices, launched a DDoS attack on the DNS provider Dyn, estimated at up to 1.2 terabits per second, causing widespread Internet outages across the United States. The incident demonstrated botnets' capacity for commoditized attacks, as operators rented access through "booter" or "stresser" services advertised on underground forums. Such attacks often target financial institutions, gaming platforms, or business rivals, with perpetrators demanding ransoms to stop the flood. Another core criminal application is mass dissemination of spam and phishing campaigns, enabling fraud and malware propagation. The Necurs botnet, active since at least 2012 and operated by Russia-based criminals, infected millions of Windows machines to send billions of spam e-mails a day, facilitating scams, pump-and-dump stock schemes, and the distribution of banking trojans. Necurs' controllers leased segments of the botnet to affiliates for targeted phishing, harvesting credentials and financial data from victims. Phishing through botnets typically uses deceptive e-mails with malicious links or attachments that expand the network or steal sensitive information, evading detection because the sending bots span many unrelated IP addresses. Botnets also support financial theft through information-stealing malware and automated fraud schemes. Early examples such as the Storm botnet, which peaked at over 1 million bots in 2007, combined a P2P architecture with spam to deliver payloads for credential theft and ad fraud. Criminals deploy keyloggers and form grabbers through botnets to capture banking details and make unauthorized transactions; Zeus variants, for instance, powered global ATM-skimming and wire-fraud operations in the late 2000s. These applications generate revenue through direct theft or the sale of stolen data on underground markets, underscoring botnets' role as infrastructure for scalable cybercrime.
Additionally, botnets provide residential proxy networks by hijacking consumer devices, such as Android TV streaming boxes like SuperBox units with pre-installed backdoors, to route third-party Internet traffic through users' home networks without consent. These proxies support illicit activities including ad fraud, credential stuffing, and evasion of geographic restrictions or detection, leveraging residential IP addresses for anonymity while typically not stealing the user's personal data.

State-Sponsored Operations

State-sponsored botnet operations serve national interests by enabling distributed denial-of-service (DDoS) attacks, proxying intrusions to obscure attribution, prepositioning for disruptive attacks on critical infrastructure, and conducting espionage against foreign targets. These efforts exploit the scalability and deniability of botnets, often compromising consumer-grade devices such as routers to minimize direct links to the sponsoring state. Attribution relies on technical indicators, such as malware signatures, command-and-control (C2) infrastructure, and operational patterns analysed by cybersecurity agencies, though it remains difficult because tools are shared across actors and states deny involvement. Chinese state-sponsored groups, including those tracked as Volt Typhoon and Flax Typhoon, have built botnets from small office/home office (SOHO) routers and IoT devices to mask the origin of intrusions targeting sectors such as communications, energy, and water utilities. The activity began at least by mid-2021, with actors maintaining persistent access for potentially destructive payloads amid heightened US-China tensions. In December 2023, a US court-authorized operation neutralized a botnet of over 130,000 hijacked devices, mostly US-based, used to launder traffic for espionage. In September 2024, the FBI disrupted the Raptor Train botnet, comprising thousands of compromised devices worldwide, including US endpoints, operated by Chinese state-linked hackers since approximately 2020 for DDoS amplification, C2 proxying, and evasion of attribution. These botnets automated log collection and task execution to support broader campaigns against allied networks. Russian military intelligence (GRU) units have commandeered botnets for espionage and disruption.
In February 2024, the Justice Department dismantled a botnet of roughly 35,000 EdgeOS routers, initially infected by non-state actors through malware that exploited default credentials but repurposed by GRU Unit 26165 (APT28) operators for port scanning, credential harvesting, and arbitrary command execution against targets including government and defence entities. The operation highlighted states' opportunistic use of criminal botnets to scale attacks without building their own. Earlier, the 2007 DDoS campaign against Estonian government, banking, and media sites, triggered by the relocation of a Soviet-era war memorial, involved coordinated botnet floods peaking at 1-2 million infected hosts across 175 jurisdictions, with forensics pointing to Russian-language sources and state-orchestrated elements despite Moscow's denials. Iranian actors tied to the Islamic Revolutionary Guard Corps (IRGC) deployed botnets in a DDoS offensive from September 2012 to early 2013 against major US banks. Hackers from firms such as ITSEC Team compromised devices worldwide to generate traffic floods, causing repeated site outages and estimated damages exceeding $10 million per institution in lost productivity and mitigation costs. In March 2016, the US Justice Department indicted seven IRGC-affiliated individuals for deploying custom DDoS tools via botnets, a rare prosecutorial attribution of state-sponsored financial disruption. North Korean Reconnaissance General Bureau-linked actors, designated Hidden Cobra, operate dedicated DDoS botnets built on custom malware families to assault media, financial, and other targets, often in retaliation for sanctions or policy actions. A June 2017 US-CERT alert identified indicators including C2 servers in Asia hosting tools for bot herding and amplification, with campaigns traced to state-directed waves since at least 2011, such as attacks on South Korean banks. These botnets form part of a broader offensive cyber programme in which theft helps fund continuing operations.

Economic Dimensions

Underground Markets and Leasing

Botnet operators frequently lease access to their networks via underground marketplaces, enabling cybercriminals to conduct distributed denial-of-service (DDoS) attacks, spam campaigns, and other illicit activities without building their own infrastructure. These markets operate primarily on the , where botmasters advertise services through forums and dedicated platforms, often using for anonymous transactions. Leasing models typically charge by duration, botnet size, or attack potency, with short-term rentals appealing to low-skill actors seeking quick disruptions.

DDoS-for-hire services, powered by botnets, dominate these markets, with "booter" or "stresser" platforms providing on-demand access to compromised devices. For instance, as of 2021, such services offered attacks capable of overwhelming targets for as little as $5 per hour, scaling to hundreds of dollars for sustained or high-volume operations. More recent offerings in included botnet rentals starting at £78 (approximately $100 USD), suitable for mining, distribution, or targeted takedowns. Platforms like those leveraging the Rebirth botnet, identified in March , exemplify this commoditization, allowing renters to launch volumetric floods via infected IoT devices. Specific venues, such as Russian Market, facilitate botnet sales and leasing, with an average of 30,000 bots listed monthly in the first half of , often bundled with control panels for remote management. These markets lower , as lessees avoid the risks of botnet construction, though operators retain control to prevent abuse that could attract scrutiny. Pricing reflects supply dynamics, with virtual or emulated bots occasionally undercutting physical ones, though real-device networks command premiums for reliability in high-stakes attacks.

Law enforcement disruptions, such as the U.S. Department of Justice's 2022 seizure of 48 booter sites, highlight the markets' resilience, as new services rapidly emerge to replace shuttered ones. Despite this, underground leasing persists due to the economic incentives: botnets generate revenue streams far exceeding construction costs, with operators profiting from volume over exclusivity. Cybersecurity analyses from firms like note that such commodified access has democratized cyber threats, shifting focus from elite hackers to opportunistic renters.

Monetization Models and Revenue Streams

Botnet operators primarily generate revenue by leasing access to their networks on underground markets or conducting illicit operations directly, such as distributed denial-of-service (DDoS) attacks, spam distribution, and . Leasing models often involve renting subsets of bots for specific tasks, with prices varying by botnet size, duration, and service type; for instance, DDoS-for-hire services can charge $5 to $7 per hour or $20 to $150 per attack, while full botnet rentals range from $30 to $4,800 monthly. These transactions occur on forums, where operators advertise capabilities like bot count and attack potency to attract clients seeking anonymous disruption services.

DDoS-for-hire represents a core revenue stream, enabling low-barrier entry for attackers; operators profit by scaling attacks from rented bot armies, with a 30,000-bot network potentially yielding $26,000 monthly from such rentals. Spam and phishing campaigns form another pillar, leveraging bots for mass email distribution; a 10,000-bot setup can produce approximately $300,000 monthly through affiliate advertising or scam promotions. Financial fraud, including credential theft and bank account takeovers, offers high returns, with 30,000 bots enabling over $18 million monthly via stolen data exploitation or automated transfers.

Emerging models include mining and traffic relaying, where infected devices perform computational tasks; for example, the Gayfemboy botnet, evolving from Mirai variants, mines while opening backdoors for further monetization, targeting IoT devices as of 2025. sustains ongoing income by simulating ad interactions, potentially profiting over $20 million monthly from large-scale operations. While initial botnet construction incurs costs—estimated at $16 million for a 10 million-device network including development and infection—monthly maintenance remains low relative to revenues, often under $0.10 per device for re-infections, allowing operators to achieve substantial net gains despite takedown risks.

Countermeasures

Detection and Analysis Methods

Detection of botnets typically involves monitoring for indicators of at the network, host, and behavioral levels, with methods categorized into signature-based, anomaly-based, and hybrid approaches. Signature-based detection relies on predefined patterns of known botnet or command-and-control (C&C) protocols, such as matching IRC commands or specific HTTP payloads associated with historical botnets like or , though this method struggles against polymorphic variants that alter code signatures to evade detection. Anomaly-based techniques, conversely, establish baselines of normal traffic or system behavior and flag deviations, such as irregular outbound connections from infected endpoints or synchronized low-volume queries to domains used by fast-flux C&C servers.

Network traffic analysis forms a cornerstone of botnet detection, examining packet flows for characteristics like high entropy in domain generation algorithms (DGAs) employed by botnets such as , which generated over 50,000 pseudorandom domains daily in 2008 to obfuscate C&C resolution. Tools like Zeek (formerly Bro) or capture and dissect flows, identifying anomalies such as periodic beaconing—short, frequent connections from bots to herders—or unusual port scanning patterns indicative of phases. Peer-reviewed studies emphasize flow interval analysis, where classifies inter-packet timings; for instance, botnet traffic often exhibits tighter distributions compared to benign P2P file sharing due to centralized C&C orchestration. DNS-based methods, including sinkholing, redirect registered malicious domains to researcher-controlled servers, enabling enumeration of infected hosts; this technique disrupted the botnet in 2014, revealing over 1 million infections globally before court-ordered takedown.

Host-level detection deploys endpoint detection and response (EDR) agents to monitor process trees, registry changes, and calls for signs of botnet loaders, such as persistent modules injecting into on Windows systems. Behavioral heuristics detect sandbox evasion attempts or resource exhaustion from cryptomining payloads in modern botnets like Mirai variants, which infected over 600,000 IoT devices by exploiting weak credentials in 2016. enhances these efforts through supervised models trained on labeled datasets from malware zoos, achieving detection rates above 95% for known families via features like n-gram analysis of payloads, though unsupervised methods like autoencoders better handle zero-day threats by clustering outliers in high-dimensional traffic spaces. Hybrid approaches combine these, as in of logs to trace infection chains, correlating endpoint anomalies with upstream network flows for causal attribution.

Analysis of suspected botnets requires forensic techniques to dissect C&C infrastructure and artifacts. Static analysis examines binaries without execution, using tools like IDA Pro to reverse-engineer droppers and extract strings revealing hardcoded IPs or keys, as applied to the botnet's modular payloads in 2021 takedowns. Dynamic analysis sandboxes samples in controlled environments, observing runtime behaviors such as peer discovery in P2P botnets like ZeroAccess, which used protocols to maintain resilience against single-point failures. Graph-based analysis models botnet topologies by constructing communication graphs from data, identifying centralities that distinguish hierarchical C2 from decentralized structures; for example, highlights herder nodes in traffic datasets from captured botnets. Honeypots and darknets simulate vulnerable systems to lure infections, providing real-time samples for analysis; the Honeynet Project's deployments have yielded insights into over 100 botnet families since 2003, though results must account for potential researcher-induced biases in attracting only certain threat actors.

Challenges in detection persist due to evasion tactics like and domain flux, necessitating ongoing adaptation; explainable AI models, such as SHAP-integrated random forests, improve transparency by attributing decisions to specific features like packet size variance, aiding validation in operational settings. Empirical evaluations on datasets like CTU-13, comprising labeled botnet traces from 2011 captures, report F1-scores exceeding 0.90 for ensemble classifiers, underscoring the efficacy of multi-method fusion over singular reliance on traffic volume thresholds, which yield high false positives in diverse enterprise networks.
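Two of the network-level heuristics described above, DGA-style domain entropy and beaconing detected through flow interval analysis, worked through on a constructed DNS query log. This is an added illustration, not code from the article or from any tool it names; the log lines, host addresses, domain names and thresholds are all made up for the example, and combining both signals before flagging a host is the false-positive control the text recommends.

```python
"""Toy botnet indicator analysis over a constructed DNS query log.

Heuristic 1: long, high-entropy registrable labels that look like DGA output.
Heuristic 2: near-constant gaps between a host's queries ("beaconing").
All data and thresholds below are constructed for illustration only.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log: (unix_time_seconds, source_ip, queried_name).
# 10.0.0.5 queries random-looking names every ~60 s; 10.0.0.7 browses normally.
DNS_LOG = [
    (1700000000, "10.0.0.5", "xk3q9vwz2lpm8rtq.com"),
    (1700000060, "10.0.0.5", "b7m2xqzp4wkd9vtl.net"),
    (1700000121, "10.0.0.5", "qz8wvk3mp2ln7xrt.org"),
    (1700000180, "10.0.0.5", "p4lkv9xqmw2zr8tb.com"),
    (1700000241, "10.0.0.5", "w2rtq8kzpv3mxl9n.net"),
    (1700000005, "10.0.0.7", "www.example.com"),
    (1700000012, "10.0.0.7", "mail.example.org"),
    (1700000095, "10.0.0.7", "cdn.example.net"),
    (1700000101, "10.0.0.7", "www.example.com"),
    (1700000330, "10.0.0.7", "docs.example.org"),
]


def shannon_entropy(text):
    """Bits of entropy per character of the string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Label directly left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(name, min_len=12, entropy_threshold=3.5):
    """Long, high-entropy registrable label. CDN and cloud hostnames trip this
    too, so treat a hit as a lead to corroborate, not a verdict."""
    label = second_level_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= entropy_threshold


def interval_cv(timestamps):
    """Coefficient of variation of inter-query gaps: near 0 means metronomic
    beaconing, large values mean human-like irregularity. None if too few."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def analyse_dns_log(log, beacon_cv_threshold=0.2):
    """Per-host summary; a host is 'suspect' only when both signals agree."""
    by_host = defaultdict(list)
    for ts, host, name in log:
        by_host[host].append((ts, name))
    report = {}
    for host, entries in by_host.items():
        dga_names = sorted({n for _, n in entries if is_dga_like(n)})
        cv = interval_cv([t for t, _ in entries])
        beaconing = cv is not None and cv < beacon_cv_threshold
        report[host] = {
            "dga_domains": dga_names,
            "interval_cv": cv,
            "beaconing": beaconing,
            "suspect": beaconing and bool(dga_names),
        }
    return report


if __name__ == "__main__":
    for host, summary in analyse_dns_log(DNS_LOG).items():
        print(host, summary)
```

On real traffic the interval statistic should be computed per destination rather than per host, since a single endpoint mixes many benign flows with the beacon.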

Disruption and Takedown Strategies

Disruption strategies for botnets primarily target the command-and-control (C&C) infrastructure that coordinates infected devices, as severing this link renders the network inoperable without needing to remediate every individual bot. Common approaches include sinkholing, where malicious Domain Name System (DNS) queries are redirected to controlled servers operated by authorities or researchers, preventing bots from receiving updates or commands from operators. This technique manipulates network traffic by registering domains used by the botnet or exploiting DNS vulnerabilities, allowing defenders to monitor infections, gather on botnet size, and block further . Sinkholing has proven effective against centralized botnets but is less reliable against decentralized peer-to-peer (P2P) variants, which lack single points of failure.

Law enforcement takedowns often combine sinkholing with server seizures, domain registrations, and arrests, requiring international coordination due to botnets' global distribution. For instance, in Operation Endgame launched in May 2024, Europol and partners from multiple countries disrupted infrastructure for malware families including IcedID, SystemBC, and Bumblebee, seizing over 300 servers and arresting five suspects across Europe and the Americas. Similarly, the Gameover Zeus botnet, a P2P network responsible for stealing tens of millions of dollars via banking fraud, was disrupted in June 2014 through a U.S.-led multinational operation involving the FBI, Microsoft, and agencies from over 30 countries; efforts included sinkholing domains, issuing remediation software to victims, and indicting key operator Evgeniy Bogachev. The botnet takedown in January 2021 exemplified coordinated disruption, with , the FBI, and authorities from eight countries seizing C&C servers and sinkholing domains, halting a network that had infected over 1.6 million computers and facilitated hundreds of millions in damages through and distribution.

However, resilience is a challenge, as that botnet reemerged in November 2021 under new operators, underscoring that takedowns often provide temporary relief unless paired with ongoing victim remediation and monitoring. Recent cases, such as the FBI's June 2024 dismantling of the 911 S5 botnet—which comprised 19 million devices used for and —relied on seizing U.S.-based and international asset forfeitures, generating over $100 million in illicit revenue for operators. Court-authorized operations, like the September 2024 disruption of the Flax Typhoon botnet linked to Chinese state actors, further demonstrate sinkholing's role in neutralizing threats targeting without direct device access. Challenges in these strategies include jurisdictional hurdles, encrypted or fast-flux C&C evasion, and the risk of incomplete disruptions allowing rapid rebuilding, as seen in resilient families like Mirai variants. Success metrics emphasize not just immediate downtime but long-term intelligence gains, with agencies prioritizing high-impact botnets tied to or state espionage over low-level threats.

International Law Enforcement Efforts

International law enforcement agencies have conducted numerous coordinated operations to dismantle botnet infrastructures, often involving seizure of command-and-control servers, domain disruptions, and arrests across multiple jurisdictions. These efforts typically rely on partnerships between national bodies like the U.S. Federal Bureau of Investigation (FBI), , , and , facilitated by shared intelligence and legal mutual assistance treaties. One landmark operation was the 2016 takedown of the Avalanche network, a botnet platform used for distributing and facilitating , which involved over 40 countries and resulted in the seizure of more than 39 servers, 2,000 domains, and 5,000 IP addresses, alongside four arrests. In 2021, the botnet—one of the most prolific distributors—was disrupted through a multinational effort led by Dutch, German, U.S., and other authorities, who replaced malicious servers with benign ones to redirect infected devices and gather intelligence, affecting millions of compromised hosts worldwide.

More recent initiatives include Operation Endgame in May 2024, coordinated by with participation from 18 countries including the U.S., which targeted dropper malware families such as IcedID, SystemBC, Pikabot, Smokeloader, and ; this led to the takedown of over 100 servers, neutralization of 2,000 domains, and four arrests, significantly disrupting initial access brokers in cybercrime ecosystems. A follow-up phase, Operation Endgame 2.0 in 2025, extended efforts against strains like Qakbot, DanaBot, and , seizing additional infrastructure and issuing warrants for 20 suspects. In August 2023, the FBI-led disruption of the Qakbot botnet involved U.S., French, German, Dutch, and British authorities, seizing 52 servers, over 700 domains, and millions in , which had infected over 700,000 devices and enabled attacks.

These operations often incorporate private sector collaboration, as seen in the 2013 ZeroAccess botnet takedown by , the FBI, , and financial institutions, which severed the botnet's communication affecting up to 1.9 million machines used for and mining. State-sponsored botnets have also faced international scrutiny, such as the 2024 U.S.-led disruption of the 911 S5 botnet, operated by a Chinese national and comprising over 19 million devices for proxy services and cyber espionage, resulting in the administrator's in . Despite successes, challenges persist due to jurisdictional hurdles and botnet resilience, with agencies emphasizing proactive sinkholing and to prevent rapid reconstitution.

Controversies and Challenges

Disruptions of botnets, particularly those involving remote access to infected devices or seizure of command-and-control (C&C) infrastructure, raise significant legal questions under domestic laws such as the U.S. Fourth Amendment, which prohibits unreasonable searches and seizures. Government-led operations often rely on court-authorized warrants under , amended in 2016 to permit remote searches of computers located outside judicial districts, enabling actions like the FBI's disruption of the Qakbot botnet in 2023, which neutralized over 700,000 infected devices through sinkholing and neutralization. However, executing commands on botnet nodes—such as deploying counter-—may constitute a "search" if data is acquired by authorities, potentially requiring to avoid constitutional violations, as analyzed in legal scholarship examining botnet takedowns.

Civil actions by private entities, exemplified by Microsoft's Digital Crimes Unit, have pursued botnet disruptions through lawsuits seeking injunctions to seize domains and redirect traffic, as in the 2012 Zeus botnet takedown under Operation b71, which avoided criminal thresholds but built precedent for non-governmental interventions. These approaches sidestep some criminal warrant requirements but face challenges in proving standing and avoiding unauthorized hacking under laws like the Computer Fraud and Abuse Act (CFAA), which criminalizes unauthorized access even for defensive purposes. Internationally, disruptions encounter jurisdictional hurdles, as C&C servers often span multiple countries, complicating mutual legal assistance and leading to reliance on voluntary cooperation or alliances, as seen in the 2024 takedown of a PRC-linked botnet involving over 200,000 devices across 30 jurisdictions.

Ethically, botnet disruptions risk to unwitting victims whose devices host bots, as aggressive tactics like remote can cause system instability or without user consent, prioritizing over individual autonomy. For instance, sinkholing C&C traffic may prevent attacks but leaves infected machines vulnerable to alternative controllers, potentially prolonging harm to owners unaware of infections, while ethical frameworks emphasize minimizing such through targeted remediation notifications. Vigilante efforts, such as private "white hat" botnets that preemptively infect vulnerable IoT devices to block malicious hijacking, amplify these concerns by operating outside legal oversight, often violating anti-hacking statutes and risking escalation of cyber conflicts without accountability. Critics argue that over-reliance on disruptive operations, rather than upstream prevention, raises proportionality issues, as short-term takedowns frequently fail to eradicate resilient botnets, leading to rapid resurgence and inefficient , as evidenced by repeated iterations of families like Mirai despite multiple interventions. Under data regimes like GDPR, disruptions must balance threat mitigation against rights, prohibiting disproportionate on infected endpoints without explicit safeguards. These tensions underscore the need for codified ethical guidelines in public-private partnerships, ensuring disruptions align with principles of necessity and minimal intrusion.

Attribution and Geopolitical Tensions

Attributing botnet operations to specific state actors remains technically challenging due to techniques such as command-and-control , the leasing of criminal botnets as proxies, and deliberate false-flag indicators designed to mislead investigators. State actors often exploit existing infrastructures or non-state cybercriminals to maintain , complicating forensic analysis that relies on indicators like IP addresses, code similarities, or operational patterns. These difficulties are exacerbated by jurisdictional barriers and the dual-use nature of botnets, which serve both criminal profit and state objectives like or disruption.

Prominent examples include Chinese state-sponsored groups like Volt Typhoon, which US authorities attributed to the People's Republic of China (PRC) for building a botnet of over 200,000 compromised small office/home office (SOHO) routers using to mask intrusions into sectors such as communications, energy, and water utilities. The FBI and partners disrupted this network on January 30, 2024, via a court-authorized operation that neutralized the without altering router configurations. Similarly, Flax Typhoon, another PRC-linked actor, operated a botnet of nearly 200,000 consumer devices for and potential disruption, which the US disrupted in September 2024; the group minimized signatures to evade detection. PRC officials have denied these attributions, claiming they stem from unsubstantiated US accusations amid broader bilateral frictions.

Russian-linked operations have involved botnets for distributed denial-of-service (DDoS) attacks during geopolitical conflicts, such as the assault on Georgian websites, where a botnet of approximately 300,000 infected machines overwhelmed targets; attribution pointed to Kremlin-tolerated hacktivist groups rather than direct military control. Iranian actors, including those tied to the , have deployed botnets for retaliatory DDoS campaigns, exemplified by attacks on financial institutions from to 2013 using the McColo-facilitated botnet infrastructure. North Korean groups like Lazarus have incorporated botnet elements into financial cyber operations, though attributions focus more on bespoke than large-scale botnets.

These attributions fuel geopolitical tensions by prompting escalatory responses, including sanctions on implicated entities and indictments of foreign operatives, as seen in charges against PRC nationals for Volt Typhoon activities. Public disclosures by agencies like CISA and the FBI aim to deter future operations but invite counter-narratives from accused states, which often accuse Western intelligence of fabricating to justify offensive cyber postures. Such disputes underscore the role of cyber attribution as a diplomatic instrument, where technical intersects with strategic signaling, yet persistent denials and proxy use limit under international norms.

Persistent Vulnerabilities and Future Risks

Botnets persist due to entrenched vulnerabilities in Internet-connected devices, including unpatched software flaws and default or weak credentials that enable straightforward compromise. IoT equipment, often deployed with minimal security hardening, remains a prime vector, as malware scanners exploit these weaknesses to assemble networks of millions of bots for sustained operations. Even after high-profile takedowns, such as those of Mirai infrastructure, variants rapidly reemerge by targeting similar entry points, demonstrating the difficulty in eradicating root causes like inadequate device updates.

Recent examples highlight this durability: in January 2025, Akamai identified Aquabotv3, a Mirai-based variant exploiting CVE-2024-41710—a command injection flaw in SIP phones—alongside older vulnerabilities like CVE-2018-17532, to download payloads via shell scripts and execute DDoS attacks. The malware's "report_kill" mechanism notifies command-and-control (C2) servers of disruption signals, allowing operators to refine tactics and prolong botnet lifespan. These adaptations exploit the slow patching cycles in enterprise and hardware, where vendors prioritize functionality over .

Looking ahead, botnets face amplified risks from architectural evolution, including peer-to-peer (P2P) topologies that eliminate single points of failure and domain generation algorithms (DGAs) for dynamic C2 evasion. Integration of enables real-time adaptation, such as feature perturbation to bypass detection models, while expanding to cloud environments increases scale and impact on . The unchecked growth of IoT deployments—projected to exceed 75 billion devices by 2030—compounds these threats, as resource-constrained endpoints resist comprehensive monitoring and synthetic attack data strains defensive AI training. Without systemic shifts toward secure-by-design principles, botnets will likely sustain high-volume DDoS campaigns, , and distribution, outpacing fragmented global mitigation efforts.
