A botnet is one of the most versatile and dangerous tools in the cybercriminal arsenal. A network of thousands, and sometimes millions, of infected devices operating under a single command can paralyze critical infrastructure, steal millions of data records, and generate enormous financial losses. In this article, we explain in detail what a botnet is, how it is created, what threats it poses to organizations, and how to effectively protect yourself against it.
What Is a Botnet? Definition and Etymology
A botnet is a network of infected computing devices — called bots or zombies — remotely controlled by a cybercriminal known as a botmaster. The name comes from the combination of the English words “robot” and “network.” Each device incorporated into a botnet operates without the knowledge and consent of its owner, executing commands sent through the command and control (Command & Control, C&C) infrastructure.
The concept of a botnet appeared in the cybersecurity context at the beginning of the 21st century, although the first bot networks — still in the form of legitimate automated programs on IRC channels — had been functioning since the 1990s. Today, botnets encompass not only personal computers and servers, but also home routers, IP cameras, smart TVs, industrial devices, and virtually any equipment connected to the internet.
The scale of the problem is enormous. According to data from Spamhaus, in 2024 alone over 700 new botnet C&C servers were identified. Meanwhile, Nokia’s Threat Intelligence report from 2025 indicates that the number of IoT devices infected with malware increased by 400% compared to 2020.
How Does a Botnet Work? The Zombie Network Lifecycle
The operation of a botnet can be described as an organized cycle consisting of several key phases. Understanding this cycle is fundamental to effective defense.
Phase 1: Infection and Recruitment
The botmaster must first build their army. To do this, they use various attack vectors:
- Phishing — infected attachments or links in email messages that, when clicked, install a bot agent on the victim’s device.
- Exploits — automatic internet scanning in search of devices with unpatched security vulnerabilities. Bots like Mirai actively scanned IP ranges, testing default login credentials.
- Drive-by download — visiting an infected website is enough for malware to download and install itself in the background.
- Removable media — USB drives with autorun, distributed or planted in physical locations.
- Other malware — trojans or droppers that, after infection, download additional botnet components.
After successful infection, the malware embeds itself in the system, often modifying registry entries or creating system services that ensure automatic startup after a reboot (persistence mechanisms).
Phase 2: Communication with the C&C Server
The infected device establishes a connection with the botmaster’s C&C infrastructure. This is a critical moment — without communication with the command center, the bot is useless. Methods of establishing contact include:
- Direct connection — the bot connects to a hardcoded IP address or domain of the C&C server.
- Domain Generation Algorithm (DGA) — the bot algorithmically generates hundreds or thousands of potential domain names daily. The botmaster registers only a few of them, making blocking more difficult.
- Fast-flux DNS — rapid rotation of IP addresses assigned to the C&C domain, making it harder to identify and shut down the server.
- Communication through social media — some botnets use platforms such as Twitter, Telegram, or Pastebin to transmit encrypted commands.
Phase 3: Waiting and Maintenance
The bot remains in a dormant state, periodically polling the C&C server for new commands. During this time, the malware may update itself, download additional modules, or adjust evasion techniques. The botmaster ensures that bots do not generate suspicious activity during idle periods — resource consumption is minimal, and network traffic is disguised as legitimate.
Phase 4: Attack
On the botmaster’s command, the entire network (or a selected portion) simultaneously executes a designated task. The strength of a botnet lies in its scale — a single device has limited capabilities, but thousands or millions acting simultaneously can paralyze even well-protected infrastructure.
Botnet Architecture: Centralized, P2P, and Hybrid
The way communication is organized within a botnet determines its resilience against neutralization attempts. There are three main architectural models.
Centralized Model (Client-Server)
This is the oldest and simplest model. All bots communicate with one or several central C&C servers. The botmaster issues commands from this server, and the bots execute them.
Advantages for the attacker: simplicity of management, low latency in issuing commands, easy implementation.
Weaknesses: the C&C server constitutes a single point of failure. If law enforcement or security researchers identify and shut down the server, the entire botnet loses operational capability.
Historical botnets such as Zeus or early versions of Conficker were based on this model.
Decentralized Model (Peer-to-Peer)
In P2P architecture, there is no central server. Each bot is simultaneously a client and a server — commands propagate through the network from one bot to another, like gossip. The botmaster introduces a command to any node, from where it spreads to the rest of the network.
Advantages for the attacker: no single point of failure, significantly harder to shut down, resistance to infrastructure takedown.
Weaknesses: higher latency in command propagation, more complex implementation, generates characteristic P2P network traffic that can be detected by NDR systems.
GameOver Zeus and ZeroAccess are examples of botnets using P2P architecture.
Hybrid Model
Modern botnets combine elements of both approaches. They may use a hierarchical structure with multiple proxy layers, where bots in higher layers serve as intermediaries (relay nodes) between the botmaster and the executing bots. If an intermediary node is shut down, the remaining ones automatically reconfigure communication paths.
Emotet is an excellent example of a hybrid botnet — it used a multi-layered architecture with dynamically changed C&C servers, which for years made its full neutralization impossible.
Typical Uses of Botnets
Botnets are multifunctional tools. A botmaster can use their zombie network for many purposes, often simultaneously.
DDoS Attacks (Distributed Denial of Service)
The most common use of botnets. Thousands of infected devices simultaneously send massive amounts of traffic to the target, overwhelming its servers and network infrastructure. A DDoS attack from a botnet of 100,000 bots can generate traffic on the order of hundreds of gigabits per second.
In October 2016, the Mirai botnet carried out an attack on the company Dyn (a DNS provider), generating traffic at an intensity of 1.2 Tbps. The result was several hours of unavailability of services such as Twitter, Reddit, Netflix, and Spotify across the United States and Europe.
Spam and Phishing Distribution
Botnets are responsible for a huge portion of global spam. Using thousands of different IP addresses makes filtering difficult — each bot sends a small number of messages, which does not arouse the suspicion of email providers. According to Symantec/Broadcom estimates, botnets were responsible for over 80% of global spam volume during the peak activity of botnets such as Rustock and Cutwail.
Credential Stuffing and Brute-Force
A botnet can simultaneously test stolen login-password combinations (from database leaks) across hundreds of internet services. By distributing attempts across thousands of IP addresses, the attacker bypasses typical rate limiting mechanisms.
Cryptojacking
The botmaster uses the computing power of infected devices to mine cryptocurrencies — most commonly Monero (XMR), due to its CPU-friendly algorithm. For the device owner, this manifests as decreased performance and increased energy consumption. The Smominru botnet infected over 500,000 machines and generated cryptocurrency worth millions of dollars.
Data Theft
Specialized botnets, such as Zeus and TrickBot, install keyloggers, intercept browser forms (form grabbing), and steal login credentials for online banking, corporate portals, and social media accounts.
Ransomware Distribution
Emotet, one of the most dangerous botnets in history, functioned as a distribution platform for ransomware. After infecting a device, the botnet delivered payloads such as Ryuk and Conti, which encrypted the victim’s data and demanded ransom.
IoT and Botnets — A New Era of Threats
The growth of the Internet of Things (IoT) has radically changed the botnet threat landscape. Billions of devices connected to the network — IP cameras, routers, smart TVs, thermostats, and even smart light bulbs — represent an enormous attack surface.
Why Are IoT Devices So Vulnerable?
- Default login credentials — many manufacturers deliver devices with factory passwords (admin/admin, root/1234) that users never change.
- Lack of updates — many IoT devices do not receive regular security patches, and some do not offer a firmware update mechanism at all.
- Limited resources — IoT devices often lack sufficient computing power or memory to run security software.
- Lack of monitoring — unlike computers and servers, IoT devices are rarely covered by security monitoring.
- Long lifespan — cameras and routers operate for years without intervention, meaning that once infected, a device can remain part of a botnet for years.
Mirai — The Botnet That Changed Everything
Mirai, whose source code leaked online in September 2016, infected over 600,000 IoT devices by scanning the internet for devices with an open Telnet port and testing a list of 62 default login-password combinations. After the code leak, dozens of Mirai variants emerged, many of which are still active today.
ENISA’s 2025 report estimates that over 30% of all DDoS attacks in the EU originate from botnets based on Mirai variants. Alarmingly, new variants can infect not only cameras and routers, but also medical devices, SCADA systems, and industrial infrastructure.
Famous Botnets in History
Learning about the most famous botnets helps understand the evolution of this threat and prepare for modern variants.
Conficker (2008)
One of the largest botnets in history, which at its peak infected between 9 and 15 million Windows computers. It spread through the MS08-067 vulnerability in the Windows Server service. Despite global efforts (including the establishment of the Conficker Working Group), the botnet was never fully eliminated, and infected machines were detected years after the peak of its activity.
Zeus / GameOver Zeus (2007-2014)
Zeus is a specialized banking trojan that evolved into a full-fledged botnet. It is estimated that various versions of Zeus are responsible for thefts totaling over 100 million dollars. GameOver Zeus (GOZ) — a P2P version without a central C&C server — was dismantled in 2014 as part of the international Operation Tovar, led by the FBI, Europol, and cybersecurity companies.
Emotet (2014-2021, Resurgence in 2022)
Emotet started as a banking trojan but transformed into the most dangerous malware distribution platform in the world. Europol called it “the most dangerous malware in the world.” In January 2021, an international law enforcement operation from 8 countries seized Emotet’s infrastructure, but the botnet re-emerged in November 2021. Emotet used advanced techniques — polymorphic code, Office document macros, thread hijacking (impersonating existing email threads).
TrickBot (2016-2022)
The successor to the Dyre trojan, TrickBot became one of the most popular cybercriminal tools. In addition to banking data theft, it offered modules for network reconnaissance, lateral movement, and ransomware delivery (Ryuk, Conti). In 2020, Microsoft and partners attempted to neutralize TrickBot before the US presidential election, but the botnet quickly rebuilt its infrastructure.
Mirai (2016-Present)
As mentioned earlier, Mirai revolutionized IoT botnets. Its leaked source code has led to new variants appearing to this day. In 2025, Mirai variants were responsible for some of the largest DDoS attacks, reaching intensities above 3 Tbps.
How to Detect a Botnet in an Organization?
Detecting botnet activity in a corporate network requires a combination of technical tools and analytical processes. Here are the key methods.
Network Traffic Analysis (NDR)
Network Detection and Response systems analyze network traffic patterns looking for anomalies characteristic of botnet communication:
- Periodic beaconing — regular connections to the same external addresses at fixed intervals.
- Communication with new or unknown domains generated by DGA.
- Network traffic to known C&C addresses (threat intelligence feeds).
- Unusual DNS traffic — a high number of queries to non-existent domains (NXDOMAIN), which is characteristic of DGA algorithms.
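The periodic beaconing described in the first bullet can be scored from ordinary connection logs. The following is an added example (not code from the original article or from nFlo) that groups connections by source and destination, measures the regularity of the intervals between them, and flags flows whose timing is too regular to be human-driven; the log format and the sample lines are constructed for illustration.

```python
"""Beaconing detector over constructed connection-log lines (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "<ISO timestamp> <src ip> <dst>".
# 10.0.0.15 talks to 198.51.100.7 every ~5 minutes with slight jitter (beacon-like);
# 10.0.0.22 talks to a CDN host at irregular, user-driven intervals.
SAMPLE_LOG = """
2025-01-10T03:00:00 10.0.0.15 198.51.100.7
2025-01-10T03:05:01 10.0.0.15 198.51.100.7
2025-01-10T03:10:00 10.0.0.15 198.51.100.7
2025-01-10T03:14:59 10.0.0.15 198.51.100.7
2025-01-10T03:20:00 10.0.0.15 198.51.100.7
2025-01-10T03:25:02 10.0.0.15 198.51.100.7
2025-01-10T03:00:10 10.0.0.22 cdn.example.org
2025-01-10T03:00:12 10.0.0.22 cdn.example.org
2025-01-10T03:07:40 10.0.0.22 cdn.example.org
2025-01-10T03:31:05 10.0.0.22 cdn.example.org
2025-01-10T03:31:09 10.0.0.22 cdn.example.org
2025-01-10T04:12:00 10.0.0.22 cdn.example.org
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean interval in seconds, coefficient of variation) for one flow.

    A low coefficient of variation means the gaps between connections are nearly
    constant, which is the signature of a bot polling its C&C on a timer.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag flows with enough connections and near-constant spacing."""
    alerts = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            alerts.append((src, dst, round(score[0]), round(score[1], 3)))
    return alerts


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (cv={cv})")
```

Real bots add jitter on purpose, so the thresholds must be tuned against the organization's own baseline rather than copied from this example.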
SIEM and Event Correlation
SIEM (Security Information and Event Management) systems correlate logs from multiple sources — firewalls, IDS/IPS systems, DNS servers, endpoints — enabling the detection of subtle patterns of botnet activity that would be unnoticeable when analyzing individual data sources.
DNS Analytics
Analysis of DNS queries is one of the most effective methods for detecting botnets. Monitoring includes:
- Queries to domains with suspicious structures (random character strings, newly registered domains).
- Anomalous numbers of DNS queries from a single host.
- Connections to domains listed on IOC (Indicators of Compromise) lists.
- DNS-over-HTTPS (DoH) queries, which can be used to hide C&C communication.
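Two of the signals above, a high NXDOMAIN rate per host and query names that look like random character strings, can be combined into one check over resolver logs. The following is an added example (not code from the original article or from nFlo) that computes the NXDOMAIN ratio and the Shannon entropy of the registrable label for each client and flags clients that exceed both thresholds; the log format and the sample lines are constructed.

```python
"""DGA / NXDOMAIN detector over constructed DNS resolver log lines (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log: "<client ip> <query name> <rcode>".
# 10.0.0.15 issues many random-looking names that do not resolve (DGA-like);
# 10.0.0.22 issues ordinary names with a single typo.
SAMPLE_DNS_LOG = """
10.0.0.15 xk3q9ztpwb.com NXDOMAIN
10.0.0.15 p7r2mvqe01.net NXDOMAIN
10.0.0.15 zzq8w1kfda.org NXDOMAIN
10.0.0.15 b4n6ylcx9t.com NXDOMAIN
10.0.0.15 ua93dmnrx2.net NXDOMAIN
10.0.0.15 updates.example.com NOERROR
10.0.0.22 mail.example.com NOERROR
10.0.0.22 cdn.example.org NOERROR
10.0.0.22 www.wikipedia.org NOERROR
10.0.0.22 typo.exampel.com NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character; random labels score near log2(len(s))."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable_label(qname):
    """Second-level label of a query name (simplified: ignores suffixes like co.uk)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def analyze_dns(text):
    """Per-client query count, NXDOMAIN count and entropies of failed labels."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": []})
    for line in text.strip().splitlines():
        client, qname, rcode = line.split()
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["entropy"].append(shannon_entropy(registrable_label(qname)))
    return stats


def flag_dga_clients(text, min_queries=5, max_nx_ratio=0.5, min_entropy=3.0):
    """Flag clients whose failed lookups are both frequent and random-looking."""
    alerts = []
    for client, s in analyze_dns(text).items():
        if s["total"] < min_queries:
            continue
        ratio = s["nx"] / s["total"]
        avg_ent = sum(s["entropy"]) / len(s["entropy"]) if s["entropy"] else 0.0
        if ratio > max_nx_ratio and avg_ent >= min_entropy:
            alerts.append((client, round(ratio, 2), round(avg_ent, 2)))
    return alerts


if __name__ == "__main__":
    for client, ratio, ent in flag_dga_clients(SAMPLE_DNS_LOG):
        print(f"possible DGA activity: {client} nxdomain={ratio:.0%} entropy={ent}")
```

Requiring both a high failure ratio and high entropy keeps a single typo or a misconfigured search suffix from triggering the alert on its own.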
EDR Systems on Endpoints
Endpoint Detection and Response solutions monitor process behavior on workstations and servers, detecting:
- Processes establishing unusual network connections.
- Registry key modifications characteristic of persistence mechanisms.
- Code injection into legitimate processes (process injection).
- Automatic startup of unknown programs at system boot.
Behavioral Analysis
Advanced systems use machine learning to build profiles of normal user and device behavior (baseline). Any deviation from the norm — e.g., a workstation generating traffic at 3 AM or a server establishing connections to countries the company does not do business with — is flagged as a potential threat.
Botnet Protection: Technical and Operational Controls
Effective protection against botnets requires a multi-layered approach combining technical safeguards with operational procedures.
Technical Controls
Vulnerability and Patch Management:
- Regularly updating operating systems, applications, and IoT device firmware.
- Scanning infrastructure for known vulnerabilities (vulnerability management).
- Prioritizing patching of vulnerabilities actively exploited by botnets (CISA KEV catalog).
Network Segmentation:
- Isolating IoT devices in separate network segments (VLAN).
- Limiting communication between segments to the business-required minimum.
- Microsegmentation in data center and cloud environments.
DNS Filtering:
- Blocking known C&C domains at the DNS resolver level.
- Monitoring and blocking queries to algorithmically generated domains (DGA).
- Enforcing the use of corporate DNS servers (blocking external resolvers).
Endpoint Protection:
- Deploying EDR solutions with behavioral analysis capabilities.
- Application whitelisting — running only approved applications.
- Regular antivirus scanning with up-to-date signatures.
Network Security:
- IDS/IPS systems with rules for detecting botnet communication.
- Next-generation firewall (NGFW) with SSL/TLS inspection.
- Egress filtering — blocking outbound connections on ports that the business does not require.
Operational Controls
24/7 SOC Monitoring: A security operations center (SOC) is the foundation of botnet defense. SOC analysts continuously monitor infrastructure, correlate alerts, and respond to incidents. Time is critical — the faster you detect C&C communication, the less damage the bot will cause. At nFlo, our SOC team responds in under 15 minutes from incident detection.
Incident Response Plan: A pre-prepared incident response plan ensures organized action when a botnet infection is detected. It includes isolating infected systems, forensic analysis, malware eradication, and operations restoration.
Employee Training: Phishing remains the primary vector of botnet infection. Regular security awareness training, combined with simulated phishing campaigns, significantly reduces the risk.
Password and Authentication Policy:
- Enforcing strong, unique passwords on all devices (including IoT).
- Changing default credentials on network and IoT devices immediately after deployment.
- Implementing multi-factor authentication (MFA) wherever possible.
Security Audits: Regular audits and penetration tests verify the effectiveness of implemented safeguards and identify vulnerabilities before botmasters do.
Botnet-as-a-Service (BaaS) — The Democratization of Cybercrime
One of the most concerning trends is the growth of the Botnet-as-a-Service model. On darknet forums and in closed Telegram channels, botnet operators offer their zombie networks for rent by the hour, day, or for a specific task.
How Does BaaS Work?
The botnet operator builds and maintains the infrastructure (malware, C&C servers, bot network) and then makes it available to clients for a fee. A typical BaaS offering includes:
- DDoS attacks on demand — from 20 USD per hour for a low-intensity attack to several thousand dollars for a multi-day attack exceeding 100 Gbps.
- Spam distribution — network rental for spam campaigns, billed per number of messages sent.
- Malware installation — pay-per-install, where the client pays for each device on which their payload is installed.
- Credential stuffing — testing stolen credentials on selected services.
Scale of the Problem
The BaaS model lowers the barrier to entry into cybercrime. Carrying out a DDoS attack no longer requires technical knowledge — a credit card (or cryptocurrencies) and access to the right forum is sufficient. According to Europol’s report (IOCTA 2025), BaaS accounts for over 40% of all DDoS incidents in Europe.
What is particularly concerning is that some BaaS services offer interfaces resembling professional SaaS panels — with dashboards, attack statistics, and even technical support. This shows how professionalized the underground cybercrime economy has become.
How to Respond to a Botnet Infection?
If you suspect that devices in your organization have become part of a botnet, swift and methodical action is critical.
- Isolation — immediately isolate suspicious devices from the rest of the network. Do not shut them down — you will lose valuable volatile data (RAM, active connections).
- Analysis — collect network logs, memory dumps, and disk images. Identify the malware variant and determine the scope of infection.
- Eradication — remove the malware from all infected devices. For IoT devices, factory firmware restoration may be necessary.
- Recovery — restore normal operations while carefully monitoring for potential re-infection.
- Lessons Learned — conduct a post-incident analysis. Determine the infection vector and implement safeguards to prevent recurrence.
If your organization does not have an internal security team, professional incident response support can be critical for minimizing losses.
The Future of Botnets — Trends and Predictions
The botnet threat landscape is constantly evolving. Here are the trends shaping the future of this threat:
- AI-powered botnets — using artificial intelligence to automate propagation, evade detection, and dynamically adapt tactics. AI-driven bots can autonomously identify and exploit vulnerabilities.
- Cloud botnets — instead of infecting endpoint devices, attackers compromise poorly secured (misconfigured) cloud instances, gaining access to significantly greater computing power and bandwidth.
- 5G and edge computing — the growing number of edge devices with 5G network access creates a new, enormous attack surface.
- Botnets in OT/ICS — infected industrial control systems can not only participate in DDoS attacks but also sabotage production processes and critical infrastructure.
How nFlo Helps Protect Against Botnets
At nFlo, we have been helping organizations defend against botnet threats for years. Our experience includes over 500 projects delivered for over 200 clients.
- SOC 24/7 — our team continuously monitors client infrastructure, detecting C&C communication and botnet activity with a response time of under 15 minutes.
- Incident Response — in the event of a detected botnet infection, we provide immediate support in isolation, analysis, and threat neutralization.
- Threat Intelligence — we use up-to-date IOC databases covering known C&C servers, DGA domains, and botnet malware signatures.
- Security Audits — we identify vulnerabilities that could be used to incorporate devices into a botnet before cybercriminals do.
Botnets are a threat that will not disappear — it will evolve alongside technological development. The key to defense is a proactive approach: continuous monitoring, regular updates, network segmentation, and threat awareness at every level of the organization. If you want to check how your company is prepared for botnet threats, contact our team.