Botnet – Definition, Attack Types and Mitigation

What is a Botnet?

A botnet is a network of malware-infected computers and networked devices (IoT, smart devices, etc.) that work together under the control of a single malicious actor or an attack group often called a “botmaster”.

Each compromised device, often called a bot or zombie, can be remotely instructed to perform malicious activities such as launching DDoS attacks, stealing data, spreading malware, or mining cryptocurrency.

Campaigns like the RondoDox botnet show how critical web application vulnerabilities (such as React2Shell in Next.js) are now being weaponized to recruit servers and IoT devices into botnets at scale.

How Many Bots Are in a Botnet?

The number of bots in a botnet can vary widely, ranging from a few thousand to over a million compromised devices.

• Hide ‘n Seek botnet: ~24,000 devices
• Mirai botnet (2016): Estimated 800,000–2.5 million devices
• RondoDox botnet (2025): Actively targeting ~90,300 vulnerable Next.js servers globally, alongside routers, DVRs, and other IoT devices

This highlights how unpatched web servers are now as valuable to botnet operators as traditional IoT targets.

How Do Botnets Work?

Infection Phase

The botmaster initiates the creation of a botnet by distributing malware through various channels.

These include sending malicious email attachments, setting up drive-by downloads on compromised websites, exploiting software vulnerabilities(e.g., React2Shell), and deploying Trojan horse programs that appear legitimate but contain malicious code.

Once a device executes this malware, it becomes compromised and joins the botnet as a “bot” or “zombie.” The malware gains control by exploiting system vulnerabilities or deceiving the user into granting necessary permissions.

Communication Phase

Once infected, bots need to communicate with the botmaster for instructions. This is facilitated through a Command and Control (C&C) infrastructure.

In centralized C&C setups, bots connect to a single server or a small cluster of servers, often using protocols like HTTP/HTTPS or IRC.

In more sophisticated botnets, a decentralized peer-to-peer (P2P) approach is used, where bots communicate directly with each other, forming a resilient and difficult-to-disrupt network.

RondoDox, for example, uses loaders that aggressively remove competing malware and re-establish persistence via scheduled tasks.

To ensure confidentiality and avoid detection, the communication between bots and the C&C server is typically encrypted.

Command Execution Phase

Bots regularly communicate with the C&C server or their peers to obtain new instructions. These commands direct the bots to perform various malicious activities.

Common tasks include

• Launching DDoS attacks by flooding targets with excessive traffic
• Executing extensive spam campaigns through bot networks
• Stealing sensitive data via keylogging techniques
• Engaging in crypto jacking activities to mine cryptocurrencies illicitly
• Committing click fraud to generate fraudulent ad revenue
• Using bots as proxies to direct malicious traffic and hide the source of attacks

Maintenance and Expansion Phase

To maintain and expand the botnet, the botmaster can update the malware on infected devices, enhancing their capabilities and improving evasion techniques.

The botmaster continually seeks to recruit new bots by propagating the malware through already infected devices or exploiting new vulnerabilities.

RondoDox has expanded its arsenal to exploit dozens of vulnerabilities, spanning web frameworks, routers, DVRs, and surveillance systems.

This process ensures that the botnet remains robust and can compensate for any bots that are detected and removed by security measures.

Common Types of Botnet Attacks

A botnet attack refers to malicious activities orchestrated using a network of compromised computers or devices (known as bots) under the control of a cybercriminal.

Botnets execute various types of attacks, each posing a significant threat to businesses. Here are some typical botnet attack methods:

DDoS Attack

Botnets are commonly used to launch DDoS attacks, where a large number of bots simultaneously send a flood of traffic to a target website or server. This exhausts the target’s resources, making it inaccessible to legitimate users.

Get more insights on DDoS Botnet here.

Spam Campaigns

Botnets are often employed to send out massive volumes of unsolicited emails. These spam emails may contain phishing links, advertisements, or malware attachments. By using a botnet, attackers can bypass email filters and reach a large number of recipients, increasing the likelihood of successful attacks. Learn more about spam bots here.

Credential Stuffing

In credential stuffing attacks, botnets use previously leaked usernames and passwords to attempt logins on various websites and services. Bots systematically try these credentials across multiple platforms, exploiting users who reuse passwords.

Data Theft

Botnets can steal sensitive information from infected devices. This includes capturing keystrokes (keylogging), taking screenshots, accessing stored files, and exfiltrating data to the botmaster. Stolen data can include personal information, financial details, and intellectual property.

Click Fraud

In click fraud attacks, bots are used to generate fake clicks on online advertisements. This artificially inflates the number of clicks, generating revenue for the attacker or causing financial loss to the advertisers. Click fraud can distort marketing analytics and waste advertising budgets.

Cryptojacking

Botnets can exploit the computing power of compromised devices for cryptocurrency mining. This type of attack, known as cryptojacking, can significantly slow down the performance of the compromised devices and increase electricity usage, resulting in higher costs for the victims.

Financial Fraud

Botnets can be used to carry out financial fraud, such as automating transactions, manipulating stock prices, or executing unauthorized bank transfers. These attacks can cause significant financial losses and disrupt financial markets.

Social Media Manipulation

Botnets can be deployed to create and manage fake social media accounts. These accounts can be used to spread misinformation, generate fake likes and followers, and influence public opinion. Social media botnets can manipulate online discourse and amplify certain messages or campaigns.

Real-World Botnet Examples

RondoDox Botnet(2025 – Present)

The RondoDox botnet shows how modern botnets have evolved beyond insecure IoT devices to exploit critical web application vulnerabilities. First observed in early 2025, RondoDox initially targeted routers and DVRs before expanding its attack surface by weaponizing React2Shell (CVE-2025-55182), a critical RCE vulnerability in React Server Components and Next.js. This shift enabled attackers to recruit internet-facing web servers alongside traditional IoT devices.

By exploiting React2Shell, RondoDox automated the discovery and compromise of vulnerable Next.js servers exposed to the internet. Threat intelligence indicates that around 90,300 Next.js instances remained vulnerable as of December 2025, enabling rapid and large-scale botnet expansion. This highlights how quickly a disclosed vulnerability can transition from targeted abuse to fully automated botnet recruitment.

After compromise, RondoDox deploys multiple payloads, including cryptominers, botnet loaders, and Mirai-based DDoS components. Its loader aggressively removes competing malware, establishes persistence, and maintains long-term control over infected systems.

Mirai Botnet

The Mirai botnet attack, launched in late 2016, was one of the most famous cyberattacks in recent history. It targeted IoT devices by exploiting their default or weak passwords. The botnet’s massive scale allowed it to infect hundreds of thousands of devices, which were then used to launch powerful DDoS attacks.

These attacks interrupted major websites and services, including popular platforms like Twitter, Spotify, and Netflix, highlighting the vulnerabilities of IoT devices and the potential for widespread internet disruption caused by botnet attacks.

Zeus Botnet

The Zeus botnet, also known as Zbot, is a notorious example of malware designed to steal sensitive information from infected devices. It surfaced around 2007, primarily affecting Windows-based systems.

Zeus infects computers through malicious email attachments, drive-by downloads, or exploit kits. Once installed, it operates stealthily to capture sensitive data.

The Zeus botnet was responsible for numerous financial fraud incidents, including unauthorized bank transactions and identity theft. It targeted financial institutions and individuals alike, causing substantial financial losses and reputational damage.

Mariposa

Mariposa, discovered in 2008, was a sprawling botnet infecting millions globally through sophisticated malware known as “Butterfly Bot.” It enabled cybercriminals to remotely control compromised devices, facilitating extensive theft of personal and financial data.

Gorilla Botnet

The newly identified Gorilla botnet, built on Mirai’s leaked code, has launched extensive DDoS attacks in over 100 countries, executing more than 300,000 attack commands. This botnet targets IoT devices and cloud hosts using various flood methods, such as ACK and SYN floods, and exploits a vulnerability in Apache Hadoop YARN RPC for remote code execution.

Aisure DDoS Botnet

Aisuru’s operators have exploited various known vulnerabilities to compromise devices and expand the botnet. For instance, in January 2025, threat actors exploited a zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of Aisuru known as AIRASHI. Additionally, the botnet has leveraged command injection vulnerabilities in devices like TP-Link routers and Zyxel firewalls to recruit new bots.

The Aisuru botnet’s reach is truly global, with compromised devices observed in regions such as Brazil, Russia, Vietnam, and Indonesia. Its commercialization through platforms like Telegram has lowered the barrier for launching high-impact cyberattacks, making powerful DDoS capabilities accessible to a wider range of malicious actors

How to Protect Your Device from Botnets?

Botnets present a dual threat to businesses: they can infect one or multiple devices within your network or pool their resources to conduct DDoS and other targeted attacks against your business infrastructure.

Check out the 10 effective botnet detection best practices to protect your business from attacks.

It is crucial to prevent devices from joining botnets to avoid potential issues such as higher internet costs and compromised data. Legal consequences can also be severe if devices are involved in botnet-driven attacks.

Here are effective botnet protection strategies to protect devices:

1. Strong Passwords: Create and enforce strong passwords across all devices and accounts to prevent unauthorized access by botnet malware.
2. System Maintenance: Regularly wipe and restore systems to eliminate potential malware infections and restore system integrity.
3. Code Execution Control: Restrict execution permissions for third-party code to trusted and whitelisted entities only, minimizing the risk of malware infiltration.
4. Software Updates: Ensure devices are regularly updated with the latest security patches and software updates to minimize vulnerabilities botnets exploit.
5. Application Patch Management: Rapidly patch critical vulnerabilities in web frameworks such as React, Next.js, WordPress, and Struts2. Botnets like RondoDox actively automate exploitation of recently disclosed vulnerabilities to recruit new bot nodes.
6. WAAP Implementation: Deploy a WAAP with managed WAF and bot protection to block exploit attempts, automated scanning, and botnet recruitment traffic targeting web applications and APIs.

Discover the top 15 bot management software of 2026 for blocking botnet-driven attacks and malicious automation.

How to Disable an Existing Botnet?

• Understand how bots communicate with each other and the C&C infrastructure, whether through centralized or P2P methods.
• Immediately isolate infected devices from the network to prevent the botnet from spreading.
• Disconnect compromised systems from both the internet and internal networks to contain the spread of malicious activities.
• Block communication channels used by the botnet to connect with C&C servers. This involves blocking specific IP addresses, domains, or ports associated with botnet operations.
• Implement firewall rules and network filtering to prevent bots from communicating with C&C servers or other compromised devices.
• Continuously monitor network traffic to detect any attempts by bots to reconnect to C&C servers or switch to alternative communication channels.
• Isolate internet-facing web servers and IoT devices into dedicated network segments or VLANs to limit lateral movement if a system is compromised. In botnet campaigns like RondoDox, where attackers aggressively establish persistence and remove competing malware, rapid isolation and C2 disruption are critical to stopping reinfection.

How AppTrana Helps Prevent Botnet Attacks

AppTrana WAAP provides comprehensive botnet protection as part of its fully managed application security platform, helping organizations block both traditional and modern botnet-driven attacks. AppTrana uses AI-powered behavioral analysis and real-time detection to identify and mitigate malicious automation before it can recruit systems into botnets or abuse exposed services.

At the core of its botnet defense is real-time analysis of incoming traffic patterns, where every request is scored against multiple risk signals, including IP reputation, user-agent characteristics, request frequency, geographic behavior, and anomaly detection. This correlated risk scoring allows AppTrana to distinguish between legitimate human traffic and automated bot traffic, significantly reducing opportunities for botnets to exploit vulnerabilities or propagate across assets.

AppTrana’s behavioral bot protection also includes customizable controls that let security teams tailor mitigation policies based on business logic and workflow contexts. For example, high-risk automation such as credential stuffing, scraping, or rapid script-driven attacks can trigger advanced challenges, rate restrictions, or outright blocking, while legitimate users continue uninterrupted. This flexibility helps prevent botnets from leveraging automated tools to spread or launch coordinated attacks.

Moreover, AppTrana’s bot management is part of a wider WAAP stack that includes a managed WAF, API protection, and DDoS mitigation, ensuring that botnet attacks do not find alternate paths through unprotected layers of the application stack. With continuous updates from threat intelligence and 24×7 SOC support tuning detection logic, AppTrana adapts to evolving botnet strategies and minimizes risk even as attackers shift tactics.

By combining AI/ML-driven detection, risk-based scoring, and workflow-aware policies, AppTrana prevents botnets from recruiting assets or abusing application logic. Expert-managed services ensure strong protection across both web and API surfaces with minimal false positives.