The hidden armies behind many cyber attacks
Introduction
When people think about cyber attacks, they often imagine a lone hacker sitting behind a computer, targeting a victim directly. While this image is popular in movies and television, the reality is often very different.
Many of the largest cyber attacks are carried out not by a single computer, but by thousands – or even millions – of compromised devices working together. These networks of infected devices are known as botnets.
Botnets have been responsible for some of the most disruptive cyber incidents in history, powering attacks that have taken down websites, spread malware, stolen data, and generated millions of pounds in criminal revenue.
What Is a Botnet?
The term botnet is a combination of two words:
- Bot – Short for “robot,” referring to a device that performs automated actions.
- Network – A collection of connected devices.
A botnet is therefore:
A network of compromised devices that are remotely controlled by a cybercriminal or threat actor.
The devices within the botnet are often referred to as:
- Bots
- Zombies
- Compromised hosts
Once infected, these devices can receive commands and perform actions without the owner’s knowledge.
Understanding the Concept
Imagine a military commander controlling an army.
Each soldier follows instructions from the commander and performs specific tasks.
In a botnet:
- The cybercriminal acts as the commander.
- Compromised devices act as the soldiers.
- Commands are distributed across the network.
- The devices work together to achieve the attacker’s objectives.
The owner of the infected device is usually unaware that their system is participating in malicious activities.
What types of devices can become bots?
Many people assume botnets consist only of infected desktop computers; in reality, almost any internet-connected device can become part of a botnet.
Examples include:
- Desktop computers
- Laptops
- Servers
- Smartphones
- Tablets
- Security cameras
- Smart televisions
- Routers
- Network-attached storage (NAS) devices
- Smart home devices
- Industrial IoT equipment
As the number of connected devices continues to grow, so does the potential size of botnets.
Some botnets have involved millions of compromised devices. The biggest known botnet, which was dismantled by Dutch authorities on 28 May 2026, had over 17 million compromised bots and was managed by a network of 200 command and control (C2) servers.
Many of the compromised devices were Android phones that were brought into the botnet via malicious code embedded inside multiple malicious apps available through the Google Play store. When an unwitting victim installed such an app, they also installed the malware. Researchers identified almost 200,000 devices infected via this method alone.
How does a device become part of a botnet?
Botnet infections typically occur when malware is installed on a device.
There are several common infection methods.
Phishing attacks
One of the most common methods involves phishing emails.
For example:
- A user receives an email.
- The email contains a malicious attachment or link.
- The user opens the attachment.
- Malware is installed.
- The device joins the botnet.
The process often occurs without obvious signs of compromise.
Exploiting vulnerabilities
Attackers frequently scan the internet looking for vulnerable systems.
Examples include:
- Unpatched software
- Outdated operating systems
- Vulnerable web applications
- Weak network devices
Once a vulnerability is discovered, malware may be installed automatically.
Weak or default passwords
Many internet-connected devices are shipped with default credentials. If users fail to change these credentials, attackers may gain access and install malware.
This is particularly common with IoT devices.
The Mirai botnet infected millions of IoT devices in this way. The Mirai malware was hardcoded with the default credentials for 61 different devices; it scanned the internet looking for such devices and tried these credentials to see whether it could gain access.
Malicious downloads
Users may unknowingly download malware disguised as:
- Free software
- Cracked applications
- Fake updates
- Browser extensions
- Mobile applications
Once installed, the malware may silently connect to a botnet infrastructure.
How botnets are controlled
A botnet is only useful if the attacker can communicate with infected devices. This is achieved through a Command and Control (C2 or C&C) infrastructure.
The C2 system acts as a central management platform. The attacker sends commands to the C2 server, which then distributes instructions to infected devices.
In many botnets, a technique called Fast-Flux DNS is used. The malware that infects the bots runs an algorithm that generates thousands of pseudo-random domain names. The attackers run the same algorithm and repeatedly register those domains to host their C2 infrastructure.
This rapid swapping of domain names makes it very difficult for defenders to block access to those domains, allowing the attackers to keep their C2 machines reachable at all times.
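The domain-generation scheme described above, seen from the defender's side (algorithm-generated names of this kind are commonly termed a domain generation algorithm, or DGA): once the algorithm and its seed have been recovered from a malware sample, the same domains can be pre-computed and blocked or sinkholed before the attackers register them. This is an added example, not the page's or any real botnet's code; the hashing scheme, the seed value and the DNS log lines are all constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Toy domain-generation algorithm, constructed for this example and not taken
# from any real botnet: bots and operator derive the same names from a shared
# seed and the current date, so they agree on a rendezvous domain without contact.
TLDS = ("com", "net", "org", "info")

def generate_domains(seed, day_iso, count):
    """Domains the malware would try on the given day (ISO date string)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day_iso}|{i}".encode()).hexdigest()
        # 12 hex characters form the label; the TLD cycles by index
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains

def build_blocklist(seed, start_iso, days_ahead, per_day):
    """Defender's side: with the seed recovered from a sample, pre-compute every
    domain the bots will try over the coming days so they can be blocked or
    sinkholed before the attackers register them."""
    start = date.fromisoformat(start_iso)
    block = set()
    for offset in range(days_ahead + 1):
        day = (start + timedelta(days=offset)).isoformat()
        block.update(generate_domains(seed, day, per_day))
    return block

def flag_dns_queries(log_lines, blocklist):
    """Return (client, domain) pairs from 'client qname' log lines that hit the list."""
    hits = []
    for line in log_lines:
        client, _, qname = line.partition(" ")
        if qname.rstrip(".").lower() in blocklist:
            hits.append((client, qname))
    return hits

if __name__ == "__main__":
    seed = "example-seed"        # assumption: seed recovered from a malware sample
    predicted = build_blocklist(seed, "2024-01-15", days_ahead=2, per_day=4)
    # Constructed DNS query log: one hit on a predicted domain, one benign query
    sample_log = [f"10.0.0.5 {generate_domains(seed, '2024-01-15', 1)[0]}",
                  "10.0.0.7 example.org"]
    for client, qname in flag_dns_queries(sample_log, predicted):
        print(f"{client} queried predicted domain {qname}")
```

A real DGA is usually far more elaborate, but the defensive workflow is the same: reproduce the algorithm, generate ahead of the attackers, and match DNS telemetry against the result.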
These commands may include things like:
- Launch an attack
- Download additional malware
- Send spam emails
- Collect information
- Update malware components
Some botnets have been found to contain code that scans specific social media channels, such as Twitter accounts, for their instructions. All the threat actor needs to do is tweet an instruction; every affected machine in the botnet receives the tweet and executes its pre-written code.
Centralised vs decentralised botnets
Botnets generally use one of two control models.
Centralised Botnets – all devices communicate with a central server.
Advantages for attackers:
- Easy management
- Simple command distribution
Disadvantages:
- The central server becomes a single point of failure.
- Law enforcement can potentially identify and seize the server.
Peer-to-Peer (P2P) Botnets – infected devices communicate directly with each other.
Advantages:
- More resilient
- Harder to disrupt
- No single control server
Disadvantages:
- More complex to develop and manage
Many modern botnets use hybrid approaches that combine elements of both models.
What are botnets used for?
Botnets can support a wide range of cybercriminal activities.
Distributed denial of service (DDoS) attacks
One of the most common uses of botnets is launching DDoS attacks (see the section about DoS attacks).
Thousands of infected devices simultaneously send traffic to a target. The goal is to overwhelm the victim’s resources and make services unavailable.
Spam campaigns
Botnets can send enormous volumes of spam email.
Examples include:
- Phishing emails
- Malware delivery
- Scam messages
- Advertising campaigns
A botnet containing thousands of devices can send millions of emails within hours.
Credential theft
Botnet malware may collect:
- Usernames
- Passwords
- Browser data
- Authentication tokens
The information is then transmitted to attackers for further exploitation.
Malware distribution
Botnets frequently distribute additional malicious software.
Examples include:
- Ransomware
- Banking malware
- Remote access trojans
- Spyware
Once a botnet gains a foothold on a device, attackers may deploy more advanced threats.
Cryptocurrency mining
Some botnets use infected systems to mine cryptocurrency.
This process consumes:
- CPU resources
- Memory
- Electricity
Victims often notice slower performance while attackers profit from the stolen computing power.
Click fraud
Botnets can generate fraudulent advertising clicks.
The attacker earns advertising revenue by artificially inflating traffic statistics.
This costs advertisers significant amounts of money each year.
The lifecycle of a botnet
Most botnets follow a similar lifecycle.
- Stage 1: Infection – The malware is delivered to the target device.
- Stage 2: Installation – The malware establishes persistence.
- Stage 3: Connection – The infected device contacts the command and control infrastructure.
- Stage 4: Registration – The device joins the botnet.
- Stage 5: Operation – The device waits for instructions and performs tasks when commanded.
- Stage 6: Maintenance – The attacker updates malware and infrastructure as needed.
How can you tell if a device is part of a botnet?
Botnet infections are often designed to remain hidden.
However, common warning signs include:
- Slower system performance
- Increased network activity
- Unexpected crashes
- High CPU usage
- Unusual outgoing connections
- Unknown processes running
- Excessive battery drain on mobile devices
- Unexpected account activity
These symptoms do not always indicate a botnet infection, but they warrant investigation.
How organisations defend against botnets
Organisations use multiple security controls to detect and prevent botnet activity.
- Endpoint Protection – Modern endpoint security solutions can detect known malware and suspicious behaviour.
- Network Monitoring – Monitoring outbound network traffic can reveal communication with command and control servers.
- Vulnerability Management – Regular patching reduces the number of exploitable weaknesses.
- Email Security – Filtering malicious emails helps prevent malware delivery.
- Multi-Factor Authentication – While MFA does not stop botnet infections directly, it can reduce the impact of stolen credentials.
- Threat Intelligence – Security teams use threat intelligence feeds to identify known botnet infrastructure and malicious indicators.
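A worked example of the Network Monitoring control above, and of the "unusual outgoing connections" warning sign: a bot waiting for instructions typically checks in with its C2 at a fixed interval, so outbound connections whose gaps are almost identical stand out from human-driven traffic. This is an added example, not the page's own code; the connection log is constructed, and the coefficient-of-variation threshold is an assumption to tune, since real C2 beacons often add jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "timestamp source destination:port".
# 10.0.0.5 contacts one external host every 60 seconds, the regular heartbeat a
# bot shows while waiting for instructions; 10.0.0.7 is ordinary irregular traffic.
SAMPLE_LOG = """\
2024-01-15T09:00:00 10.0.0.5 203.0.113.10:443
2024-01-15T09:00:12 10.0.0.7 198.51.100.3:443
2024-01-15T09:01:00 10.0.0.5 203.0.113.10:443
2024-01-15T09:02:00 10.0.0.5 203.0.113.10:443
2024-01-15T09:03:00 10.0.0.5 203.0.113.10:443
2024-01-15T09:07:41 10.0.0.7 198.51.100.3:443
2024-01-15T09:04:00 10.0.0.5 203.0.113.10:443
2024-01-15T09:31:05 10.0.0.7 198.51.100.3:443
2024-01-15T09:44:52 10.0.0.7 198.51.100.3:443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def interval_stats(timestamps):
    """Mean gap and coefficient of variation of the gaps between connections:
    a CV near 0 means a metronome-like beacon, large values mean human traffic."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None, None                 # too few samples to judge
    avg = mean(gaps)
    return avg, pstdev(gaps) / avg

def find_beacons(text, max_cv=0.1):
    """Return (source, destination, mean interval in seconds) for beacon-like flows."""
    suspects = []
    for (src, dst), times in parse_log(text).items():
        avg, cv = interval_stats(sorted(times))   # log lines may be out of order
        if cv is not None and cv <= max_cv:
            suspects.append((src, dst, avg))
    return suspects

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: connects every {interval:.0f}s, investigate")
```

In practice this check is combined with threat intelligence (is the destination a known C2?) and with context such as the process that opened the connection, because legitimate software also polls on a schedule.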
How individuals can protect themselves
Individuals can significantly reduce their risk by following good cyber hygiene practices.
- Keep Software Updated – Install security updates promptly.
- Use Strong Passwords – Avoid default credentials and use unique passwords.
- Enable Multi-Factor Authentication – Protect accounts even if passwords are compromised.
- Be Cautious with Email Attachments – Avoid opening unexpected attachments or links.
- Install Security Software – Use reputable antivirus and endpoint protection tools.
- Secure IoT Devices – Change default passwords and keep firmware updated.
Why botnets remain a major cyber security threat
Botnets continue to evolve because they provide cybercriminals with scalable, flexible, and cost-effective attack platforms.
A single compromised device may have limited impact.
A network of hundreds of thousands of compromised devices can:
- Disrupt critical services
- Spread malware globally
- Steal vast amounts of data
- Generate significant criminal profits
As more devices become connected to the internet, the potential size and power of botnets continue to grow.
Conclusion
A botnet is a network of compromised devices that are remotely controlled by an attacker. These hidden armies of infected computers, smartphones, servers, and IoT devices are responsible for many of the cyber attacks seen today, including DDoS attacks, spam campaigns, malware distribution, and credential theft.
Botnets are particularly dangerous because they leverage legitimate devices belonging to unsuspecting users, allowing attackers to operate at massive scale while hiding their true identity.
Understanding how botnets work is essential for anyone interested in cyber security. Whether you’re an IT professional, business leader, student, or everyday internet user, recognising the risks posed by botnets can help you make informed decisions about securing your devices and protecting your digital environment.