Cyber Pulse Academy

T1583.005 (Resource Development, TA0042)

Botnet

Acquiring networks of compromised devices: IoT routers, cameras, and servers weaponized for DDoS, proxy relay, and command obfuscation.


Why It Matters

The explosive growth of IoT devices and botnet-for-hire services has made botnet acquisition one of the most dangerous and accessible threats in modern cybersecurity.

The scale of the botnet threat has reached unprecedented levels. According to a Zayo Group report, DDoS attacks surged 82% from 2023 to 2024, escalating from 90,000 to 165,000 incidents globally, driven primarily by the proliferation of IoT devices and AI-enhanced attack capabilities. Since the end of 2024, a large-scale IoT botnet leveraging Mirai and Bashlite variants has been launching devastating DDoS attacks against targets worldwide, exploiting known vulnerabilities in routers, IP cameras, and other internet-facing edge devices. The barrier to entry has never been lower: booter and stresser services offer subscription-based access to powerful botnets for as little as $10–$50 per month, enabling even unsophisticated threat actors to launch attacks capable of knocking major services offline.

State-sponsored actors have also embraced botnet infrastructure as a critical operational tool. Silk Typhoon, as tracked by Microsoft (March 2025), was observed building and deploying Operational Relay Box (ORB) networks (clusters of compromised SOHO routers, IoT devices, and VPS servers) to obfuscate its command-and-control communications and proxy malicious traffic through legitimate infrastructure. ORB networks make attribution extremely difficult by routing attacks through dozens of intermediary devices owned by innocent third parties, and they serve as resilient proxy layers that can survive the takedown of individual nodes. The MITRE ATT&CK framework classifies botnet acquisition as T1583.005, underscoring the technique's central role in adversary resource development strategies.

Internet-facing edge devices that are end-of-life (EOL) and no longer receive security patches represent the primary recruitment pool for botnets. Home routers, IP cameras, smart TVs, network-attached storage devices, and industrial control system sensors are routinely compromised and added to botnet armies numbering in the hundreds of thousands. The Aisuru botnet emerged in 2025 as a record-breaking threat, driving DDoS attacks exceeding 22.2 Tbps through a global network of compromised devices. Defenders must understand that botnets are not merely tools for volumetric attacks; they also function as covert proxy networks for C2 communications, reconnaissance platforms, and data exfiltration channels that blend malicious traffic with legitimate network activity.

  • 82%: DDoS attack surge (2023–2024)
  • 165K: DDoS incidents in 2024
  • 22.2 Tbps: record DDoS attack (Aisuru botnet, 2025)
  • $50: monthly cost for botnet-for-hire

Key Terms & Concepts

Understanding the vocabulary of botnet operations is essential for both threat hunters and defenders.

Definition

Acquiring or Leasing a Botnet (T1583.005) refers to the process by which adversaries obtain access to a network of compromised systems that can be instructed to perform coordinated tasks. A botnet is a collection of infected devices (often internet-facing edge devices like routers, IP cameras, IoT sensors, and servers) that are remotely controlled by a command-and-control (C2) server. Adversaries may purchase subscriptions to existing botnets through booter/stresser services, lease Operational Relay Box (ORB) networks consisting of VPS instances and compromised SOHO devices, or build their own botnets by exploiting known vulnerabilities in end-of-life devices. Botnets enable adversaries to launch distributed denial-of-service (DDoS) attacks, proxy their C2 communications through layers of compromised infrastructure, conduct reconnaissance at scale, and obfuscate the true origin of malicious activity.

Everyday Analogy

Like renting an army of remote-controlled robots scattered across the world: each robot does a small task, but together they can overwhelm any target. Imagine thousands of small drones, each sitting in someone's home, quietly waiting for orders. When the controller says "attack," they all simultaneously fly toward the same building, creating a traffic jam so massive that no one can get in or out. Meanwhile, some drones act as relay stations, bouncing the controller's signals through multiple houses so the true source of the orders can never be traced. That's exactly how a botnet works: compromised routers, cameras, and smart devices receive commands from a C2 server and coordinate to flood a target with traffic, while ORB nodes mask the attacker's real location through chains of proxy connections.

Botnet
A network of compromised systems (bots/zombies) remotely controlled by a C2 server to perform coordinated malicious tasks such as DDoS, spam, or proxying traffic.
ORB (Operational Relay Box)
Compromised devices (VPS, SOHO routers, IoT) used as relay nodes to obfuscate C2 communications, making traffic appear to originate from legitimate sources.
Booter / Stresser Service
Commercial "DDoS-for-hire" platforms offering subscription-based access to botnet attack capabilities, typically priced from $10–$100/month with web-based attack panels.
IoT Botnet
A botnet composed primarily of Internet of Things devices (routers, IP cameras, smart home devices) exploited due to weak default credentials and unpatched firmware vulnerabilities.
DDoS-for-Hire
The commercial model of renting botnet attack capacity, lowering the barrier to entry so that even non-technical actors can launch devastating volumetric attacks against any target.
Mirai
A notorious IoT malware family first released in 2016 by "Anna-Senpai" that targets Linux-based IoT devices using a dictionary of 62 default credentials. Variants remain active in 2025.

Real-World Scenario

A realistic portrayal of how adversaries leverage botnet infrastructure in targeted operations.

Character Profile: Chen Wei

Chen Wei is a mid-level operator working for a financially motivated threat group. His assignment is to conduct a multi-phase operation against a regional financial services company. He begins by subscribing to a booter service on a dark web marketplace for $50/month, gaining access to a botnet of approximately 15,000 compromised IoT devices, primarily home routers, IP cameras, and smart plugs located across Southeast Asia and Eastern Europe. The booter service provides a clean web-based control panel where Chen can specify target IPs, select attack types (HTTP flood, UDP amplification, SYN flood), and adjust duration and intensity.

Phase 1: Botnet Acquisition & ORB Setup

Chen accesses the booter service through Tor and configures his attack parameters. He also separately leases an ORB network of 200 compromised SOHO routers from another vendor, paying $200/month in Monero. The ORB nodes will serve as a proxy layer for his C2 communications, routing all command traffic through innocent third-party devices to mask his true location.

Phase 2: Reconnaissance Through Botnet Proxies

Before launching the main attack, Chen uses the botnet's IoT devices as proxy nodes to conduct reconnaissance against the target. He routes port scans and vulnerability probes through 50 different compromised routers, making the scanning traffic appear to originate from residential IP addresses across multiple countries. This distributed reconnaissance avoids the rate-based detections and geolocation alerts that a single-source scan would trigger.

Phase 3: DDoS Distraction Attack

Chen launches a coordinated DDoS attack against the target's public-facing web servers, directing 8,000 botnet nodes to simultaneously send HTTP flood requests. The attack generates 450 Gbps of traffic, overwhelming the target's DDoS mitigation service and drawing the attention of the security operations center (SOC). While the SOC is focused on mitigating the volumetric attack, Chen's team exploits a separate vulnerability in the target's VPN gateway using credentials obtained through the reconnaissance phase.

Phase 4: C2 Communications Through ORB Network

With initial access established, Chen routes all C2 beacon traffic through the ORB network. Each command from his C2 server passes through 3–5 compromised SOHO routers before reaching the implanted malware on the target's network. The ORB chain rotates every 4 hours, with compromised nodes being cycled in and out to prevent pattern detection. Traffic analysis tools see only connections to residential IP addresses in various countries (consistent with normal user behavior) rather than connections to known malicious infrastructure.

Detection Opportunity

Despite Chen's precautions, several indicators could reveal the botnet activity: the DDoS attack shows anomalous traffic patterns from IoT device IP ranges; ORB relay nodes exhibit unusual outbound connection patterns (long-lived TLS sessions to diverse destinations); and several of the compromised SOHO routers in the ORB chain have known vulnerabilities associated with Mirai variants. A threat hunter correlating these signals could identify the ORB network and trace it back to the C2 infrastructure.

Step-by-Step Guide

How adversaries systematically acquire, configure, and deploy botnet infrastructure for operations.

Step 1: Identify Botnet / ORB Requirements

Assess operational needs to determine the type, size, and capabilities of the botnet or ORB network required.

  • Determine attack type: volumetric DDoS, application-layer attacks, or proxy/C2 relay operations
  • Calculate required bandwidth: IoT botnets for DDoS (thousands of nodes), ORB networks for C2 (dozens of high-quality relay nodes)
  • Identify target geography and ensure botnet coverage matches target region for low-latency attacks

Step 2: Locate Booter / Stresser Services

Find and evaluate commercial botnet-for-hire services or dark web vendors offering ORB network access.

  • Search dark web marketplaces and underground forums for DDoS-for-hire services with proven track records
  • Evaluate service quality: botnet size, geographic distribution, attack methods offered (UDP/TCP/HTTP floods, amplification)
  • Research vendor reputation and operational security: avoid services known to be run by law enforcement

Step 3: Subscribe and Configure Access

Complete the acquisition transaction and configure botnet access with security precautions.

  • Pay using privacy-focused cryptocurrency (Monero preferred) to maintain financial anonymity
  • Access the botnet control panel through Tor or a chain of VPN services to protect operational identity
  • Configure attack parameters: target selection, attack vectors, duration limits, and traffic obfuscation settings

Step 4: Integrate Botnet with Operations

Incorporate the botnet and ORB network into the broader operational plan and attack infrastructure.

  • Configure ORB relay nodes to proxy C2 traffic through multiple layers of compromised devices
  • Integrate botnet DDoS capability as a distraction mechanism timed with primary exploitation phases
  • Establish fallback botnet routes in case primary ORB nodes are discovered or taken offline

Step 5: Execute DDoS / Proxy Activities

Deploy the botnet for its intended purpose: volumetric attacks, C2 proxying, or reconnaissance.

  • Launch coordinated DDoS attacks against target infrastructure, adjusting intensity to overwhelm defenses without triggering automated escalation
  • Route C2 beacon traffic through the ORB relay chain to obfuscate command origin and evade network monitoring
  • Use botnet IoT nodes as distributed scanning platforms for reconnaissance, spreading probe traffic across many source IPs

Step 6: Maintain Botnet Access and Rotate

Sustain operational access by refreshing compromised nodes and adapting to defensive countermeasures.

  • Rotate ORB relay nodes periodically (every 4–12 hours) to prevent pattern-based detection by traffic analysis
  • Monitor botnet health: track node availability, bandwidth capacity, and attrition from defensive actions or device reboots
  • Replenish botnet capacity by exploiting new device vulnerabilities or leasing additional nodes from booter services

Common Mistakes & Best Practices

Adversary pitfalls and defender strategies for botnet-related threats.

Adversary Mistakes

  • Using the same botnet or ORB nodes across multiple operations, allowing defenders to correlate attacks and identify the shared infrastructure used across campaigns.
  • Failing to rotate ORB relay nodes frequently enough, creating detectable patterns in network traffic that reveal the proxy chain structure and enable attribution.
  • Paying for booter services with traceable cryptocurrency (BTC) instead of privacy coins (XMR), leaving a financial trail that law enforcement can follow to identify the operator.
  • Launching DDoS attacks that are disproportionate to the operational objective, attracting significant attention from law enforcement and DDoS mitigation providers who can analyze the attack and identify participating botnet nodes.
  • Using botnet infrastructure that contains honeypot nodes operated by security researchers, resulting in real-time visibility into attack commands and C2 server locations.

Defender Best Practices

  • Implement IoT network segmentation to isolate all internet-facing edge devices (cameras, routers, smart devices) on separate VLANs with strict egress firewall rules limiting outbound connections.
  • Deploy DDoS mitigation services (Cloudflare, Akamai, AWS Shield) with automatic traffic scrubbing configured to detect and filter volumetric and application-layer attacks in real-time.
  • Monitor for unusual outbound traffic patterns from IoT devices, including long-lived connections to unknown destinations, high-volume DNS queries, and connections on non-standard ports.
  • Maintain firmware currency on all network-edge devices by implementing automated firmware update processes and replacing EOL devices that no longer receive security patches from their manufacturers.
  • Correlate threat intelligence feeds with internal network telemetry to identify known botnet C2 indicators, ORB network fingerprints, and compromised device signatures in your environment.

Red Team vs Blue Team View

Contrasting adversarial and defensive perspectives on botnet infrastructure.

RED TEAM

Attacker Perspective

Anonymity Through Proxy Chains: ORB networks provide multiple layers of relay between the attacker and the target. Each connection hop passes through a compromised SOHO device, making traffic attribution nearly impossible without analyzing the entire chain.

DDoS as Distraction: Volumetric attacks serve a dual purpose: they degrade the target's security posture by overwhelming monitoring systems, creating noise that masks the real exploitation activity happening simultaneously.

Low Cost, High Impact: Booter services offer attack capacity that would cost millions to build from scratch. For $50/month, an attacker gains access to thousands of compromised devices and can launch attacks generating hundreds of Gbps of traffic.

Distributed Reconnaissance: Spreading scanning and probing activity across hundreds of botnet nodes makes each individual probe appear as low-volume, residential-sourced traffic that blends with normal user activity and evades rate-based detection.

BLUE TEAM

Defender Perspective

IoT Security Posture: The most effective defense begins with securing the devices that botnets recruit. Default credential changes, firmware updates, network segmentation, and EOL device replacement dramatically reduce the pool of exploitable devices.

DDoS Mitigation Architecture: Multi-layer DDoS protection combining upstream scrubbing (ISP/CDN-level), on-premises rate limiting, and application-layer defenses ensures volumetric attacks can be absorbed without impacting business operations.

Traffic Analysis & ORB Detection: Advanced defenders use netflow analysis, TLS fingerprinting, and beacon pattern detection to identify compromised devices being used as ORB relay nodes, even when the relayed traffic appears superficially legitimate.

Threat Intelligence Correlation: Subscribing to botnet intelligence feeds that provide lists of known C2 servers, compromised device IP ranges, and botnet malware signatures enables proactive blocking of botnet-related traffic before it reaches critical infrastructure.

Threat Hunter's Eye

Proactive hunting hypotheses and detection strategies for botnet infrastructure in your environment.

Hunting Hypotheses

Hypothesis 1 (Unusual Outbound Traffic Patterns): Compromised devices within the network may exhibit anomalous outbound connection patterns, including connections to destinations in unusual geographic regions, connections at unusual times (consistent with C2 beaconing schedules), or high volumes of outbound traffic to single destinations that are inconsistent with normal device behavior. Hunters should baseline normal IoT device traffic and alert on deviations exceeding 2 standard deviations.

Hypothesis 2 (Connections to Known Botnet C2 Infrastructure): Internal systems or IoT devices may be connecting to IP addresses or domains associated with known botnet command-and-control servers. Cross-referencing outbound connection logs with threat intelligence feeds (AbuseIPDB, Spamhaus DROP lists, MITRE ATT&CK CTI) can reveal devices that have been recruited into active botnet campaigns.

Hypothesis 3 (IoT Device Behavioral Anomalies): Smart cameras, routers, and other IoT devices that suddenly begin generating large volumes of DNS requests, initiating outbound connections on non-standard ports, or exhibiting increased CPU/memory utilization may indicate compromise by botnet malware. Mirai and its variants typically exploit Telnet (port 23) or SSH (port 22) with default credentials to propagate.

Hypothesis 4 (ORB Network Relay Indicators): Devices acting as Operational Relay Boxes exhibit distinctive traffic patterns: they receive inbound connections from few sources but initiate outbound connections to many destinations, they maintain long-lived TLS sessions with consistent timing (beacon intervals), and their traffic volume ratios (inbound vs outbound) are inverted compared to normal devices. Network flow data analysis can identify these relay patterns.

Detection Queries & Indicators

Network Flow Analysis: Query netflow/Zeek logs for IoT device subnets showing outbound connections to more than 10 unique external destinations within a 24-hour period, or devices with sustained connections exceeding 4 hours to single external IPs. Pay particular attention to devices connecting on ports 23, 2323, 80, 8080, and 443 with consistent timing intervals (indicating C2 beaconing).

DNS Query Monitoring: Alert on IoT devices generating more than 100 DNS queries per hour, resolving domains associated with known botnet families, or querying DGA (Domain Generation Algorithm) domains. Botnet malware frequently uses DGA to generate unpredictable C2 domain names that evade static blocklists.

TLS Fingerprint Analysis: Use JA3/JA3S fingerprinting to identify botnet malware by its TLS client characteristics. Mirai variants, for example, have distinctive TLS fingerprints that differ from legitimate IoT device TLS implementations. Correlate unusual JA3 hashes with outbound connection destinations to identify potential C2 communication.
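The network flow hunt described above, together with the ORB relay pattern from Hypothesis 4, as an added example that is not part of the original page: it applies the page's thresholds (more than 10 unique external destinations, sessions longer than 4 hours, consistent connection timing) to constructed Zeek conn.log-style records. The beacon-regularity cutoff (coefficient of variation of inter-connection gaps below 0.1 over at least 4 connections) and the "few inbound sources" cutoff of 2 are assumptions, not values from the page.

```python
import ipaddress
import statistics
from collections import defaultdict

# Thresholds from the text: >10 unique external destinations within the 24h
# window the input covers, and single sessions longer than 4h. The beacon
# regularity cutoff and the inbound-source cutoff below are assumptions.
MAX_UNIQUE_DESTS = 10
MAX_SESSION_SECS = 4 * 3600
MIN_BEACON_CONNS = 4
BEACON_CV_LIMIT = 0.1     # assumption: near-constant gaps look like beaconing
MAX_RELAY_INBOUND = 2     # assumption: "few inbound sources" for a relay node
T0 = 1_700_000_000        # constructed base timestamp for the sample

# RFC 1918 ranges define "internal"; ipaddress.is_private would also match the
# TEST-NET documentation ranges used for the constructed external hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_conn_line(line):
    """One conn.log-style TSV record: ts orig_h orig_p resp_h resp_p proto duration orig_bytes resp_bytes."""
    f = line.split("\t")
    return {"ts": float(f[0]), "src": f[1], "dst": f[3], "dport": int(f[4]), "duration": float(f[6])}

def analyze(lines):
    """Return {internal device: [finding, ...]} for devices matching the hunting indicators."""
    fan_out, fan_in = defaultdict(set), defaultdict(set)
    longest, starts = defaultdict(float), defaultdict(list)
    for rec in map(parse_conn_line, lines):
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            fan_out[rec["src"]].add(rec["dst"])
            longest[rec["src"]] = max(longest[rec["src"]], rec["duration"])
            starts[(rec["src"], rec["dst"], rec["dport"])].append(rec["ts"])
        elif is_internal(rec["dst"]) and not is_internal(rec["src"]):
            fan_in[rec["dst"]].add(rec["src"])
    findings = defaultdict(list)
    for dev, dests in fan_out.items():
        if len(dests) > MAX_UNIQUE_DESTS:
            findings[dev].append(f"fan-out to {len(dests)} external destinations")
            if len(fan_in[dev]) <= MAX_RELAY_INBOUND:  # Hypothesis 4: few in, many out
                findings[dev].append("relay-like pattern: few inbound sources, many outbound peers")
        if longest[dev] > MAX_SESSION_SECS:
            findings[dev].append(f"sustained session of {longest[dev] / 3600:.1f}h")
    for (dev, dst, port), ts in starts.items():
        if len(ts) < MIN_BEACON_CONNS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < BEACON_CV_LIMIT:
            findings[dev].append(f"beacon to {dst}:{port} every ~{mean:.0f}s")
    return dict(findings)

def _rec(ts, src, sport, dst, dport, dur):
    return f"{ts}\t{src}\t{sport}\t{dst}\t{dport}\ttcp\t{dur}\t512\t2048"

# Constructed sample (not real traffic): a camera that beacons every 5 minutes and
# holds one 5-hour session, a router that reaches 12 external hosts while only one
# external source connects to it, and a benign device with irregular connections.
SAMPLE_LOG = (
    [_rec(T0 + i * 300, "10.0.5.20", 40000 + i, "198.51.100.7", 443, 2) for i in range(6)]
    + [_rec(T0, "10.0.5.20", 41000, "203.0.113.9", 8080, 18000)]
    + [_rec(T0 + i * 700, "10.0.5.21", 42000 + i, f"203.0.113.{i}", 443, 10) for i in range(1, 13)]
    + [_rec(T0 + 50, "198.51.100.50", 51000, "10.0.5.21", 443, 30)]
    + [_rec(T0 + t, "10.0.5.30", 43000, "198.51.100.200", 443, 5) for t in (0, 410, 1300, 1900)]
)
```

Feeding `analyze` a real conn.log requires only keeping the same column order after stripping Zeek's header lines.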

Continue Exploring

Botnet acquisition is one component of the broader infrastructure acquisition lifecycle. Explore related techniques and sub-techniques.
