A botnet is a network of compromised machines controlled remotely to execute coordinated actions. Common uses: sending spam, launching DDoS attacks, distributing malware, generating ad fraud, mining cryptocurrency or serving as intermediate infrastructure for other operations. Each infected device is called a bot or zombie; the coordinated set is the botnet, and the operator is the botmaster. Botnets have existed since the late nineties, and although the techniques have evolved a lot, the concept is unchanged: someone gives the order, thousands of machines obey.
This guide explains what a botnet actually is, the four command and control architectures that appear in real investigations (centralised C2, P2P, Fast Flux, DGA), the six economic uses that justify their existence, essential documented cases (Mirai 2016, Emotet 2014-2021, Mozi 2019, Necurs, Cutwail), how to detect them in enterprise and how to eradicate them when a machine falls inside one.
What a botnet is
A botnet is a distributed network of compromised machines executing commands received from command and control (C2) infrastructure. The four defining properties:
- Bot malware client installed on every victim. Runs in the background, maintains persistence and queries the C2.
- C2 (Command and Control) infrastructure. Servers, domains, communication channels or peer-to-peer networks from which the operator sends commands.
- Human operator or automated operation that monetises the network.
- Scale. A small botnet has hundreds of bots; a big one, millions. Mirai at its peak had approximately 600,000 IoT devices compromised simultaneously.
What it gives the operator:
- Mass payload distribution without servers of their own. Spam, DDoS, scraping, brute force at scale.
- Anonymity and geographic illusion. Traffic comes from different IPs in diverse countries.
- Stolen processing power. Cryptojacking, distributed password cracking.
- Intermediate infrastructure for other operations. Residential proxies for ad fraud, phishing redirectors, exfiltrated data storage.
- Persistence and resilience. If some bots fall, others stay alive. If a C2 falls, bots migrate to the next.
What limits it:
- High visibility when monetised by DDoS or spam. The traffic gives it away.
- Modern mitigations. DNS sinkhole, blocklists, coordinated police-vendor takedowns.
- Vulnerability of the C2 infrastructure. If it is identified and shut down, part of the botnet is orphaned.
The four C2 architectures
Ways to coordinate thousands of bots change over time. Four models cover practically every historical and current case.
Centralised C2
The classic model. Each bot queries a central server periodically (HTTP, IRC, custom protocol) to receive commands. Simple to implement, easy to operate at small scale.
Weakness: if authorities identify the C2 and achieve a takedown, the whole botnet falls silent. Operation Endgame (Europol, 2021) brought down centralised Emotet this way.
Examples: most old botnets (Zeus, SpyEye, GameOver Zeus in its first version).
Peer-to-peer (P2P) C2
Bots communicate with each other and forward commands without a single central server. Much more resistant to takedowns. Each node knows only its direct neighbours; taking one down doesn't affect the rest.
Cases: GameOver Zeus after evolving, Storm Worm (2007), Mozi (IoT botnet 2019-2023).
Drawback for the operator: slower command distribution and greater implementation complexity.
Fast Flux
Variant of centralised C2 where the C2 domain resolves to hundreds or thousands of different IPs that rotate rapidly via DNS with low TTL. Each bot queries c2-malicious.example and receives a different IP each time. If one IP falls, DNS keeps providing others.
Double Fast Flux: both the A-record IPs and the authoritative nameservers (NS records) rotate. Hard to defend against without registrar cooperation.
Cases: Storm Worm, Asprox, Bredolab. Still used in modern operations.
Domain Generation Algorithm (DGA)
The bot dynamically generates hundreds or thousands of domain names each day following a predictable algorithm. Tries to connect with all of them until one responds. The operator only registers a few in advance.
Advantage for the operator: even if defenders identify some domains and sinkhole them, the operator can always register new ones.
Defence: reverse engineering the algorithm to predict and block every future domain before the operator registers them. Paradigmatic cases: Conficker (over 50,000 domains a day after Conficker.C), Murofet, Tinba, Locky ransomware.
Six economic uses
Where is the money in a botnet? Six revenue streams sustain the model.
DDoS as a Service (booter / stresser)
Pay by the hour or per attack to take a target service down. A mature underground market, including public-facing sites with a veneer of legitimacy ("pentesting tools", "stress testing") that in practice serve attacks against third parties.
The Mirai case (2016) showed the potential: attack on Dyn DNS that took down Twitter, Spotify, GitHub and other services. Botnet built with IoT devices (cameras, routers, DVRs) with default credentials.
Mass spam and phishing
Sending millions of emails per day from non-listed residential IPs. Necurs (2012-2020) reached billions of daily emails at peak.
Ad fraud (click fraud and impression fraud)
Bots that simulate visits to and clicks on ads from residential IPs, pretending to be real users, to defraud ad networks and advertisers. Methbot (2016), 3ve (2018) and Migalo (ongoing campaigns) caused losses estimated in the billions.
Cryptojacking
Using each bot's CPU/GPU to mine Monero or other cryptocurrency. Adylkuzz, Smominru, MyKings. Profitable until a fall in the coin's price or improved detection makes the model less attractive.
Residential proxies
Selling access to residential IPs as a "legitimate" or underground service. Legitimate companies (Bright Data, Oxylabs) run proxies with user consent; illegal networks like Faceless reuse bots without consent. They serve scraping, geoblock evasion, ad fraud and carding.
Malware distribution
The botnet as infrastructure. Late-phase Emotet wasn't primarily a spam operation: it charged ransomware operators, banking trojans and stealers to deliver their payloads onto already infected endpoints (malware-as-a-service / pay-per-install model).
Documented real cases
Names every security lead should keep in mind.
Mirai (2016). IoT botnet that took advantage of default credentials in cameras, routers and DVRs (admin/admin, root/root, etc.). Estimated peak: 600,000 devices. DDoS attacks of up to 1.2 Tbps against Dyn DNS, OVH and Krebs on Security. Source code leaked in 2016 spawned dozens of variants (Satori, Masuta, Hajime). Still alive in variants affecting consumer IoT and SOHO.
Emotet (2014-2021, 2022 resurrection). Started as a banker, evolved into a paid loader. Dismantled by Operation Ladybird (Europol, NCA, FBI and others) in January 2021 with international coordination. Resurrected in November 2021. Partial fall in 2023. Considered for years one of the most sophisticated criminal services.
Conficker (2008-present). Worm and botnet with DGA architecture generating 50,000 daily domains. Infected between 9 and 15 million machines. Forced creation of the Conficker Working Group (Microsoft, ICANN, registrars) to mitigate. Still appears in scans of unpatched Windows over 15 years later.
GameOver Zeus / P2P Zeus (2011-2014). P2P variant of the Zeus trojan. Stole hundreds of millions of dollars from bank accounts. Dismantled by Operation Tovar (FBI 2014) in an operation combining technical analysis, legal takedown and operator identification (Evgeniy Bogachev, still wanted).
Necurs (2012-2020). Massive spam botnet. Distributed Locky, Dridex, Trickbot and others. Microsoft led the takedown in March 2020 coordinated with 35 countries.
Mozi (2019-2023). P2P IoT botnet, conceptual successor to Mirai. Took advantage of routers and IoT devices with known vulnerabilities. Peaks of several hundred thousand bots. Near-total fall in 2023 after an operation not yet officially attributed: someone injected a self-destruct command into the network.
Cutwail / Pushdo (2007-present residual). Historical spam botnet with several partial takedowns and resurrections. Main distributor of the Pushdo / Cutwail trojan.
Smominru (2017-present). Massive cryptojacking botnet, specialised in leveraging EternalBlue against unpatched Windows. Generates Monero at scale and persists despite multiple disinfection campaigns.
Trickbot (2016-2022). Banker that evolved into a platform with multiple modules and integrated with Ryuk and Conti ransomware. Operation EternalShadow (Microsoft + US Cyber Command, 2020) and the Conti takedown (2022) affected its operations.
How they get detected
The fronts covered by a modern defensive team.
EDR / XDR with behavioural detection. Patterns that trigger alerts: unknown process querying DGA domains, periodic beaconing with C2-typical jitter, connections to no-reputation IPs, internal lateral scanning. Detail in what is an EDR.
Centralised DNS telemetry. Detection of resolutions to known DGA domains, NXDOMAIN spikes characteristic of the bot trying to reach the C2 before connecting. Detail in what is a SIEM.
Network monitoring and NDR. Public Sigma rules for known C2 patterns, beaconing detection, flows toward suspicious ASNs.
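Beaconing with jitter, named above under EDR/XDR and NDR detection, is easy to reason about in code. The following is an added example, not code from the original article or from Secra: it reads a constructed connection log (epoch, source IP, destination IP, destination port), computes the inter-arrival intervals for every source/destination pair and flags pairs whose intervals are regular, meaning the coefficient of variation (standard deviation divided by mean) of the intervals stays below a threshold over a minimum number of connections. Every address, timestamp and threshold below is an assumption made for the demo.

```python
"""Beacon detection over a connection log (added example, not from the article)."""
import statistics
from collections import defaultdict

# Constructed connection log, one line per connection:
#   <epoch> <src_ip> <dst_ip> <dst_port>
# 10.0.0.42 -> 203.0.113.10 connects roughly every 300 s with a few seconds of
# jitter (bot-like); 10.0.0.15 browses irregularly; 10.0.0.77 is periodic but
# only seen three times. None of these addresses or events are real.
SAMPLE_CONN_LOG = """\
1700000000 10.0.0.42 203.0.113.10 443
1700000010 10.0.0.15 93.184.216.34 443
1700000015 10.0.0.15 93.184.216.34 443
1700000100 10.0.0.77 198.51.100.7 443
1700000305 10.0.0.42 203.0.113.10 443
1700000400 10.0.0.15 93.184.216.34 443
1700000402 10.0.0.15 93.184.216.34 443
1700000400 10.0.0.77 198.51.100.7 443
1700000592 10.0.0.42 203.0.113.10 443
1700000700 10.0.0.77 198.51.100.7 443
1700000910 10.0.0.42 203.0.113.10 443
1700001197 10.0.0.42 203.0.113.10 443
1700001503 10.0.0.42 203.0.113.10 443
1700001795 10.0.0.42 203.0.113.10 443
1700001900 10.0.0.15 93.184.216.34 443
1700001905 10.0.0.15 93.184.216.34 443
1700002101 10.0.0.42 203.0.113.10 443
1700002410 10.0.0.42 203.0.113.10 443
1700002600 10.0.0.15 93.184.216.34 443
1700002698 10.0.0.42 203.0.113.10 443
"""


def parse_conn_log(text):
    """Group connection timestamps by (src, dst, port); skip malformed lines."""
    conns = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        conns[(src, dst, int(port))].append(int(ts))
    return conns


def beacon_score(timestamps):
    """Period, jitter (coefficient of variation of the intervals) and count for
    one pair, or None when there are too few connections to measure."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    mean = statistics.fmean(deltas)
    if mean == 0:
        return None
    cv = statistics.pstdev(deltas) / mean
    return {"period": round(mean, 1), "jitter_cv": round(cv, 3), "count": len(ts)}


def find_beacons(conns, min_count=6, max_cv=0.25):
    """Return the pairs that look like beacons: enough connections and a
    regular interval. Both thresholds are tuning knobs, not magic numbers."""
    hits = {}
    for key, timestamps in conns.items():
        if len(timestamps) < min_count:
            continue
        score = beacon_score(timestamps)
        if score and score["jitter_cv"] <= max_cv:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for pair, score in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(pair, score)
```

The thresholds are where the tuning happens: a low `max_cv` catches tight beacons but misses malware with heavily randomised sleep intervals, and a low `min_count` catches short-lived beacons at the price of false positives from software that is genuinely periodic (NTP, update checks, monitoring agents). A hit is therefore a hunting lead to enrich with destination reputation and process context from the EDR, not a verdict on its own.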
Threat intelligence feeds. Lists of IoCs (domains, IPs, sample hashes) kept up to date by providers like Mandiant, CrowdStrike, Spamhaus, Abuse.ch. Integration into SIEM and proxy.
Sinkhole DNS. Internal DNS resolvers that return a controlled IP for known malicious domains. The bot connects to defensive infrastructure instead of the C2; the event gets logged as a detection.
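The DNS side of the three fronts above (DGA-driven NXDOMAIN bursts from the Domain Generation Algorithm section, low-TTL multi-IP resolution from the Fast Flux section, and hits on an internal sinkhole) can all be pulled out of the same resolver log. The following is an added example, not code from the original article or from Secra: it parses a constructed resolver log, scores each client's NXDOMAIN ratio and the Shannon entropy of the names it failed to resolve per time window, lists domains that answered with several different IPs at a low TTL, and reports every answer that points at the sinkhole address. The log format, the sinkhole address, every host, domain and IP, and the thresholds are assumptions made for the demo; the `c2-malicious.example` name is the one the article itself uses.

```python
"""DNS telemetry triage: DGA, fast flux and sinkhole hits (added example)."""
import math
from collections import defaultdict

SINKHOLE_IP = "10.0.0.250"  # assumed: the address our internal sinkhole answers with

# Constructed resolver log, one line per query:
#   <epoch> <client_ip> <qname> <rcode> <answer_ip or -> <ttl or ->
# 10.0.0.42 burns through random-looking names (NXDOMAIN) and then reaches a
# domain that keeps answering with different IPs at TTL 1-5; 10.0.0.15 is a
# normal client with one typo; 10.0.0.77 asks for a domain we sinkhole.
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.15 www.example.com NOERROR 93.184.216.34 300
1700000002 10.0.0.15 mail.example.com NOERROR 93.184.216.35 300
1700000003 10.0.0.42 xkq7bz9wlm2vd.net NXDOMAIN - -
1700000004 10.0.0.42 p3fjq0zrt8hm1s.com NXDOMAIN - -
1700000005 10.0.0.42 g5nwyc4ek0ahx.org NXDOMAIN - -
1700000006 10.0.0.42 vbu2rz6tqlx9.net NXDOMAIN - -
1700000007 10.0.0.42 m8kpd1yfo3cws.com NXDOMAIN - -
1700000008 10.0.0.42 jq4tne7bah0xz.biz NXDOMAIN - -
1700000009 10.0.0.42 r9slzw3gd5kup.info NXDOMAIN - -
1700000010 10.0.0.42 ykc6bmx1ovq2t.net NXDOMAIN - -
1700000011 10.0.0.15 wwww.example.com NXDOMAIN - -
1700000013 10.0.0.42 c2-malicious.example NOERROR 203.0.113.10 1
1700000015 10.0.0.15 cdn.example.net NOERROR 198.51.100.7 300
1700000018 10.0.0.77 blocked.example NOERROR 10.0.0.250 30
1700000020 10.0.0.42 c2-malicious.example NOERROR 203.0.113.55 5
1700000025 10.0.0.15 cdn.example.net NOERROR 198.51.100.8 300
1700000027 10.0.0.42 c2-malicious.example NOERROR 198.51.100.200 1
1700000034 10.0.0.42 c2-malicious.example NOERROR 192.0.2.77 3
"""


def parse_dns_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, rcode, answer, ttl = parts
        records.append({
            "ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
            "rcode": rcode, "answer": None if answer == "-" else answer,
            "ttl": None if ttl == "-" else int(ttl),
        })
    return records


def shannon_entropy(s):
    """Bits per character; machine-generated labels score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sld_label(qname):
    """Label left of the TLD ("xkq7bz9wlm2vd" for "xkq7bz9wlm2vd.net"). Naive:
    assumes a single-label public suffix, which is enough for the demo."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_suspects(records, window=60, min_nx=5, nx_ratio=0.6, min_entropy=3.0):
    """Clients that, within one time window, fail many lookups of high-entropy
    names: the pattern of a bot walking its daily DGA list."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "ent": []})
    for r in records:
        b = buckets[(r["client"], r["ts"] // window)]
        b["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            b["nx"] += 1
            b["ent"].append(shannon_entropy(sld_label(r["qname"])))
    suspects = {}
    for (client, _), b in buckets.items():
        if b["nx"] < min_nx:
            continue
        mean_ent = sum(b["ent"]) / len(b["ent"])
        if b["nx"] / b["total"] >= nx_ratio and mean_ent >= min_entropy:
            suspects[client] = {"nx": b["nx"], "total": b["total"],
                                "mean_entropy": round(mean_ent, 2)}
    return suspects


def fast_flux_suspects(records, min_ips=3, max_ttl=60):
    """Domains answered with many distinct IPs and at least one low TTL."""
    answers, low_ttl = defaultdict(set), defaultdict(bool)
    for r in records:
        if r["rcode"] == "NOERROR" and r["answer"]:
            answers[r["qname"]].add(r["answer"])
            if r["ttl"] is not None and r["ttl"] <= max_ttl:
                low_ttl[r["qname"]] = True
    return {q: sorted(ips) for q, ips in answers.items()
            if len(ips) >= min_ips and low_ttl[q]}


def sinkhole_hits(records, sinkhole_ip=SINKHOLE_IP):
    """Every answer that pointed a client at the sinkhole is a detection."""
    return [(r["client"], r["qname"]) for r in records if r["answer"] == sinkhole_ip]


def analyse(text):
    records = parse_dns_log(text)
    return {"dga": dga_suspects(records),
            "fast_flux": fast_flux_suspects(records),
            "sinkhole": sinkhole_hits(records)}


if __name__ == "__main__":
    for section, result in analyse(SAMPLE_DNS_LOG).items():
        print(section, result)
```

In production the entropy test needs an allowlist for legitimate high-entropy names (CDN hostnames, cloud storage buckets, DoH endpoints) and the fast-flux test needs a baseline of how many IPs big CDN domains legitimately return at short TTLs; the sinkhole check is the one signal that needs no tuning, since nothing benign should ever resolve to that address.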
Honeypots. Trap systems that detect scans and worm-driven infection attempts associated with botnets. Especially useful against Mirai-like attacks in networks with exposed IoT.
Threat hunting over C2 patterns when they haven't triggered automatic alerts. Detail in what is threat hunting.
How to eradicate if you fall inside one
For isolated home users:
- Disconnect the machine from the network.
- Scan with modern antivirus and additional anti-malware tool (Malwarebytes).
- Change passwords from a different, clean device, especially for banking and email.
- If the device is IoT (camera, router, DVR): factory reset, firmware update, default credential change. If firmware can't be updated, replace the device.
- Notify the ISP if infection persists or if you receive a notice from them. Many Spanish carriers have detection processes for client IPs inside botnets.
For corporate environments:
- Host isolation via the EDR.
- Forensic capture (memory, disk) before remediating.
- IR analysis to identify the initial vector, IoCs and possible lateral movement.
- Hunting across the network with the derived IoCs to detect other infected hosts.
- Clean reinstall of the operating system on compromised hosts.
- Credential rotation for any credentials the bot may have captured.
- Legal and client notification where applicable (GDPR 72h, NIS2 24/72h).
- Lessons learned and control improvement.
Compliance fit
Being an involuntary part of a botnet falls under regulatory frameworks:
- NIS2 (article 21). Malicious software protection, incident management, monitoring. Devices in botnets are evidence of weak anti-malware control.
- DORA (article 9). ICT risk management. Formal detection and response required.
- ISO 27001:2022 (controls 8.7, 8.16, 8.20). Malware protection, activity monitoring, secure networks.
- ENS Royal Decree 311/2022 (op.exp.6, op.mon). Malicious code protection and monitoring.
- PCI DSS v4.0 (req. 5, 11.5). Anti-malware and intrusion detection.
- GDPR. A botnet leaking customer personal data is a notifiable breach.
Frequently asked questions
What's the difference between botnet and malware?
Malware is the individual malicious software; the botnet is the network of devices infected with bot malware coordinated by an operator. A one-off trojan infection isn't a botnet; if that trojan queries a C2 and obeys coordinated commands with thousands of others, it is.
How do I know if my machine is part of a botnet?
Indirect symptoms: degraded performance without visible cause, shorter battery life, unexplained network traffic spikes, high CPU/GPU usage while the device is idle, connections to unfamiliar IPs, or a notice from the ISP about suspicious activity. Modern antivirus detects most commodity variants. If you suspect an infection, scan with a second antivirus and review running processes and network connections.
Are home routers frequent victims?
Yes. Mirai and derivatives specialised in SOHO routers with default credentials, unpatched firmware and administration exposed to the Internet. Basic defence: updated firmware, disable remote administration, unique credentials, hardware replacement plan at firmware end of life.
What's a bot herder or botmaster?
The person who controls the botnet. Professionally there can be a technical operator who maintains the infrastructure and monetises, and partners who rent it for specific operations. In more mature criminal structures, the role fragments across multiple levels.
Is IoT still used for botnets in 2026?
Yes, massively. The global IoT fleet (cameras, routers, connected appliances, consumer medical devices, toys) keeps growing with very uneven security. A significant share of DDoS attacks and residential proxies in 2026 comes from IoT botnets. Mozi fell but new variants keep appearing.
Is researching botnets legal?
Passive research (sample analysis, controlled sandbox, domain sinkholing with authorisation) is legal and gets done by threat intelligence firms and police services. What's illegal is operating the botnet, renting its services or taking technical control (sinkholing without a court order) without a specific legal framework.
Does a VPN protect against being a botnet victim?
No. A VPN encrypts traffic; it doesn't prevent bot malware from installing. If your device gets infected, the VPN only changes the apparent origin of the traffic, not the reality of the compromise. The defence against becoming a victim is anti-malware, hardening, training and patch management.
Related resources
- Types of malware: broader family where bots sit alongside trojans, worms and others.
- What is a trojan: most frequent vector for recruiting machines into modern botnets like Emotet or TrickBot.
- What is a computer worm: families like Conficker or Mozi are simultaneously worm and botnet, with autonomous propagation and C2 coordination.
- What is ransomware: the botnet often serves as intermediate infrastructure for ransomware distribution.
- What is an EDR: control that detects beaconing and bot behaviour.
- What is threat hunting: discipline that hunts C2 patterns when they don't trigger automatic alerts.
Botnet defence at Secra
At Secra we cover botnet risk on three usual fronts: review of EDR configuration and network telemetry for real behavioural detection, inventory and hardening of corporate IoT (IP cameras, OT equipment, medical devices, SOHO routers in remote offices) which are typically the most vulnerable, and empirical validation via Red Team that tests whether defensive controls detect simulated beaconing and known C2 patterns. If your organisation has IoT deployed without formal policy, has received ISP notice for suspicious activity or has never measured how long it takes to detect C2 behaviour, get in touch via contact.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.