All About the Bots: What Botnet Trends Portend for Security Pros

Protecting your organization against botnet threats requires a holistic, integrated approach to security


Botnets have become a fixture in the threat landscape, but they are no longer primarily DDoS engines. They keep evolving, adopting newer cybercriminal attack techniques as they appear, and have become multi-purpose attack vehicles that draw on an assortment of more sophisticated techniques, including ransomware.

For example, threat actors, including operators of botnets like Mirai, integrated exploits for the Log4j vulnerability into their attack kits. Let’s take a look at what we’re seeing and what these trends mean for security professionals and their respective organizations.

The background on bots

Botnets give a view of post-compromise activity, in contrast to the pre-compromise side of cyber threats that IPS (intrusion prevention system) and malware trends usually show. Once infected, systems often attempt to communicate with remote hosts, making this traffic an important part of monitoring the full scope of malicious activity. In ATT&CK parlance, botnet traffic is most indicative of Command and Control (C2) TTPs.

We’ve seen that the most prevalent botnets across our sensors tend to stay the same over time, mainly because persistent control is a prized commodity among cybercriminals and a great deal of work goes into preserving their investment in malicious infrastructure. That’s why the most successful botnets are impressive in their consistency over time. In the second half of 2021, we saw that the biggest names in botnets – Mirai, ZeroAccess and Pushdo – continued to reign supreme.

The new bots on the block 

That said, there was still plenty of screen time for many new upstarts in the world of bots.

Outside of the aforementioned big three, we saw an increase in July and August in detections of Warzone RAT, which could also be called “BargainZone RAT” due to its reputation as a low-cost, high-functionality malware-as-a-service tool. BlackBerry’s description of the RAT as “the choice for aspiring miscreants on a budget” is aptly put. In an era of commoditization in cybercrime markets, Warzone has established a successful business model.

It’s also worthy of note that in September and October, we saw an uptick in RedLine Stealer malware, especially in the Middle East and Europe. Technically, this isn’t a newcomer; it’s been around since at least early 2020, with cybercriminals using it to nab credentials from infected systems. Furthermore, that uptick isn’t likely to be an isolated incident, as RedLine’s developers regularly morph the malware to find new victims. In fact, FortiGuard Labs recently discovered a new variant in the form of a COVID-themed file, “Omicron Stats.exe.” It won’t be the last. 

Even when security professionals and law enforcement manage to take down a threat, their success is sometimes short-lived. The coordinated takedown of Emotet in April 2021 was a huge deal for the cybersecurity world – only for it to return in November. That said, its comeback was weak. Emotet activity is well below what it once was and not nearly as rampant globally. For example, two-thirds of detections were limited to the region of Latin America, where activity was 25x higher than in Europe and North America. 

Combatting the scourge of bots

So, what’s the takeaway in all of this? The major point is that botnets are growing in sophistication – and they are leveraging all manner of attack techniques. Protecting your organization against botnet threats requires a holistic, integrated approach to security. Point products need to be replaced with security devices designed to operate as a unified solution to consistently protect every user, device and application. This approach also enables centralized management to ensure that policies are enforced consistently, configurations and updates are delivered promptly, and suspicious events are centrally collected and correlated.

It’s also vital to harden your Linux systems and OT environments, including adding tools designed to protect, detect and respond to threats in real time. Similarly, take a security-first approach when adopting new technologies, whether upgrading Windows systems or adding satellite-based connectivity, to ensure protections are in place before adding them to your network. In addition, deploy behavioral analytics to discover and block attacks during initial reconnaissance and probing efforts to prevent problems that can arise when they are only found later in the attack chain.

In addition, you should deploy AI and machine learning capabilities across the network to baseline normal behavior, correlate threat data, respond instantly to changes, and detect and disable sophisticated threats before they can execute their payloads. Consider deception technologies to turn traditionally passive security into active defense systems.
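The two ideas above, that post-compromise botnet traffic shows up as Command and Control beacons to remote hosts, and that a baseline of normal behavior lets analytics surface what does not fit, can be shown concretely on connection logs. The following is an added example written for this page, not code from the article or from FortiGuard Labs. It parses a constructed connection log (addresses from the RFC 5737 documentation ranges, not captured traffic), groups connections by source, destination and port, and flags pairs whose inter-connection intervals are nearly constant, which is how a scheduled check-in to a C2 host tends to look. The `BASELINE_DESTINATIONS` set is a hypothetical stand-in for the learned baseline of known-good destinations the article recommends; in practice it would come from flow or proxy history rather than a literal.

```python
"""Flag periodic outbound connections (C2 beacon candidates) in a connection log.

Added example; the log, thresholds and baseline below are constructed for
illustration and are assumptions, not values from any real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "timestamp src dst dport".
# 10.0.0.12 -> 203.0.113.45:443 checks in roughly every 60 s (beacon-like).
# 10.0.0.12 -> 198.51.100.7:443 is irregular user traffic to a known service.
# 10.0.0.20 -> 203.0.113.45:443 has too few hits to judge.
# 10.0.0.31 -> 192.0.2.9:8080 checks in exactly every 300 s (beacon-like).
SAMPLE_LOG = """\
2021-11-03T09:00:00 10.0.0.12 203.0.113.45 443
2021-11-03T09:00:05 10.0.0.12 198.51.100.7 443
2021-11-03T09:00:07 10.0.0.12 198.51.100.7 443
2021-11-03T09:01:02 10.0.0.12 203.0.113.45 443
2021-11-03T09:01:59 10.0.0.12 203.0.113.45 443
2021-11-03T09:02:00 10.0.0.20 203.0.113.45 443
2021-11-03T09:03:00 10.0.0.20 203.0.113.45 443
2021-11-03T09:03:01 10.0.0.12 203.0.113.45 443
2021-11-03T09:03:40 10.0.0.12 198.51.100.7 443
2021-11-03T09:04:00 10.0.0.12 203.0.113.45 443
2021-11-03T09:04:58 10.0.0.12 203.0.113.45 443
2021-11-03T09:10:00 10.0.0.31 192.0.2.9 8080
2021-11-03T09:15:00 10.0.0.31 192.0.2.9 8080
2021-11-03T09:15:12 10.0.0.12 198.51.100.7 443
2021-11-03T09:15:13 10.0.0.12 198.51.100.7 443
2021-11-03T09:20:00 10.0.0.31 192.0.2.9 8080
2021-11-03T09:25:00 10.0.0.31 192.0.2.9 8080
2021-11-03T09:30:00 10.0.0.31 192.0.2.9 8080
2021-11-03T09:41:00 10.0.0.12 198.51.100.7 443
"""

# Hypothetical baseline of destinations already known to be normal for this
# network (stand-in for a learned behavioral baseline).
BASELINE_DESTINATIONS = {"198.51.100.7"}

MIN_HITS = 5       # fewer connections than this is not enough to call a rhythm
MAX_JITTER = 0.2   # max coefficient of variation (stdev / mean) of the intervals


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_beacons(events, baseline=BASELINE_DESTINATIONS,
                 min_hits=MIN_HITS, max_jitter=MAX_JITTER):
    """Return one finding per (src, dst, dport) whose connections are near-periodic.

    Pairs with a destination in the baseline, or with too few connections, are
    skipped. Jitter is the coefficient of variation of the gaps between
    consecutive connections: close to 0 means a fixed schedule.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in by_pair.items():
        if dst in baseline or len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": dport,
                "hits": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

The jitter threshold is the tuning knob: real implants add random sleep to blur the rhythm, so a tight threshold misses them while a loose one flags polling by legitimate agents. That is exactly where the baseline earns its keep, since a destination that every host has talked to for months on a fixed schedule is far less interesting than one a single host started calling yesterday.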

If you wait, you’re too late

We’re likely to see record-level volume and viciousness of cyberattacks this year. Integrating network and security tools into a proactive cybersecurity mesh architecture is vital as you protect your organization today from the next generation of threats. Broad deployment, deep integration and dynamic automation should be the hallmarks of any security system used to protect networks. If you wait until some indeterminate time in the future to make these necessary changes, you may find that you’re too late.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST, all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
