Lots and Lots of Bots: Looking at Botnet Activity in 2021

A botnet today can be used as a foundation for bad actors to carry out other attacks later

Botnets continue to be a major problem for cybersecurity teams. As threats grow more sophisticated, botnets are becoming more malicious, sometimes able to assemble hundreds of thousands of drones that can attack a variety of machines, including Mac, Linux and Windows systems, edge devices, IoT devices, and so on.

Examining threat trends around botnet activity is helpful because it provides a glimpse into the malicious activities tied to Command and Control tactics. In the first half of 2021, the percentage of organizations detecting botnet activity jumped from 35% to 51%, according to the latest global threat landscape report from FortiGuard Labs.

That increase was led by a surge in the use of TrickBot, which was taken offline in 2020 but came back on the radar in mid-2021, though not as prolific as before. TrickBot was designed initially as a banking trojan but has since evolved into a sophisticated, modular, multi-stage toolkit supporting a range of illicit activities. TrickBot certainly wasn’t the only such botnet in use, however, as FortiGuard Labs researchers saw.

Major botnet trends

The surge we’ve seen so far this year is rather peculiar for aggregate botnet activity. Mirai was the most prevalent, overtaking Gh0st in 2020 and continuing to dominate ever since. Mirai became notorious several years ago after fueling massive IoT-based DDoS attacks. Since that time, it’s continued adding new cyberweapons to its arsenal to maintain its dominance. It’s likely that Mirai’s dominance stems at least in part from attackers seeking to exploit IoT devices used by (or proximate to) remote workers. 

Also, during the first half of this year, Gh0st has been noticeably active. The remote access botnet allows malicious actors to take full control of the infected system, access live webcam and microphone feeds, download and upload files, log keystrokes and perform other nefarious activities.

In a very unusual twist, other than Gh0st and Mirai, most of the remaining botnets we saw in 2021 weren’t in the top 10 previously. The usual suspects tend to turn up every time, so it’s surprising to see some newcomers to the group. The prominent bump in prevalence toward the end of the half-year demonstrates those newcomers helped drive overall botnet activity to new heights. Communications with the Trochilus botnet bumped up early in the year, particularly in Oceania and Southeast Asia. 

What’s behind the surge

The traditional perimeter is obviously a relic of the past. The edge, understood as the barrier between your own network (your LAN) and the internet, has faded away. There are cloud services, mobile services and web services, so there is no edge anymore; everyone’s living on the edge. Organizations are accessing the internet in all sorts of ways, including through IoT and other devices, and attackers are leveraging this and finding new ways into your organization. They’re landing and expanding. They’re moving laterally throughout the network and thinking, “Even if I can only access you through an IoT device, how can I use that to perhaps reach a more valuable target?”

We’re seeing a lot of web-borne threats and, unfortunately, many environments still aren’t segmented or secured the way they should be. And attackers are definitely using botnets to take advantage of this. A botnet today can be used as a foundation for bad actors to carry out other attacks later. 

Next steps

With the traditional edge gone, the old ways of securing environments no longer work, which means organizations need to look for ways to extend cybersecurity beyond the edge. Addressing the ongoing security challenges related to increasingly distributed networks and the rapidly dissolving network perimeter can seem daunting.

The first steps to address these challenges, particularly for remote access, include moving to modern endpoint security solutions and embracing a zero-trust model. That means no user or device is trusted until fully verified. Zero trust access (ZTA) focuses on role-based access control to the network. Its partner, zero-trust network access (ZTNA), relates to brokered access for users to applications and allows organizations to extend the zero-trust model beyond the network.

In addition, advanced, automated endpoint protection, detection and response (EDR) solutions need to provide visibility into devices and their state, strong protection measures, remote monitoring tools and threat remediation for endpoint devices of all kinds.

New security strategies

Botnet attacks continue to rise, with many new varieties entering the field. Old defense strategies won’t work, which highlights the need for new ones, including ZTA and ZTNA. Another needed strategy is more proactive collaboration among organizations and law enforcement, like the kind that helped bring down Emotet. Modern endpoint security solutions will also go a long way toward securing your borderless network.

Written By

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in an effort to shape the future of actionable threat intelligence and proactive security strategy.
