Recruitment: a device becomes a bot through malware (Trojans, worms), exploitation of an unpatched vulnerability or, in the case of IoT, simply by trying factory credentials. Mirai built hundreds of thousands of bots using nothing but the default passwords of cameras and routers.
What is a botnet
A botnet is a network of compromised devices —computers, servers, phones, IP cameras, routers— that an attacker controls remotely through a C2 infrastructure. Each infected device, called a bot or zombie, keeps working apparently normally for its owner while carrying out the operator's orders: launching DDoS attacks, sending spam, testing stolen credentials at scale or acting as a proxy to hide other crimes. Its strength lies in the sum: one bot is irrelevant, but hundreds of thousands acting in concert generate firepower that is rented out by the hour on criminal markets. And any poorly protected connected device is a potential recruit.
Why it matters
Botnets matter to a business in two ways at once: as a victim of their attacks and as an unwitting accomplice. As a victim, they are the muscle behind the DDoS attacks that take down websites and APIs, the credential stuffing against customer portals and the spam that distributes malware. As an accomplice, the scenario is more uncomfortable: if one of the organisation's servers, laptops or IP cameras belongs to a botnet, the company is attacking third parties without knowing it. The consequences are concrete: corporate IP addresses on blocklists that wreck email deliverability, bandwidth consumed, warnings from the Internet provider or a CERT, and evidence that an attacker has code execution inside the network — because a bot rarely comes alone, and the same access that sends spam today can deploy ransomware tomorrow. The rise of IoT makes it worse: devices with factory credentials and no patching path are permanent recruits nobody watches. Detecting a bot early is not just hygiene: it is discovering an active breach before its operator decides to monetise it differently.
Key points
Command architecture: bots take orders from the C2 infrastructure, either centralised (servers that law enforcement can take down) or distributed P2P, with techniques such as algorithmically generated domains (DGA) and fast-flux to resist blocking and takedowns.
Main uses: DDoS attacks for hire, mass spam and phishing distribution, credential stuffing against online services, advertising click fraud and cryptocurrency mining on other people's hardware.
Residential proxies: many botnets rent out their victims' connections so other criminals can browse 'from' those home or corporate IPs, evading geo-blocking and anti-fraud systems. The company's IP address ends up signing off on someone else's crimes.
Signs a corporate machine is a bot: anomalous or periodic outbound traffic to strange domains (beaconing), bulk or randomly named DNS queries, unexplained CPU or bandwidth consumption, the corporate IP appearing on blocklists, and external warnings from the ISP or a CERT.
Disinfection: isolate the device, identify the malware and its entry route, rebuild from scratch (for IoT, updated firmware and fresh credentials), rotate the credentials the machine knew, and close the root cause. Without that last step, reinfection is a matter of days; network segmentation limits the reach of the next attempt.
Example: An IP camera turns the company into an attacker
An industrial firm installs eight IP cameras to monitor its warehouse. The integrator connects them to the corporate network and nobody changes the factory password or updates the firmware. Three weeks later, an automated scanner belonging to a Mirai-style botnet finds one of the exposed cameras, logs in with the default credentials and recruits it; from there, it scans the internal network and adds five more. The devices keep recording normally: nobody notices anything until the Internet provider sends a formal notice because the company's IPs are participating in DDoS attacks against third parties, and the corporate domain starts landing on blocklists that stop its commercial email from being delivered.
The SOC investigation confirms the cameras' beaconing towards the C2 and uncovers the more serious finding: the cameras shared a network segment with the production servers, so the botnet operator had a foothold inside the factory's flat network. Remediation combines the immediate —isolating and reflashing the cameras, unique credentials, blocking the C2— with the structural: segmenting IoT into its own VLAN with no direct route to the Internet, and putting connected devices through IoT security testing before they are ever plugged into production.
Common mistakes
- Downplaying a bot because it 'only sends spam'. A bot is proof that someone is executing code inside your network; that same access gets resold and can end in ransomware or exfiltration. It is an active breach, not a nuisance.
- Leaving IoT out of the inventory and the patching programme. Cameras, printers, UPS units and routers are botnets' favourite recruits precisely because nobody watches them, they never get updated and they keep factory credentials for years.
- Disinfecting the machine without closing the entry route. If the vulnerability remains unpatched or the default credential stays active, the same automated scanner that recruited it the first time will reinfect it within days.
- Ignoring external warnings. Emails from the ISP or a CERT, or appearing on blocklists, are often the first and only sign of infection; treating them as bureaucratic spam gifts the attacker months of dwell time.
- Watching only inbound traffic. A bot gives itself away through what leaves: periodic beaconing to the C2, coordinated traffic spikes, anomalous DNS. Without outbound traffic monitoring, the botnet operates in complete peace.
Related terms
Related services
This concept may be related to services such as:
Frequently asked questions
How do I know if my company is part of a botnet?
The most reliable signals are network-level: periodic outbound connections to unknown domains (beaconing), DNS queries with random-looking names, unexplained traffic spikes and devices talking to the Internet when they should not. Add the external warnings: the corporate IP on blocklists, formal notices from the ISP or notifications from a CERT. A SOC with visibility of outbound traffic detects these patterns routinely.
Why do botnets recruit so many IoT devices?
Because they are the perfect target: they ship with factory credentials nobody changes, many never receive patches, they run twenty-four hours a day and no antivirus runs on them. They also tend to join the corporate network unsegmented, so a single compromised device gives the attacker a permanent presence inside the perimeter with visibility of the whole segment.
What exactly does a botnet operator gain?
Money, almost always through rental. The dominant model is service-based: DDoS by the hour, spam by the million, residential proxies by the gigabyte, and computing capacity for mining or credential stuffing. The operator can also resell access to 'interesting' bots —a corporate server is worth more than a camera— to ransomware groups, turning a minor infection into the opening phase of a targeted attack.
How do you disinfect a machine that belongs to a botnet?
First, isolate it from the network and preserve the evidence to understand the entry route. Then rebuild from a clean source —for IoT, updated firmware— and replace every credential the device knew or stored. Finally, and decisively, close the root cause: patch the vulnerability, remove default credentials and segment the device. Cleaning without closing the door merely schedules the reinfection.