A botnet is a network of internet-connected devices that have been infected with malware and are controlled remotely by threat actors. These devices include servers, routers, webcams, DVRs, smart TVs, set-top boxes, smart light bulbs, and other internet-connected equipment. Botnets are built by compromising consumer and corporate devices through phishing campaigns, unpatched software vulnerabilities, or brute-force attacks on default or weak passwords. Once infected, the devices connect to a Command and Control (C2) server operated by the threat actors, often without the device owner’s knowledge. The threat actors then send instructions to execute malicious cyber activities, such as Distributed Denial-of-Service (DDoS) attacks to crash websites or services, spam emails to spread more malware, and credential stuffing to try millions of stolen credential combinations across different websites simultaneously.
Over the years, botnets have evolved significantly, moving from simple infections to large-scale, AI-driven networks of compromised Internet-of-Things (IoT) devices. Traditional botnets typically targeted computers and laptops, were used to send spam and conduct small-scale DDoS attacks, and took hours to days to carry out their attacks. In contrast, modern botnets now take just seconds or minutes to target IoT devices, cloud infrastructure, and AI agents in terabit-scale DDoS attacks. The wide distribution of botnets across multiple countries enables threat actors to generate traffic from many locations simultaneously. This change allows threat actors to quickly and discreetly build large networks that are difficult to detect, to block by country, and to fully shut down.
The NJCCIC recently observed phishing campaigns attributed to botnets and continues to receive multiple reports of compromised devices, infected websites, and DDoS attacks. Cloudflare reported a surge of DDoS attacks in the past year, including a record-setting 31.4 Tbps attack. The US Justice Department, along with other authorities, disrupted the world’s largest IoT DDoS botnets—Aisuru, KimWolf, JackSkid, and Mossad—responsible for 300,000 DDoS attacks used for extortion, account abuse, credential theft, and the infection of over 3 million devices worldwide. Additionally, a Brazilian tech firm specializing in DDoS protection discovered a botnet responsible for massive DDoS attacks against other Brazilian network operators, likely the result of a security breach by a competitor. Furthermore, CISA and NCSC-UK issued a joint advisory highlighting the rise of professionally maintained, covert botnet networks. The rise of sophisticated botnets and DDoS attacks has fundamentally shifted the cybersecurity threat landscape and the impact on organizations.
Recommendations
- Change default passwords, use strong, unique passwords, and enable multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes.
- Ensure systems are patched and up to date, encrypt sensitive data, and use a virtual private network (VPN).
- Use a firewall, employ DDoS protection solutions, and closely monitor websites and services.
- Identify network edge devices and the organizational assets that should connect to them.
- Baseline normal connections, especially to VPNs or other similar services, and identify anomalous behavior.
- Leverage available dynamic threat feeds that include covert network infrastructure.
- Review the joint advisory for additional recommendations.
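As an added example that is not part of the NJCCIC bulletin, the following Python script illustrates the "baseline normal connections and identify anomalous behavior" recommendation above. It assumes a simplified connection-log format of "<ISO timestamp> <source IP> <destination IP> <destination port>" (hypothetical; adapt the parser to your firewall or NetFlow export), learns which destinations each internal source normally talks to from a baseline window, and then flags three kinds of anomaly in a later observation window: a known device reaching a destination it never used before, a never-before-seen source contacting an internal service such as the VPN, and a flow repeating at a near-constant interval, which is a common C2 beaconing pattern. All log lines and thresholds are constructed for the example.

```python
"""Baseline-and-anomaly check over connection logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline window: hypothetical devices reaching the VPN gateway
# (10.0.0.5:443) and a camera streaming to an internal recorder (10.0.0.9:554).
BASELINE_LOG = """\
2025-05-01T09:00:00 10.0.2.10 10.0.0.5 443
2025-05-01T09:05:00 10.0.2.11 10.0.0.5 443
2025-05-01T09:10:00 10.0.1.20 10.0.0.9 554
2025-05-01T10:00:00 10.0.2.10 10.0.0.5 443
2025-05-01T10:15:00 10.0.2.11 10.0.0.5 443
2025-05-01T11:00:00 10.0.1.20 10.0.0.9 554
"""

# Constructed observation window: the camera starts talking to an unknown
# external host every 30 seconds, and an unknown source hits the VPN gateway.
OBSERVATION_LOG = """\
2025-05-07T09:00:00 10.0.2.10 10.0.0.5 443
2025-05-07T09:02:00 10.0.1.20 203.0.113.7 6667
2025-05-07T09:02:30 10.0.1.20 203.0.113.7 6667
2025-05-07T09:03:00 10.0.1.20 203.0.113.7 6667
2025-05-07T09:03:30 10.0.1.20 203.0.113.7 6667
2025-05-07T09:04:00 198.51.100.4 10.0.0.5 443
"""


def parse(log_text):
    """Parse the hypothetical 'timestamp src dst port' format into dicts."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port)})
    return records


def build_baseline(records):
    """Map each source to the set of (dst, port) pairs it normally reaches."""
    baseline = defaultdict(set)
    for r in records:
        baseline[r["src"]].add((r["dst"], r["port"]))
    return dict(baseline)


def find_anomalies(baseline, records, min_beacon_hits=4, max_jitter_ratio=0.1):
    """Return (kind, (src, dst, port)) findings for the observation window.

    kinds: 'unknown_source'  - source never seen in the baseline
           'new_destination' - known source, destination/port not in its baseline
           'beacon'          - flow repeats with near-constant spacing
    Thresholds are illustrative; tune them to your own traffic.
    """
    findings, seen = [], set()
    flows = defaultdict(list)  # (src, dst, port) -> list of timestamps
    for r in records:
        key = (r["src"], r["dst"], r["port"])
        flows[key].append(r["ts"])
        if r["src"] not in baseline:
            kind = "unknown_source"
        elif (r["dst"], r["port"]) not in baseline[r["src"]]:
            kind = "new_destination"
        else:
            continue
        if (kind, key) not in seen:  # report each anomalous flow once
            seen.add((kind, key))
            findings.append((kind, key))
    # Beacon heuristic: enough repeats and the gap between hits barely varies.
    for key, times in flows.items():
        if len(times) < min_beacon_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter_ratio:
            findings.append(("beacon", key))
    return findings


def run_example():
    """Build the baseline from the first window and check the second."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return find_anomalies(baseline, parse(OBSERVATION_LOG))


if __name__ == "__main__":
    for kind, (src, dst, port) in run_example():
        print(f"{kind:16} {src} -> {dst}:{port}")
```

In practice the baseline window should cover at least a full business cycle so that legitimate but infrequent connections (backups, patch downloads) are learned rather than flagged, and findings should be enriched with the dynamic threat feeds mentioned above before they are escalated.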
Report malicious cyber activity to the NJCCIC and the FBI’s IC3.
Published in the NJCCIC May 7, 2025 Weekly Bulletin