Top threat trends of the 2025 botnet landscape
What defenders learned from a year of record‑scale, automated, and commoditized botnet activity
Takeaways
- Botnet risk in 2025 extended beyond direct attacks, with shared infrastructure and upstream providers increasingly caught in the blast radius of large‑scale DDoS campaigns
- Speed and automation mattered more than sophistication, as short‑duration, high‑intensity attacks routinely outpaced human response while exploiting long‑known vulnerabilities
- Botnets evolved into shared criminal infrastructure, supporting fraud, proxy services, malware delivery, and initial access operations—not just denial‑of‑service attacks
2024 was a year of both disruption and acceleration for botnet-driven threats. We had some big multi-national law enforcement victories, like the takedown of the 911 S5 botnet, which was the largest botnet in the world at the time. But we also saw the resilience of the botnet-related landscape. Overall botnet activity continued to grow in scale and intensity. Distributed denial‑of‑service (DDoS) attacks surged, attack volumes broke new records, and botnets increasingly enabled extortion, fraud, and cryptomining across a broad mix of compromised endpoints.
Botnets that dominated 2024 continued to have an outsized impact on 2025. Their attack intensity, monetization strategies, command-and-control (C2) management, and other operational choices set the trajectory for the botnet activity observed across 2025. Here are a few examples:
- Phorpiex was a high‑volume spam botnet in 2024. Over the next year it evolved into a durable, multi‑purpose delivery platform, using hybrid peer‑to‑peer and command‑and‑control designs to sustain ransomware deployment, sextortion campaigns, and cryptocurrency theft despite ongoing disruption efforts.
- Androxgh0st gained attention in 2024 for stealing credentials and exploiting exposed web services. In 2025 this botnet had evolved into a hybrid operation that linked botnet activity with cloud abuse, SaaS credential exploitation, and stealthy infrastructure hosting. This is one of the earliest documented operations to deliberately combine core botnet activity with initial access operations.
- Mirai variants have been growing rapidly since the public release of the Mirai source code in 2016. In late 2024 Cloudflare reported record-setting Mirai-based DDoS and network‑layer attacks. The following year, researchers tracked more than 116 distinct Mirai variant branches and found a 50% increase in Mirai-related C2 infrastructure.
Botnets became both more active and more dangerous since the end of 2024. Operations that were dismantled or disrupted into fragments re-emerged under new names and infrastructure. Global botnet activity continued to grow, with new malware families and successor operations quickly replacing those that disappeared. Within the larger threat landscape, botnets have become a scalable and resilient service that is widely accessible to attackers of all types and skill-sets.
Botnet basics
A botnet is a network of internet‑connected devices that have been infected by malware that connects the devices to a system controlled by a threat actor. This threat actor is referred to as a 'botmaster' or 'bot herder,' and each infected device is a bot or a 'zombie.' Threat actors usually compromise devices by exploiting known software vulnerabilities, guessing or brute‑forcing weak or default passwords, exploiting or abusing insecure APIs, or using malware loaders delivered through phishing or malicious downloads. Once the malware infects a device, it will download instructions and begin acting as part of the larger 'robot network.'
Botnets were originally built on compromised PCs and servers, but the internet of things and the industrial internet of things (IoT, IIoT) have provided a rich landscape for creating bots. These devices are attractive targets because they are almost always online and rarely receive software or firmware updates. Threat actors are also exploiting misconfigured cloud instances to create more powerful bots for their networks.
The following are the most common uses of botnets:
- DDoS attacks: Botnets flood a target with traffic, overwhelming bandwidth or server capacity and causing outages. Large IoT botnets are especially effective at generating massive volumes of traffic. These attacks are favorite tools of hacktivists.
- Spam and phishing campaigns: Compromised devices are used to send spam or phishing emails at scale, helping threat actors evade reputation‑based filters.
- Malware distribution and initial access: Some botnets act as delivery mechanisms, installing additional malware such as ransomware, info‑stealers, or remote access tools.
- Credential theft and surveillance: Infected systems may log keystrokes, capture credentials, or monitor network traffic.
- Cybercrime‑as‑a‑service: Many modern botnets are monetized by renting access to other criminals, lowering the barrier to launching attacks. Botnets available as a service allow anyone to rent the ability to launch attacks on a target of their choice.
Attack surface explosion
The growth of IoT targets and uncertified Android Open Source Project (AOSP) devices directly supplied the botnet infrastructure. Consumer IoT devices accounted for about 60% of all IoT in 2025, suggesting the majority of IoT devices are low-cost, lightly secured endpoints sitting in homes and small businesses. About 35% of global DDoS attacks now originate from IoT botnets.
Uncertified AOSP devices became the dominant platform powering the two largest botnets of 2025. You can think of AOSP as the raw Android codebase without the proprietary features of Google. It is a codebase that anyone can use, modify and build on. Certified AOSP builds pass Google's certification process and are eligible for Google's enhanced security and updates. Uncertified AOSP lacks this approval, which makes the devices running these builds less expensive, but also less secure. Uncertified AOSP became the primary infrastructure for two of the largest botnets in 2025:
- BadBox 2.0 compromised over 10 million uncertified AOSP devices to become the largest botnet of infected connected TV devices ever uncovered. Unlike many botnets, these devices were compromised with malware that was installed prior to purchase or via compromised updates that are required during the set-up process. The BadBox 2.0 operation conducts ad fraud and click fraud, and sells residential proxy services to other threat actors. These proxy services are used for malware distribution, DDoS attacks, account takeovers, and fake account creation.
- Kimwolf has compromised more than 2 million Android devices and functions primarily as massive-scale DDoS infrastructure, issuing 1.7 billion attack commands in a three-day span. Kimwolf is closely associated with the Aisuru botnet, but targets Android platforms and has a different monetization scheme.
You can get more information on these botnets here:
- BADBOX 2.0 Case Study: Google’s July 2025 Lawsuit Against the Botnet Infecting 10 Million Residential Android Open-Source IoT Devices
- Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes
- Aisuru, KimWolf Botnets Disrupted in International Operation
- Kimwolf: possible Aisuru successor capable of multi-Tbps DDoS attacks
- Kimwolf botnet leverages residential proxies to hijack 2M+ Android devices
2025 botnet patterns of risk
Botnets remained one of the most persistent and adaptable threats throughout 2025, but how they were built and used continued to change in ways that increased risk for organizations of all sizes. Rather than relying on a single tactic, modern botnets combined massive scale and automation, and leaned into the commercialization of their services. These are the dominant patterns that emerged in 2025.
Hyper‑volumetric DDoS capable of disrupting shared infrastructure
In 2025, botnet‑driven DDoS attacks reached unprecedented size, capable of targeting internet infrastructure. The Aisuru botnet, estimated at 1–4 million infected devices, was a major driver of attacks that routinely exceeded 1 terabit per second (Tbps) and 1 billion packets per second (Bpps), with record peaks of 29.7 Tbps. At this scale, attack traffic can overwhelm internet service providers (ISPs), hosting platforms, and transit networks, causing outages for multiple companies that rely on the targeted infrastructure. Cloudflare reported mitigating 8.3 million DDoS attacks in Q3 2025, representing 15% quarter‑over‑quarter (QoQ) and 40% year‑over‑year (YoY) growth, underscoring how frequently these large‑scale botnets were active.
Short‑duration, high‑impact DDoS attacks that evade response
Short, high‑intensity DDoS attacks increased significantly in 2025. These attacks are designed to overwhelm systems before defenders can manually react. 71% of HTTP‑layer attacks and 89% of network‑layer attacks ended in under 10 minutes, which is too fast for human‑led mitigation. While these attacks were short, they often triggered service instability, failed transactions, user lockouts, and recovery delays that lasted much longer than the attack itself. At the same time, Cloudflare reported sharp growth in attack intensity, with floods exceeding 100 million packets per second rising 189% QoQ and attacks over 1 Tbps rising 227% QoQ, showing that shorter attacks were not smaller attacks.
Automated exploitation of known vulnerabilities to grow botnets
Botnet growth in 2025 was driven less by novel malware techniques and more by automation against known vulnerabilities. Kaspersky confirmed that Mirai‑based botnets remained highly active, exploiting weak credentials and unpatched IoT vulnerabilities, including observed abuse of CVE‑2024‑3721 to compromise internet‑exposed DVR devices and recruit them into botnets used for DDoS and other activity. Rather than targeting a single device type, operators scanned broadly for exposed services and deployed multi‑architecture malware to rapidly convert vulnerable systems into bots. Industry reporting highlighted the same pattern among other botnets, including Gafgyt variants, showing how quickly publicly disclosed flaws were weaponized at scale.
Cloud and edge systems increasingly used as botnet infrastructure
Botnets increasingly recruited cloud‑hosted and edge environments throughout the year. Threat research documented large‑scale campaigns exploiting public application vulnerabilities and cloud misconfigurations to compromise PHP applications, gateways, and exposed services, turning them into reliable botnet nodes. Cloud nodes provide higher bandwidth, persistent connectivity, and closer proximity to enterprise systems than IoT and mobile devices or computer workstations and servers. As such, these are particularly valuable for DDoS operations and lateral movement. This trend blurred the distinction between traditional botnet activity and early‑stage intrusion.
Botnets as rented infrastructure and proxy services
One of the major risk patterns in 2025 was something we mentioned earlier, which is the continued commoditization of botnets as shared criminal infrastructure. Large botnets such as Aisuru were sold as botnet‑for‑hire services, lowering the technical and financial barrier to launching large‑scale DDoS attacks. At the same time, law‑enforcement advisories described how the dismantled 911 S5/Cloudrouter operation monetized more than 19 million compromised residential IP addresses as proxy services, enabling fraud, anonymity, and initial access brokering while hiding attackers behind legitimate‑looking traffic. Botnets increasingly functioned as a foundation for many types of cybercrime, not just denial‑of‑service attacks.
Lessons and action items for defenders
Botnets are no longer a single threat type but a scalable, resilient service layer that underpins much of today’s cybercrime ecosystem. While law‑enforcement takedowns and infrastructure disruptions created short‑term wins, overall botnet activity continued to grow in volume, speed, and diversity of use.
Botnet risk now includes indirect and upstream impact
High‑volume botnets such as Aisuru demonstrated that organizations do not need to be the intended target to experience disruption. Attacks at multi‑terabit scale overwhelmed ISPs, hosting providers, and transit networks, creating outages for downstream customers sharing that infrastructure. This expanded the botnet threat model beyond “are we attacked?” to “are we dependent on something that could be attacked?”
Action items:
- Map critical dependencies on ISPs, cloud providers, content delivery networks (CDNs), and DNS providers to understand where shared‑infrastructure exposure exists.
- Ensure incident response plans account for third‑party disruption scenarios, not just direct compromise or attack.
Human‑paced response is no longer sufficient
The prevalence of short‑duration, high‑impact DDoS attacks in 2025 showed that defenders often do not get a meaningful response window. With most attacks ending in under 10 minutes but still causing significant downstream effects, reliance on manual escalation and intervention increasingly failed to match attacker speed.
Action items:
- Review detection and alerting workflows to ensure detection time is measured in seconds, not minutes.
- Identify critical services where even brief outages trigger business, safety or regulatory impact.
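As an added illustration of the "detection time in seconds" action item (example code written for this post, not Barracuda tooling): a sliding-window packets-per-second detector run over constructed one-second flow samples, showing a burst being flagged one second after onset rather than after the attack has ended. The destination addresses, threshold, window size and sample volumes are assumed values.

```python
from collections import defaultdict, deque


def detect_bursts(flows, window_s=5.0, pps_threshold=1_000_000):
    """Sliding-window packets-per-second detector.

    flows: iterable of (ts_seconds, dst, packets) samples in arrival order.
    Returns {dst: (alert_ts, pps)} with the first window per destination
    whose average packet rate reached pps_threshold. Alerting on the first
    qualifying window, not on a post-attack report, is what keeps the
    detection time in seconds for a 10-minute flood.
    """
    windows = defaultdict(deque)  # dst -> deque of (ts, packets) in window
    sums = defaultdict(int)       # dst -> packets currently inside the window
    alerts = {}
    for ts, dst, packets in flows:
        q = windows[dst]
        q.append((ts, packets))
        sums[dst] += packets
        # Drop samples that have fallen out of the trailing window.
        while q and q[0][0] <= ts - window_s:
            _, old = q.popleft()
            sums[dst] -= old
        pps = sums[dst] / window_s
        if pps >= pps_threshold and dst not in alerts:
            alerts[dst] = (ts, pps)
    return alerts


def constructed_flows(burst_start=30, burst_end=90,
                      burst_pps=2_500_000, baseline_pps=1_000):
    """Constructed one-second samples: one attacked host, one quiet host."""
    flows = []
    for t in range(0, 121):
        attacked = burst_pps if burst_start <= t < burst_end else baseline_pps
        flows.append((float(t), "203.0.113.10", attacked))      # attacked host
        flows.append((float(t), "203.0.113.20", baseline_pps))  # quiet host
    return flows


def seconds_to_detection(flows, burst_start=30, **kw):
    """Seconds between burst onset and the first alert for the attacked host."""
    alert_ts, _ = detect_bursts(flows, **kw)["203.0.113.10"]
    return alert_ts - burst_start


if __name__ == "__main__":
    print(detect_bursts(constructed_flows()))
    print("detected after", seconds_to_detection(constructed_flows()), "s")
```

Feeding the detector live flow samples instead of the constructed list is the only change needed to use it as a first-stage trigger for automated mitigation.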
Known vulnerabilities remain the fastest growth engine for botnets
Mirai‑based botnets and their successors continued to scale primarily through automated exploitation of known flaws, not zero‑day vulnerabilities. The ongoing abuse of weak credentials and CVEs against internet‑exposed IoT devices highlights how quickly publicly disclosed issues are weaponized at scale.
Action items:
- Treat internet‑exposed systems, especially IoT, edge and management interfaces, as high‑risk assets in vulnerability prioritization.
- Track exploitation in the wild when assessing urgency. Do not rely on CVSS scores alone.
Cloud and edge environments are part of the botnet attack surface
Botnet operators increasingly recruited cloud‑hosted applications, gateways, and misconfigured services as bot infrastructure, valuing their bandwidth, uptime, and proximity to enterprise networks. This blurred the line between botnet activity and early‑stage intrusion, particularly when compromised systems were also used for lateral movement and malware delivery.
Action items:
- Include botnet participation and outbound abuse indicators in cloud security monitoring, not just data exfiltration or account takeover.
- Pay close attention to exposed management and development interfaces.
Botnets are now enabling multiple crime types at once
Operations such as Aisuru and the dismantled 911 S5/Cloudrouter network showed that botnets increasingly function as multi‑purpose criminal infrastructure, supporting DDoS‑for‑hire, residential proxy services, fraud, and initial access brokering. This convergence means botnet exposure can amplify other risks rather than appearing as an isolated issue.
Action items:
- Watch for signs that compromised systems are being used as proxies or relays, not just traffic generators.
- Consider botnet telemetry as a signal of broader compromise risk.
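As an added illustration of the "proxies or relays, not just traffic generators" action item (example code written for this post, not Barracuda tooling): a profiler over constructed egress connection records that separates relay-like behaviour (wide destination and port fan-out with roughly symmetric byte volume, because a proxy forwards what it receives) from flood-like behaviour (huge outbound volume to few destinations with almost nothing coming back). The log format, addresses and thresholds are assumed values.

```python
import csv
import io
from collections import defaultdict

# Constructed egress connection records (src = internal host); not real data.
SAMPLE_LOG = """ts,src,dst,dport,bytes_out,bytes_in
1,10.0.0.5,198.51.100.10,443,2100,48000
2,10.0.0.5,198.51.100.11,443,1800,52000
3,10.0.0.5,198.51.100.10,443,900,30000
4,10.0.0.7,203.0.113.21,443,41000,40500
5,10.0.0.7,203.0.113.22,80,22000,21800
6,10.0.0.7,203.0.113.23,8080,15000,15200
7,10.0.0.7,203.0.113.24,25,9000,8800
8,10.0.0.7,203.0.113.25,993,12000,12300
9,10.0.0.7,203.0.113.26,5222,7000,7100
10,10.0.0.7,203.0.113.27,443,33000,32900
11,10.0.0.9,192.0.2.53,53,90000000,0
12,10.0.0.9,192.0.2.53,53,88000000,0
"""


def profile_hosts(log_text):
    """Per-source fan-out and byte totals from CSV connection records."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "out": 0, "in": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["src"]]
        s["dsts"].add(row["dst"])
        s["ports"].add(row["dport"])
        s["out"] += int(row["bytes_out"])
        s["in"] += int(row["bytes_in"])
    return stats


def classify(stats, min_dsts=6, min_ports=4, flood_ratio=50):
    """Label each host relay-like, flood-like or normal (assumed thresholds)."""
    verdicts = {}
    for host, s in stats.items():
        fanout = len(s["dsts"]) >= min_dsts and len(s["ports"]) >= min_ports
        # A relay's outbound volume tracks its inbound volume closely.
        symmetric = s["in"] > 0 and 0.5 <= s["out"] / s["in"] <= 2.0
        if fanout and symmetric:
            verdicts[host] = "relay-like"
        elif s["out"] >= flood_ratio * max(s["in"], 1) and len(s["dsts"]) < min_dsts:
            verdicts[host] = "flood-like"
        else:
            verdicts[host] = "normal"
    return verdicts


if __name__ == "__main__":
    print(classify(profile_hosts(SAMPLE_LOG)))
```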
The botnet activity observed in 2025 reinforces that defenders are facing an ecosystem problem, not a single threat. Large‑scale automation, commoditized access, and infrastructure‑level impact mean botnets will continue to play a central role in cybercrime even as individual operations are disrupted. Organizations that internalize these lessons will be better positioned to reduce both direct damage and the cascading effects that increasingly define real‑world incidents.
Barracuda can help
Stopping botnets isn’t about a single control—it’s about protecting the systems they target, abuse, and move through. Barracuda provides integrated protection across email, network, application, and cloud security, helping defenders disrupt botnet activity, block malicious traffic, and prevent compromised systems from becoming part of someone else’s attack infrastructure. Visit our website to see how Barracuda’s layered security approach can help reduce your exposure to botnet activity and the downstream risks it creates.