Most Dangerous Botnets That are Still in the Game

Most Dangerous Botnets

While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to make it happen. One of the ways to do that is to infect legitimate devices and use them for running malicious code in the background. That’s where botnets come into play.

According to Spamhaus, the third quarter of 2021 has seen an 82% surge in the number of emerging botnet command & control servers. FastFlux technique has been mostly used by malicious operators to install backdoors for further malware updates and lateral movement.

Large botnets are notoriously hard to kill, with some of them operating for decades. Let’s take a look at the most dangerous of them that are still highly active at the beginning of 2022.



The botnet that used to be described as “world’s most dangerous malware,” is back again, after an official takedown earlier in 2021. The international law enforcement operation orchestrated a mass-uninstall of this malware, cleaning out all the infected computers across the world.

However, these measures stopped Emotet for only a few months. Even after the takedown of all its C&C centers, it recently emerged again, this time operating through another notorious botnet TrickBot.

Emotet sends its malicious malware strains to endpoint devices of presumably random users by email spam. Once downloaded, the code installs additional payloads.

Emotet started off as a banking Trojan but later expanded its influence. Infected devices constitute a Malware-as-a-Service infrastructure for cybercriminal groups, acting as proxy servers that forward the malicious traffic to the real backend. Multiple methods of maintaining persistence and evasion techniques make it difficult to detect this malware. One of the ways to ensure timely detection on an enterprise level is to power up security operation centers with SOC Prime’s Detection as Code Platform which provides the newest threat detection rules in real time.


Just like Emotet, TrickBot started off as a banking Trojan and later on grew into sophisticated modular malware capable of spreading follow-on ransomware, maintaining persistence, and conducting reconnaissance. The malware applies various distribution vectors in multi-purpose campaigns and ultimately, can take complete control over the infected devices. TrickBot is arguably more advanced than Emotet because it updates itself a few times a day and deletes itself once certain tasks are fulfilled.

The configuration of the latest TrickBot version allows attackers to decide what exactly they want to do once the Trojan gets into the target system. For example, they can go for credential harvesting to steal personal and financial data or collect other information like cookies and web history. Otherwise, it is possible for them to install ransomware payloads directly or manipulate web browsing sessions, connecting the infected devices to criminally controlled networks.

Despite the U.S. Department of Justice arresting one of the TrickBot coders Alla Witte, the malware family continues its operation, spreading across millions of computers globally.


The predecessor of Mēris, Mirai botnet appeared in 2016 and has been targeting enterprise-level hardware since then. In 2019, it grew into a network of several related botnets that were sometimes competing with each other. In fact, after the DDoS attack on DNS provider Dyn which took down Twitter, Spotify, and GitHub, Mirai grew to 63 malware variants.

The latest activity of Mirai includes exploiting six critical Azure OMIGOD vulnerabilities, even after the official patch release. The attackers used an Open Management Infrastructure (OMI) software agent to leverage remote code execution or elevate privileges on vulnerable Linux virtual machines running on Microsoft Azure. Thousands of Azure customers and millions of endpoints were estimated to be exposed to the risk of such attacks.

Vulnerabilities were also found in hardware devices like SonicWall, Netgear, and D-Link. Mirai was also found trying to take advantage of the unknown vulnerabilities in the internet-of-things (IoT) gadgets.

The ongoing massive migration to cloud-based environments is supported by large institutions maintaining numerous hardware servers at the backend, providing storage to smaller companies. The activity of botnets like Mirai represents a significant threat because upon shutting down cloud service providers, they can impact business operations on a global scale.


ZeroAccess is a distributed peer-to-peer (P2P) botnet that has been infecting tens of millions of computers since 2011 and operates primarily for the purpose of monetary gains. Some of the most frequently used methods include bitcoin mining, click fraud, information theft, and pay-per-install. ZeroAccess creates separate file systems for stolen credentials and applies rootkit techniques for stealthy communication.

A typical ZeroAccess attack starts by prompting a random user to visit an infected website. This could be executed by sending an email with a link, sharing a torrent file, or even by compromising legitimate sites and redirecting the traffic. Malicious websites hide PHP scripts that exploit security vulnerabilities of the software installed on a victim’s device (Adobe Acrobat, Internet Explorer, etc.). Once infected, the target system turns into a bot and starts the further exploitation of computational power for malicious purposes.

In 2021, the activity of this botnet surged 619,460%, and after that sank down. This is what ZeroAccess has been doing for years: after the massive bursts of activity usually come the periods of complete silence for months before appearing again. Such waves of activity could be explained by malware retooling or theming.


Botnets are nothing new to the cybersecurity community, nevertheless, some of them have been active for years and are still highly dangerous. Governments of countries like the US take measures in tackling these threats but they can help only for a few months, after which the malware rebounds again.

Large botnets require a lot of processing power for their operation, that’s why they are interested in taking over millions of devices of unsuspecting users. And once they do, it is possible for them to install ransomware, shut down the operation of critical infrastructures, steal money, and spy for confidential data. For organizations, it is crucial to conduct an enhanced set of measures to protect their networks of devices against these threats. To streamline their detection capabilities, they might use SOC Prime’s Detection as Code platform that has the latest content to detect the malicious activity caused by botnets described above, along with online translation tools like Uncoder.IO that supports instant content conversion into a variety of SIEM, EDR, and NTDR formats.

By Gary Bernstein

Ray Meiring
Fueled by extensive demand in IT, healthcare, financial services, and telecommunication—initially spurred by the pandemic-driven frenzy to transition to remote working—managed service providers (MSPs) are busier than ever. As businesses adopt MSP services to upgrade, ...
Cyber Threat Intelligence In an era of rapid digital transformation, we have witnessed a concerning evolution in the cyber threat landscape. Recent data analyses, as illustrated in the "Cyber Threat Intelligence Index: Q3 2023" report, ...
Gilad David Maayan
What Is Object Storage? Object storage, in the simplest terms, is a data storage architecture that manages data as objects, as opposed to traditional block storage or file storage architectures. These objects include the data, ...
Gary Bernstein
Artificial Intelligence (AI) has emerged as a transformative force that is reshaping industries, improving our daily lives, and pushing the boundaries of human potential. This cutting-edge technology is no longer confined to science fiction; it ...
Ronald van Loon
The increasing adoption of technology and AI in business continues to drive concerns regarding sensitive data and the protection of assets. Organizations must implement tools to protect data while also leveraging that data to identify ...
Gary Bernstein
AI-powered identity verification Even if you don’t want to admit it, doing business online in today’s environment poses a greater risk. Criminals are constantly on the lookout for vulnerabilities to exploit, including hacking, data breaches, ...

Get Smarter

Whether you're just starting out in the online industry or looking to take your skills to the next level, Get Smarter eLearning platform is the perfect choice for you. Sign up today and start your journey towards online success!

Use code LEARN15 to enjoy 15% off all courses.