Most Dangerous Botnets That are Still in the Game


While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to carry them out. One way to build such a network is to infect legitimate devices and use them to run malicious code in the background. That’s where botnets come into play.

According to Spamhaus, the third quarter of 2021 saw an 82% surge in the number of emerging botnet command & control servers. The FastFlux technique has mostly been used by malicious operators to install backdoors for further malware updates and lateral movement.
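Fast flux rotates a domain's DNS A records across many compromised hosts with short TTLs, which leaves a measurable trace in resolver logs. The following is an added detection example, not part of the original article: it scores domains from a constructed DNS answer log, and the record layout, function name and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (timestamp_s, qname, answer_ip, ttl_s). Addresses are from
# documentation ranges and the domains use the reserved .example TLD.
SAMPLE_LOG = (
    [(i * 300, "flux.example", ip, 120) for i, ip in enumerate(
        ["192.0.2.10", "198.51.100.23", "203.0.113.5",
         "192.0.2.77", "198.51.100.140", "203.0.113.201"])]
    # CDN-like: short TTL and many addresses, but all inside one network.
    + [(i * 300, "cdn.example", f"192.0.2.{i + 1}", 30) for i in range(6)]
    # Ordinary site: one address, long TTL.
    + [(i * 300, "static.example", "198.51.100.7", 86400) for i in range(3)]
)

def network_key(ip):
    """Coarse network bucket: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    return (ip.version, int(ip) >> (8 if ip.version == 4 else 80))

def find_fast_flux(records, window_s=3600, max_ttl=300, min_ips=5, min_nets=3):
    """Return {domain: stats} for domains whose recent answers resemble fast flux.

    A domain is flagged only when, inside the window ending at its latest
    answer, it resolved to many addresses spread over several networks with
    a short median TTL. Requiring network spread keeps single-provider CDNs
    and round-robin pools out; an allowlist is still advisable in production.
    """
    per_domain = defaultdict(list)
    for ts, qname, ip, ttl in records:
        per_domain[qname.lower().rstrip(".")].append((ts, ip_address(ip), ttl))

    flagged = {}
    for domain, rows in per_domain.items():
        latest = max(r[0] for r in rows)
        recent = [r for r in rows if latest - r[0] <= window_s]
        ips = {r[1] for r in recent}
        nets = {network_key(ip) for ip in ips}
        ttls = sorted(r[2] for r in recent)
        median_ttl = ttls[len(ttls) // 2]  # upper median
        if len(ips) >= min_ips and len(nets) >= min_nets and median_ttl <= max_ttl:
            flagged[domain] = {"distinct_ips": len(ips),
                               "distinct_nets": len(nets),
                               "median_ttl": median_ttl}
    return flagged

if __name__ == "__main__":
    for name, stats in find_fast_flux(SAMPLE_LOG).items():
        print(name, stats)
```
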

Large botnets are notoriously hard to kill, with some of them operating for decades. Let’s take a look at the most dangerous of them that are still highly active at the beginning of 2022.



Emotet, the botnet that used to be described as the “world’s most dangerous malware,” is back again after an official takedown earlier in 2021. The international law enforcement operation orchestrated a mass uninstall of this malware, cleaning out all the infected computers across the world.

However, these measures stopped Emotet for only a few months. Even after the takedown of all its C&C centers, it recently emerged again, this time operating through another notorious botnet, TrickBot.

Emotet sends its malware strains to the endpoint devices of presumably random users via email spam. Once downloaded, the code installs additional payloads.

Emotet started off as a banking Trojan but later expanded its influence. Infected devices constitute a Malware-as-a-Service infrastructure for cybercriminal groups, acting as proxy servers that forward the malicious traffic to the real backend. Multiple methods of maintaining persistence and evasion techniques make it difficult to detect this malware. One of the ways to ensure timely detection on an enterprise level is to power up security operation centers with SOC Prime’s Detection as Code Platform which provides the newest threat detection rules in real time.


Just like Emotet, TrickBot started off as a banking Trojan and later grew into sophisticated modular malware capable of spreading follow-on ransomware, maintaining persistence, and conducting reconnaissance. The malware applies various distribution vectors in multi-purpose campaigns and can ultimately take complete control over the infected devices. TrickBot is arguably more advanced than Emotet because it updates itself a few times a day and deletes itself once certain tasks are fulfilled.

The configuration of the latest TrickBot version allows attackers to decide what exactly they want to do once the Trojan gets into the target system. For example, they can go for credential harvesting to steal personal and financial data or collect other information like cookies and web history. Otherwise, it is possible for them to install ransomware payloads directly or manipulate web browsing sessions, connecting the infected devices to criminally controlled networks.

Despite the U.S. Department of Justice arresting one of the TrickBot coders, Alla Witte, the malware family continues its operation, spreading across millions of computers globally.


The predecessor of Mēris, the Mirai botnet appeared in 2016 and has been targeting enterprise-level hardware since then. In 2019, it grew into a network of several related botnets that were sometimes competing with each other. In fact, after the DDoS attack on DNS provider Dyn, which took down Twitter, Spotify, and GitHub, Mirai grew to 63 malware variants.

The latest activity of Mirai includes exploiting six critical Azure OMIGOD vulnerabilities, even after the official patch release. The attackers used an Open Management Infrastructure (OMI) software agent to leverage remote code execution or elevate privileges on vulnerable Linux virtual machines running on Microsoft Azure. Thousands of Azure customers and millions of endpoints were estimated to be exposed to the risk of such attacks.

Vulnerabilities were also found in hardware devices like SonicWall, Netgear, and D-Link. Mirai was also found trying to take advantage of unknown vulnerabilities in internet-of-things (IoT) gadgets.

The ongoing massive migration to cloud-based environments is supported by large institutions maintaining numerous hardware servers at the backend, providing storage to smaller companies. The activity of botnets like Mirai represents a significant threat because upon shutting down cloud service providers, they can impact business operations on a global scale.


ZeroAccess is a distributed peer-to-peer (P2P) botnet that has been infecting tens of millions of computers since 2011 and operates primarily for the purpose of monetary gains. Some of the most frequently used methods include bitcoin mining, click fraud, information theft, and pay-per-install. ZeroAccess creates separate file systems for stolen credentials and applies rootkit techniques for stealthy communication.

A typical ZeroAccess attack starts by prompting a random user to visit an infected website. This could be done by sending an email with a link, sharing a torrent file, or even by compromising legitimate sites and redirecting the traffic. Malicious websites hide PHP scripts that exploit security vulnerabilities of the software installed on a victim’s device (Adobe Acrobat, Internet Explorer, etc.). Once infected, the target system turns into a bot, and its computational power is exploited for malicious purposes.

In 2021, the activity of this botnet surged 619,460% and then sank again. This is what ZeroAccess has been doing for years: massive bursts of activity are usually followed by months of complete silence before the botnet appears again. Such waves of activity could be explained by malware retooling or theming.


Botnets are nothing new to the cybersecurity community. Nevertheless, some of them have been active for years and are still highly dangerous. Governments of countries like the US take measures to tackle these threats, but these help only for a few months, after which the malware rebounds again.

Large botnets require a lot of processing power for their operation, which is why their operators are interested in taking over millions of devices belonging to unsuspecting users. Once they do, they can install ransomware, shut down the operation of critical infrastructure, steal money, and spy on confidential data. For organizations, it is crucial to take an enhanced set of measures to protect their networks of devices against these threats. To streamline their detection capabilities, they might use SOC Prime’s Detection as Code platform, which has the latest content to detect the malicious activity caused by the botnets described above, along with online translation tools like Uncoder.IO, which supports instant content conversion into a variety of SIEM, EDR, and NTDR formats.

By Gary Bernstein
