Most Dangerous Botnets That are Still in the Game

Most Dangerous Botnets

While it’s no secret that the technical sophistication of cyber-attacks grows exponentially, adversaries often need widespread networks to make it happen. One of the ways to do that is to infect legitimate devices and use them for running malicious code in the background. That’s where botnets come into play.

According to Spamhaus, the third quarter of 2021 has seen an 82% surge in the number of emerging botnet command & control servers. FastFlux technique has been mostly used by malicious operators to install backdoors for further malware updates and lateral movement.

Large botnets are notoriously hard to kill, with some of them operating for decades. Let’s take a look at the most dangerous of them that are still highly active at the beginning of 2022.



The botnet that used to be described as “world’s most dangerous malware,” is back again, after an official takedown earlier in 2021. The international law enforcement operation orchestrated a mass-uninstall of this malware, cleaning out all the infected computers across the world.

However, these measures stopped Emotet for only a few months. Even after the takedown of all its C&C centers, it recently emerged again, this time operating through another notorious botnet TrickBot.

Emotet sends its malicious malware strains to endpoint devices of presumably random users by email spam. Once downloaded, the code installs additional payloads.

Emotet started off as a banking Trojan but later expanded its influence. Infected devices constitute a Malware-as-a-Service infrastructure for cybercriminal groups, acting as proxy servers that forward the malicious traffic to the real backend. Multiple methods of maintaining persistence and evasion techniques make it difficult to detect this malware. One of the ways to ensure timely detection on an enterprise level is to power up security operation centers with SOC Prime’s Detection as Code Platform which provides the newest threat detection rules in real time.


Just like Emotet, TrickBot started off as a banking Trojan and later on grew into sophisticated modular malware capable of spreading follow-on ransomware, maintaining persistence, and conducting reconnaissance. The malware applies various distribution vectors in multi-purpose campaigns and ultimately, can take complete control over the infected devices. TrickBot is arguably more advanced than Emotet because it updates itself a few times a day and deletes itself once certain tasks are fulfilled.

The configuration of the latest TrickBot version allows attackers to decide what exactly they want to do once the Trojan gets into the target system. For example, they can go for credential harvesting to steal personal and financial data or collect other information like cookies and web history. Otherwise, it is possible for them to install ransomware payloads directly or manipulate web browsing sessions, connecting the infected devices to criminally controlled networks.

Despite the U.S. Department of Justice arresting one of the TrickBot coders Alla Witte, the malware family continues its operation, spreading across millions of computers globally.


The predecessor of Mēris, Mirai botnet appeared in 2016 and has been targeting enterprise-level hardware since then. In 2019, it grew into a network of several related botnets that were sometimes competing with each other. In fact, after the DDoS attack on DNS provider Dyn which took down Twitter, Spotify, and GitHub, Mirai grew to 63 malware variants.

The latest activity of Mirai includes exploiting six critical Azure OMIGOD vulnerabilities, even after the official patch release. The attackers used an Open Management Infrastructure (OMI) software agent to leverage remote code execution or elevate privileges on vulnerable Linux virtual machines running on Microsoft Azure. Thousands of Azure customers and millions of endpoints were estimated to be exposed to the risk of such attacks.

Vulnerabilities were also found in hardware devices like SonicWall, Netgear, and D-Link. Mirai was also found trying to take advantage of the unknown vulnerabilities in the internet-of-things (IoT) gadgets.

The ongoing massive migration to cloud-based environments is supported by large institutions maintaining numerous hardware servers at the backend, providing storage to smaller companies. The activity of botnets like Mirai represents a significant threat because upon shutting down cloud service providers, they can impact business operations on a global scale.


ZeroAccess is a distributed peer-to-peer (P2P) botnet that has been infecting tens of millions of computers since 2011 and operates primarily for the purpose of monetary gains. Some of the most frequently used methods include bitcoin mining, click fraud, information theft, and pay-per-install. ZeroAccess creates separate file systems for stolen credentials and applies rootkit techniques for stealthy communication.

A typical ZeroAccess attack starts by prompting a random user to visit an infected website. This could be executed by sending an email with a link, sharing a torrent file, or even by compromising legitimate sites and redirecting the traffic. Malicious websites hide PHP scripts that exploit security vulnerabilities of the software installed on a victim’s device (Adobe Acrobat, Internet Explorer, etc.). Once infected, the target system turns into a bot and starts the further exploitation of computational power for malicious purposes.

In 2021, the activity of this botnet surged 619,460%, and after that sank down. This is what ZeroAccess has been doing for years: after the massive bursts of activity usually come the periods of complete silence for months before appearing again. Such waves of activity could be explained by malware retooling or theming.


Botnets are nothing new to the cybersecurity community, nevertheless, some of them have been active for years and are still highly dangerous. Governments of countries like the US take measures in tackling these threats but they can help only for a few months, after which the malware rebounds again.

Large botnets require a lot of processing power for their operation, that’s why they are interested in taking over millions of devices of unsuspecting users. And once they do, it is possible for them to install ransomware, shut down the operation of critical infrastructures, steal money, and spy for confidential data. For organizations, it is crucial to conduct an enhanced set of measures to protect their networks of devices against these threats. To streamline their detection capabilities, they might use SOC Prime’s Detection as Code platform that has the latest content to detect the malicious activity caused by botnets described above, along with online translation tools like Uncoder.IO that supports instant content conversion into a variety of SIEM, EDR, and NTDR formats.

By Gary Bernstein

David Fletcher Blown Image
Disaster Plan.png
Viral Infection Wearabletech
Kelly Dyer
Achieving Data Security Compliance As individuals, we go through life sharing information about ourselves in every aspect of our daily existence. From credit checks for securing a loan, through to entire personal and family medical ...
Bi Tools
BI Tools For Data Scientists Many data scientists prefer to use open-source framework to code scripts; after all, it’s something they already trust to work. Business intelligence tools like Qlik Sense, Power BI, or Tableau, ...
Gilad David Maayan
Azure Storage Pricing Introduction to Azure Storage Services Azure Storage is a set of cloud storage services provided by Microsoft as part of the Azure public cloud. It offers highly scalable object storage, file systems ...
Gilad David Maayan
Cloud Security Posture Management Cloud Security Posture Management (CSPM) enables you to secure cloud data and resources. You can integrate CSPM into your development process, to ensure continuous visibility. CSPM is particularly beneficial for DevOps ...
Alex Vakulov
Ransomware Database Targeting The scourge of ransomware is undoubtedly the most severe cyber security concern for home users and organizations these days. It revolves around taking important data hostage and demanding money, usually hard-to-trace cryptocurrency ...
  • Plural Site


    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.

  • Isc2


    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary


    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.