A botnet is a network of compromised devices, remotely controlled by an attacker known as a bot-herder. These devices, also called "zombies", can be computers, servers, smartphones, or IoT devices like smart cameras, routers, and other internet-connected appliances. Bots are infected with malware that lets the bot-herder control them without the user noticing.

In 2025 botnets keep evolving, becoming more sophisticated and resilient. Some exploit peer-to-peer protocols to make it harder to take down command-and-control servers, others integrate artificial intelligence to adapt to security systems and stay hidden. Some botnets combine multiple capabilities, such as DDoS attacks, spam distribution, and cryptocurrency mining, into a single network.

How a botnet works

Building a botnet unfolds in three main phases:

  • Malware distribution: The bot-herder finds vulnerabilities in systems or exploits human error to infect devices. The most common methods include:

Phishing or scam emails with malicious attachments;

  • Exploit kits distributed via compromised sites (drive-by downloads);

  • Malware hidden in legitimate-looking software downloaded from unsafe sources;

  • Compromise of IoT devices with default credentials or outdated firmware.

  • Infection: Once the malware reaches the device, it becomes part of the botnet. The malware can run in the background, communicate with the command-and-control (C&C) server, and wait for instructions. Users often don't notice the malware's presence, because modern botnets are designed to use few resources and blend in with legitimate traffic.

  • Command and control: The bot-herder sends commands to infected devices to carry out various activities, including:

DDoS attacks to make websites or services unreachable;

  • Sending spam or phishing campaigns;

  • Theft of credentials and sensitive data;

  • Cryptocurrency mining;

  • Distribution of additional malware.

Types of botnets

  • DDoS botnet: aims to saturate the bandwidth or resources of servers and web services.

  • Spam botnet: sends large volumes of unsolicited email or targeted phishing campaigns.

  • Click-fraud botnet: simulates clicks on online ads to generate illicit revenue.

  • IoT botnet: exploits vulnerable internet-connected devices, such as cameras, routers and smart TVs.

  • Hybrid botnet: combines multiple capabilities in a single network, increasing attack effectiveness.

Educational botnet example in Python

Below is an educational example showing how a server can send commands to bots in a lab setting. This should never be run on real devices:

import socket
import threading

# Function to handle each connected bot
def bot_handler(conn):
    while True:
        try:
            command = input("Command to send: ")
            if command.lower() == "exit":
                break
            conn.send(command.encode())
        except:
            break
    conn.close()

server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(('0.0.0.0', 9999))
server.listen(5)
print("Server listening on port 9999...")

while True:
    conn, addr = server.accept()
    print(f"Connection from {addr}")
    threading.Thread(target=bot_handler, args=(conn,)).start()

This code simulates sending commands to bot clients. In a lab setting, it can be used to understand the basic workings of a zombie network, without causing real harm.

Defending against botnets

Modern defense strategies include:

  • Always keeping operating systems, firmware and applications on devices up to date.

  • Using antivirus, firewalls and endpoint detection and response (EDR) solutions updated for 2025.

  • Constantly monitoring network traffic to detect suspicious activity, such as connections to known C&C servers.

  • Disabling unnecessary services and changing default credentials on IoT devices.

  • Adopting good security practices as a user, such as avoiding suspicious links and unverified attachments.

  • Implementing intrusion detection and prevention systems (IDS/IPS) to block anomalous behavior.

Botnet evolution in 2025

Next-generation botnets are more resilient and modular:

  • Resilience: many use peer-to-peer architectures, making it harder to locate and shut down control servers.

  • AI and automation: some botnets analyze network behavior and automatically adapt to avoid detection.

  • Multi-function: some combine DDoS, spam, mining and data theft in a single network.

  • IoT and cloud: the growth of connected devices and cloud infrastructure has enormously expanded the attack surface.

Detection and analysis

The main tools for detecting and studying botnets include:

  • Honeypots and sandboxes to observe malware behavior without risk.

  • Behavioral analysis of network traffic to spot anomalies.

  • Threat intelligence and indicator-of-compromise (IoC) feeds updated with the latest threats.

Understanding botnets is essential not only to protect corporate networks, but also for the security of home devices, which are increasingly connected and vulnerable.