eastbaycyber

What Is a Botnet?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

A botnet is a collection of computers, servers, routers, cameras, phones, or other internet-connected devices that have been infected with malware or otherwise taken over and linked into a remotely controlled network.

A botnet is a network of compromised devices that an attacker controls remotely. Those infected devices, often called bots or zombies, can be used together to launch DDoS attacks, send spam, steal data, run credential attacks, or spread malware. In practice, a botnet turns ordinary internet-connected systems into attack infrastructure without the owner’s knowledge.

Botnets matter because they give attackers scale. One infected device has limited value, but thousands of compromised devices can overwhelm a service, hide malicious traffic, or support large cybercrime operations. For related background, see what is ddos and what is malware.

How a botnet works

A botnet works by compromising devices, connecting them to an attacker-controlled command channel, and then issuing instructions across the group.

Devices get infected or taken over

A device becomes part of a botnet when malware is installed on it or when an attacker gains lasting control.

Common infection paths include:

  • Phishing emails and malicious attachments
  • Drive-by downloads from compromised websites
  • Exploited software vulnerabilities
  • Weak or default passwords
  • Exposed remote management services
  • Poorly secured IoT devices
  • Trojans bundled with fake or pirated software

Botnets are not limited to desktop PCs. They can include:

  • Employee laptops
  • Servers
  • Cloud instances
  • Home routers
  • IP cameras
  • DVRs
  • Smart appliances
  • Mobile devices

This is one reason botnets are so persistent: attackers can recruit from almost any exposed or weakly protected system.

The infected device checks in

Once compromised, the device typically contacts a command-and-control system, often shortened to C2 or C&C. This is the infrastructure that tells the bot what to do and may also collect information back from it.

Botnet control models vary:

  • Centralized: Bots connect to one or more central servers
  • Peer-to-peer: Bots relay commands through other infected devices
  • Dynamic or distributed: Bots rotate through domains, services, or fallback infrastructure

The more resilient the control method, the harder the botnet is to disrupt.

The attacker issues commands

After enrollment, the attacker can assign tasks to the infected devices.

Common botnet activities include:

  • DDoS: Flooding a target with traffic or requests
  • Spam delivery: Sending phishing or scam emails at scale
  • Credential attacks: Testing stolen usernames and passwords
  • Malware distribution: Downloading or spreading additional payloads
  • Traffic relaying: Using infected hosts as proxies
  • Cryptomining: Stealing device resources for profit

A botnet is essentially stolen bandwidth, compute power, and network reach.

The malware tries to stay active

Botnet operators want devices to remain available as long as possible. To do that, the malware may:

  • Start automatically at boot
  • Disable or evade security tools
  • Update itself
  • Change command infrastructure
  • Reinfect the system after partial cleanup

In some IoT botnets, persistence is simpler. Devices are just so poorly secured that if they reboot or get cleaned, they are quickly compromised again.

Common botnet examples

Botnets are used in several recurring ways.

DDoS botnets

These botnets use many devices at once to overwhelm a website, API, or online service. IoT-heavy botnets are especially common here because cameras, routers, and similar devices are often exposed and weakly protected.

Spam and phishing botnets

Some botnets are built to send large volumes of email. Distributing mail through many infected hosts helps attackers spread phishing campaigns and reduce dependence on any single sender.

Credential attack botnets

Attackers may use a botnet to test stolen usernames and passwords against many sites. Spreading attempts across many IP addresses can make the activity harder to block.

Malware distribution botnets

A botnet can also serve as a delivery network for additional malware, including ransomware, spyware, and infostealers.

When you are likely to encounter a botnet

You are most likely to hear about botnets during incidents involving scale, distribution, or many suspicious source systems at once.

Common situations include:

  • DDoS investigations: A public-facing service is hit by traffic from many compromised devices
  • Email security incidents: Spam or phishing campaigns originate from a large set of infected hosts
  • Threat intelligence reporting: Analysts describe botnet malware, infrastructure, and C2 patterns
  • IoT security reviews: Internet-exposed devices are identified as recruitment targets
  • Abuse monitoring: Login abuse or scraping comes from rotating residential or compromised IP addresses
  • Endpoint investigations: A workstation repeatedly reaches suspicious external infrastructure

Many small and midsize businesses encounter botnets indirectly. Your systems may be targeted by a botnet, or one of your devices may become part of one without obvious symptoms.

Why IoT devices are common botnet targets

IoT devices are frequent botnet members because they often have:

  • Default credentials
  • Weak update practices
  • Internet exposure
  • Limited monitoring
  • Outdated firmware
  • Minimal built-in security controls

Home routers, cameras, DVRs, and small office edge devices are especially attractive because they are always on and often overlooked.

If you manage many connected devices, strong admin credentials stored in a password manager like Try 1Password → and routine firmware maintenance are more useful than ad hoc fixes after compromise.

How to reduce botnet risk

Reducing botnet risk means making your devices harder to recruit and your services harder to abuse.

Secure endpoints and devices

Basic steps include:

  • Patch operating systems and firmware
  • Remove default passwords
  • Disable unnecessary internet exposure
  • Restrict remote administration
  • Segment IoT devices from critical systems
  • Use reputable security software such as Get Malwarebytes → where appropriate

Improve credential hygiene

Many botnets grow by exploiting weak passwords or reused credentials. Use unique passwords for admin panels, email accounts, and remote access systems. Tools like Try 1Password → can help teams manage that safely.

Watch for outbound anomalies

A compromised device may not show obvious user-facing symptoms, but it may:

  • Reach known malicious infrastructure
  • Generate unusual outbound traffic
  • Contact many external IPs
  • Participate in repeated login attempts
  • Download additional payloads

Monitoring egress activity is often as important as filtering inbound threats.

Protect remote users carefully

For users on public or untrusted networks, a VPN such as Check NordVPN pricing → or Try Proton VPN → can improve privacy in transit. It does not stop botnet malware by itself, but it can be a sensible supporting control for remote work.

Malware

Malware is the broad category of malicious software. Botnet malware is specifically designed to enroll a device into a remotely controlled network.

Command and control

Command and control is the mechanism attackers use to communicate with compromised devices. A botnet depends on some form of C2.

DDoS

A distributed denial-of-service attack uses many systems at once to overwhelm a target. Botnets are one of the most common ways attackers generate that distributed traffic.

Zombie

A zombie is a compromised device under attacker control. A botnet is a group of zombies acting together.

Worm

A worm is malware that can self-propagate. Some worms help build botnets by infecting new devices automatically.

Final takeaway

A botnet is a network of compromised devices controlled remotely by an attacker. Those devices can be coordinated to launch DDoS attacks, send spam, steal data, distribute malware, or support other abuse at scale. The core danger comes from numbers: many ordinary systems acting as one malicious platform.

If you run internet-connected services or manage connected devices, botnets are relevant whether you are the target or the unwitting participant. Good patching, strong passwords, reduced exposure, and basic endpoint protection go a long way toward lowering that risk.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.