The Incident That Started With a Billing Anomaly
A mid-sized e-commerce company noticed unusual spikes in outbound bandwidth on a Tuesday morning. The security team initially attributed it to a marketing campaign. By Friday, the same anomaly had grown threefold. It was only when a network engineer cross-referenced firewall egress logs with DNS query frequency logs that the pattern became clear: hundreds of internal endpoints were making low-frequency, high-regularity connections to a rotating set of external IP addresses across three different ISPs. The company had been running a botnet node cluster for eleven days before any alert fired.
This scenario is not unusual. Botnets are engineered to evade exactly the kind of threshold-based alerting most organizations rely on. Understanding how modern botnets operate, how to track their infrastructure, and how to contain their impact requires a structured approach that goes beyond signature-based detection.
How Modern Botnets Operate at the Infrastructure Level
Contemporary botnets have moved far beyond the centralized command-and-control (C2) models of the early 2000s. Today's operators use a layered architecture designed to maximize resilience and minimize detectability. Key structural elements include peer-to-peer communication among infected nodes, fast-flux DNS to rotate C2 IP addresses rapidly, domain generation algorithms (DGAs) to produce thousands of potential C2 domains, encrypted communications over standard ports such as 443 and 80, and residential proxy networks to mask traffic origin.
The 0ktapus threat group, which victimized more than 130 organizations, demonstrated how botnet infrastructure can be embedded within what appears to be normal SaaS traffic. Their campaign used phishing to recruit devices into a credential-harvesting network that relayed stolen data through intermediary nodes that blended with legitimate cloud service traffic. Similarly, Chinese APT groups involved in Central Asia telecommunications attacks have been documented sharing Linux backdoors across botnet infrastructure, allowing multiple threat actors to reuse the same compromised node pool for different operations simultaneously.
The Kimsuky group's continued use of PebbleDash-based tools illustrates another common pattern: deploying lightweight implants on compromised hosts that function as botnet relays for later-stage operations rather than immediately executing visible payloads. These implants communicate on irregular schedules, often mimicking the beaconing patterns of legitimate software update checks.
Detection: Where Most Teams Start Too Late
Effective botnet detection requires correlated telemetry across multiple data sources. Relying on a single feed, whether that is firewall logs, endpoint detection alerts, or NetFlow data, creates blind spots that botnet operators actively exploit.
Network Traffic Baselining
Start by establishing a behavioral baseline for outbound connections per endpoint, segmented by time of day, protocol, and destination ASN. Botnets generate traffic with statistical regularity that differs from human-driven behavior. A host that sends 512 bytes of data to an external IP every 300 seconds at 2:00 AM on a Saturday is behaving differently from a workstation running scheduled backups. Tools like Zeek (formerly Bro) and Arkime (formerly Moloch) allow teams to capture full packet metadata and build per-host connection profiles.
Specifically, look for these traffic characteristics:
- Fixed or near-fixed beaconing intervals from single endpoints
- Low-byte, high-frequency outbound sessions to IPs with no historical connection history
- DNS queries to domains with high entropy names (characteristic of DGA activity)
- Outbound connections to IP addresses in ASNs associated with bulletproof hosting providers
- Connections that cycle through multiple IPs in the same /24 CIDR block within short windows
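The first two characteristics in that list, fixed beaconing intervals and uniform low-byte sessions, can be measured directly from connection metadata. The script below is an added example (not from the original article or from the Zeek project) that reads rows in a subset of Zeek conn.log columns, groups them by source, destination and port, and flags tuples whose inter-connection timing and request sizes are too regular to be human. The sample rows, the 5-session minimum and the coefficient-of-variation cutoffs are constructed and illustrative; tune them against your own baseline.

```python
"""Beacon detection over Zeek-style conn.log rows.

Added example (not from the original article): the rows below are constructed
sample data in a subset of Zeek conn.log columns. Thresholds are illustrative.
"""
import statistics
from collections import defaultdict

# Constructed sample: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes (tab-separated).
# 10.0.1.15 contacts 203.0.113.7 every ~300 s with a fixed 512-byte request;
# 10.0.1.22 shows irregular, human-like browsing to 198.51.100.9.
SAMPLE_CONN_LOG = """\
1700000000.000\t10.0.1.15\t203.0.113.7\t443\t512
1700000300.100\t10.0.1.15\t203.0.113.7\t443\t512
1700000599.900\t10.0.1.15\t203.0.113.7\t443\t512
1700000900.050\t10.0.1.15\t203.0.113.7\t443\t512
1700001200.000\t10.0.1.15\t203.0.113.7\t443\t512
1700001499.950\t10.0.1.15\t203.0.113.7\t443\t512
1700000012.000\t10.0.1.22\t198.51.100.9\t443\t1820
1700000451.000\t10.0.1.22\t198.51.100.9\t443\t9210
1700000478.000\t10.0.1.22\t198.51.100.9\t443\t300
1700002210.000\t10.0.1.22\t198.51.100.9\t443\t4411
1700002215.000\t10.0.1.22\t198.51.100.9\t443\t12000
1700003110.000\t10.0.1.22\t198.51.100.9\t443\t700
"""


def parse_conn_log(text):
    """Parse tab-separated rows into dicts; skips Zeek '#' header/comment lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, obytes = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "port": int(port), "bytes": int(obytes)})
    return rows


def coefficient_of_variation(values):
    """Population std-dev divided by mean: 0 means perfectly regular."""
    mean = statistics.mean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


def find_beacons(rows, min_sessions=5, max_interval_cv=0.05, max_size_cv=0.2):
    """Flag (src, dst, port) tuples whose timing and size are suspiciously regular."""
    sessions = defaultdict(list)
    for r in rows:
        sessions[(r["src"], r["dst"], r["port"])].append(r)
    findings = []
    for (src, dst, port), items in sessions.items():
        if len(items) < min_sessions:
            continue
        items.sort(key=lambda r: r["ts"])
        intervals = [b["ts"] - a["ts"] for a, b in zip(items, items[1:])]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation([r["bytes"] for r in items])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "sessions": len(items),
                             "mean_interval": statistics.mean(intervals),
                             "interval_cv": interval_cv, "size_cv": size_cv})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

Run over a day of conn.log this yields a short list of candidate beacons per host; pair each with the destination's ASN and first-seen date before escalating, since legitimate agents (monitoring, update checkers) beacon just as regularly. Implants that add random sleep jitter defeat the interval check alone, which is why the size check and the DNS signals in the next section matter.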
DNS Telemetry as an Early Signal
DNS is consistently the most underutilized detection layer in botnet tracking. Because DGA-based botnets generate large volumes of failed DNS resolutions alongside occasional successful lookups, passive DNS monitoring reveals this pattern clearly. A host generating 2,000 NXDOMAIN responses per hour is almost certainly running DGA malware.
Implement DNS response logging at the resolver level, not just at the firewall. Forward this data to your SIEM and build alerts for hosts exceeding NXDOMAIN thresholds relative to their baseline. Tools like Farsight DNSDB and PassiveTotal provide historical DNS data that helps identify fast-flux infrastructure by showing IP churn rates for specific domains.
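The baseline-relative NXDOMAIN alert described above, combined with the high-entropy name check from the traffic characteristics list, looks like the following. This is an added example, not code from the original article; the resolver log lines and the per-host hourly baselines are constructed, and the three-sigma rule, the 10-character minimum label length and the 3.6-bit entropy cutoff are illustrative heuristics rather than vendor-validated values.

```python
"""NXDOMAIN baseline deviation and DGA-style name scoring.

Added example, not from the original article. Query records and baselines are
constructed; the 3-sigma rule and the entropy cutoff are illustrative.
"""
import math
import statistics
from collections import Counter, defaultdict

# Constructed per-host hourly NXDOMAIN counts from a prior baseline window.
BASELINE_NXDOMAIN_PER_HOUR = {
    "10.0.1.15": [4, 6, 3, 5, 4, 7, 5, 6],
    "10.0.1.22": [2, 3, 1, 2, 2, 3, 2, 1],
}

# Constructed resolver log for the current hour: ts, client, qname, rcode.
# 10.0.1.15 emits a burst of random-looking names; 10.0.1.22 shows the usual
# handful of stale internal names that every network produces.
CURRENT_HOUR_LOG = """\
1700000001\t10.0.1.15\tqx7vz2kd9mwp4r.com\tNXDOMAIN
1700000002\t10.0.1.15\tb3ytn8hfc5lsj6.net\tNXDOMAIN
1700000003\t10.0.1.15\tw9mkq2zvx4pd7e.com\tNXDOMAIN
1700000004\t10.0.1.15\th5rtb3nfj8cy2l.org\tNXDOMAIN
1700000005\t10.0.1.15\tz6pxw4kqm9vd3s.com\tNXDOMAIN
1700000006\t10.0.1.15\tc2jgn7fhb5tl8y.net\tNXDOMAIN
1700000007\t10.0.1.15\tm8vkz3qxw6pr4d.com\tNXDOMAIN
1700000008\t10.0.1.15\tt4nbh9cfj2ly7s.org\tNXDOMAIN
1700000009\t10.0.1.15\tk7xzq5wvm3dp9g.com\tNXDOMAIN
1700000010\t10.0.1.15\tf3hcn6btj4ls8r.net\tNXDOMAIN
1700000011\t10.0.1.15\tp9wqz2xkv7md5n.com\tNXDOMAIN
1700000012\t10.0.1.15\tj5btf8hnc3ly6g.org\tNXDOMAIN
1700000040\t10.0.1.15\tupdates.example.net\tNOERROR
1700000050\t10.0.1.22\twpad.corp.example\tNXDOMAIN
1700000051\t10.0.1.22\tintranet-old.example\tNXDOMAIN
1700000052\t10.0.1.22\tprinter07.example\tNXDOMAIN
1700000053\t10.0.1.22\twww.example.org\tNOERROR
"""


def shannon_entropy(s):
    """Bits per character; random 14-char labels score near log2(14) = 3.8."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(qname, min_len=10, min_entropy=3.6):
    """Heuristic: score the longest label (simplification; real tooling strips the
    public suffix first). Long, high-entropy labels are DGA-like."""
    label = max(qname.rstrip(".").split("."), key=len)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split("\t")
        records.append({"ts": int(ts), "client": client,
                        "qname": qname, "rcode": rcode})
    return records


def hosts_over_nxdomain_baseline(records, baseline, sigmas=3.0):
    """Return hosts whose NXDOMAIN count exceeds mean + sigmas*stdev of their own
    baseline, with a count of DGA-like names as supporting evidence."""
    nx_by_host = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            nx_by_host[r["client"]].append(r["qname"])
    findings = {}
    for host, names in nx_by_host.items():
        history = baseline.get(host)
        if not history or len(history) < 2:
            continue  # no usable baseline: route to a separate new-host review
        threshold = statistics.mean(history) + sigmas * statistics.stdev(history)
        if len(names) > threshold:
            findings[host] = {"nxdomain": len(names),
                              "threshold": round(threshold, 2),
                              "dga_like": sum(looks_dga(n) for n in names)}
    return findings


if __name__ == "__main__":
    print(hosts_over_nxdomain_baseline(parse_dns_log(CURRENT_HOUR_LOG),
                                       BASELINE_NXDOMAIN_PER_HOUR))
```

The two signals are deliberately kept separate: the baseline deviation is what fires the alert, and the DGA-like count is the triage detail an analyst reads first. A host with many NXDOMAINs but low-entropy names is more likely a misconfigured search suffix than malware; a host just under its threshold but with a dozen random labels still deserves a look.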
Endpoint Behavioral Signals
On the endpoint side, botnet implants exhibit consistent behavioral patterns that EDR platforms can surface. Process trees showing network-connected child processes spawned from unexpected parents, persistence mechanisms in scheduled tasks or registry run keys, and memory-resident payloads that avoid writing to disk are all common indicators. The modified CIA Hive implant that has entered criminal markets demonstrates how sophisticated C2 frameworks, originally designed for covert operations, produce endpoint artifacts that differ from commodity malware but follow recognizable patterns when analysts know what to look for.
Configure your EDR to alert on processes making outbound connections that were not observed making network connections during the baseline period. Correlate this with parent process chains to identify injection or masquerading behaviors.
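The hunt logic that rule describes, a process making outbound connections that never did so during the baseline, plus the parent-chain correlation, is shown below as an added example. It is not code from the original article or from any EDR vendor; the baseline table and the current events are constructed, and real EDR exports would carry file hashes, user context and PIDs that you would add to the grouping key.

```python
"""Flag network-connecting processes absent from the baseline period.

Added example, not from the original article or any EDR vendor. The event
tuples are constructed; real EDR exports would carry hashes, users and PIDs.
"""

# Constructed baseline: (process, parent) pairs observed making outbound
# connections during a 30-day window, with how many hosts showed each pair.
BASELINE_NETWORK_PROCESSES = {
    ("chrome.exe", "explorer.exe"): 240,
    ("outlook.exe", "explorer.exe"): 238,
    ("svchost.exe", "services.exe"): 250,
    ("backupagent.exe", "services.exe"): 250,
}

# Constructed current events: (ts, host, process, parent, dst_ip, dst_port).
CURRENT_EVENTS = [
    ("2026-03-01T02:00:11Z", "WS-0417", "chrome.exe", "explorer.exe", "198.51.100.20", 443),
    ("2026-03-01T02:05:02Z", "WS-0417", "svchost.exe", "winword.exe", "203.0.113.7", 443),
    ("2026-03-01T02:10:02Z", "WS-0417", "updchk.exe", "explorer.exe", "203.0.113.7", 443),
    ("2026-03-01T02:15:02Z", "WS-0417", "svchost.exe", "winword.exe", "203.0.113.7", 443),
    ("2026-03-01T03:00:00Z", "WS-0522", "backupagent.exe", "services.exe", "10.0.9.5", 8443),
]


def classify_event(event, baseline):
    """None if the (process, parent) pair is a known network-connecting pair;
    otherwise a short reason explaining why it deviates from baseline."""
    _, _, process, parent, _, _ = event
    if (process, parent) in baseline:
        return None
    if any(p == process for p, _ in baseline):
        return "known process, unexpected parent (possible injection/masquerade)"
    return "process never seen making network connections in baseline"


def hunt_new_network_processes(events, baseline):
    """Group flagged events per (host, process, parent) so one implant beaconing
    repeatedly yields one finding with a connection count, not one alert per call."""
    findings = {}
    for event in events:
        reason = classify_event(event, baseline)
        if reason is None:
            continue
        ts, host, process, parent, dst, port = event
        key = (host, process, parent)
        entry = findings.setdefault(key, {"reason": reason, "first_seen": ts,
                                          "connections": 0, "destinations": set()})
        entry["connections"] += 1
        entry["destinations"].add(f"{dst}:{port}")
    return findings


if __name__ == "__main__":
    for key, entry in hunt_new_network_processes(CURRENT_EVENTS,
                                                 BASELINE_NETWORK_PROCESSES).items():
        print(key, entry)
```

Note that the baseline is keyed on the (process, parent) pair rather than the process name alone: a system binary such as svchost.exe is expected to talk to the network, but not when its parent is an office application, and that distinction is exactly what separates the masquerading case from the new-binary case in the output.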
Tracking Botnet Infrastructure
Once you have identified a suspected botnet node or C2 endpoint, infrastructure tracking allows you to map the broader network and preemptively block related assets before they become active in your environment.
Pivot Points for Infrastructure Mapping
Begin with the indicators you have confirmed: IP addresses seen in beaconing traffic, domains resolved before connections were established, and certificate data from TLS handshakes. From these starting points, use the following pivot techniques:
- WHOIS and registration correlation: Botnet operators frequently reuse registrar accounts, billing email addresses, or nameserver configurations across multiple domains. Tools like DomainTools and WHOIS history APIs expose these shared registration artifacts.
- TLS certificate clustering: Self-signed certificates and certificates issued through low-cost providers often share Subject Alternative Names, organization fields, or serial number patterns. Censys and Shodan both index certificate data and support searches across these fields.
- ASN and hosting provider analysis: Bulletproof hosting providers concentrate botnet infrastructure. Identifying the ASN associated with a known C2 and reviewing other known malicious infrastructure in that ASN provides a list of preemptive block candidates.
- Passive DNS chaining: Track which IP addresses have historically resolved for a given domain and which other domains have resolved to the same IP. This exposes fast-flux pools and shared hosting relationships within the botnet's infrastructure.
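All four pivot techniques above reduce to walking one typed graph in which domains, IPs, certificate fingerprints and registrant contacts are nodes and each data source contributes edges. The added example below (not from the original article, and not the API of DomainTools, Censys, Shodan, DNSDB or PassiveTotal) builds that graph from constructed passive DNS, WHOIS and TLS records and expands a cluster from a seed domain. It goes slightly beyond the text by adding hub suppression: a shared hosting IP or a registrar privacy-proxy address links to hundreds of unrelated domains, and pivoting through it would turn the block list into half the internet. The 25-neighbour hub cutoff and 4-hop depth are illustrative.

```python
"""Infrastructure pivoting as a typed graph walk with hub suppression.

Added example, not from the original article; the passive DNS, WHOIS and TLS
records are constructed. Real pivots would come from passive DNS services,
WHOIS history and certificate search engines.
"""
from collections import defaultdict, deque

# Constructed records. 192.0.2.10 is a shared hosting IP with dozens of
# unrelated tenants and privacy@registrar-privacy.example is a generic
# privacy-proxy contact: both are hubs a naive pivot would expand through.
PASSIVE_DNS = [
    ("cdn-sync-update.example", "203.0.113.7"),
    ("cdn-sync-update.example", "203.0.113.8"),
    ("metrics-relay.example", "203.0.113.8"),
    ("metrics-relay.example", "198.51.100.40"),
    ("cdn-sync-update.example", "192.0.2.10"),
    ("shop.example", "192.0.2.10"),
] + [(f"tenant{i}.example", "192.0.2.10") for i in range(60)]

WHOIS = [
    ("cdn-sync-update.example", "ops-7731@mailbox.example"),
    ("fw-telemetry.example", "ops-7731@mailbox.example"),
    ("shop.example", "privacy@registrar-privacy.example"),
] + [(f"tenant{i}.example", "privacy@registrar-privacy.example") for i in range(60)]

# (ip, certificate fingerprint). "fp-A-constructed" stands in for a SHA-256;
# the same self-signed certificate appears on two hosts.
TLS_CERTS = [
    ("203.0.113.7", "fp-A-constructed"),
    ("198.51.100.77", "fp-A-constructed"),
    ("192.0.2.10", "fp-B-constructed"),
]


def build_graph(passive_dns, whois, tls_certs):
    """Undirected adjacency over typed node ids such as 'domain:x', 'ip:y'."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for domain, ip in passive_dns:
        link(f"domain:{domain}", f"ip:{ip}")
    for domain, email in whois:
        link(f"domain:{domain}", f"email:{email}")
    for ip, fingerprint in tls_certs:
        link(f"ip:{ip}", f"cert:{fingerprint}")
    return graph


def pivot(graph, seed, max_depth=4, max_degree=25):
    """BFS from seed. Nodes with degree > max_degree are recorded as hubs and
    not expanded, so shared hosting and privacy-proxy contacts do not drag
    unrelated infrastructure into the cluster. Returns (cluster, hubs)."""
    depth = {seed: 0}
    hubs = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= max_depth:
            continue
        for neighbour in graph[node]:
            if neighbour in depth:
                continue
            if len(graph[neighbour]) > max_degree:
                hubs.add(neighbour)
                continue
            depth[neighbour] = depth[node] + 1
            queue.append(neighbour)
    return set(depth), hubs


if __name__ == "__main__":
    cluster, hubs = pivot(build_graph(PASSIVE_DNS, WHOIS, TLS_CERTS),
                          "domain:cdn-sync-update.example")
    print("cluster:", sorted(cluster))
    print("hubs skipped:", sorted(hubs))
```

Skipped hubs are returned rather than silently dropped because they are still useful context: a C2 domain parked on a shared hosting IP tells you the IP is a poor block candidate, while a certificate fingerprint reused on a second host is one of the strongest pivots available, since certificates are rarely shared by accident.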
Using Threat Intelligence Feeds Effectively
Commercial and open-source threat intelligence feeds provide curated lists of known botnet C2 endpoints, but their value depends on freshness and integration. Feeds that lag by 24 hours or more miss fast-flux infrastructure entirely. Prioritize feeds with sub-hour update frequencies for C2 indicators specifically.
The NIST NVD enrichment policy shift toward prioritizing vulnerabilities with attacker behavior signals is directly relevant here. As NVD begins tagging CVEs with active exploitation context, security teams can correlate botnet activity against recently weaponized vulnerabilities to identify how the initial infection likely occurred. A botnet campaign exploiting a recently disclosed vulnerability in a content delivery mechanism, for instance, becomes visible when you cross-reference your infected host inventory against software versions and the CVE timeline.
Integrate threat intelligence at the DNS resolver and firewall policy level rather than relying solely on SIEM alerting. Automated blocking of confirmed C2 domains and IPs at the infrastructure layer reduces response lag significantly.
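Enforcing the feed-freshness rule and pushing the result to the resolver and firewall layers can be one small pipeline. The added example below is not from the original article or any feed vendor: it reads a constructed JSON-lines feed, keeps only indicators seen within the last 90 days with adequate confidence, renders a BIND-style response policy zone (RPZ) that returns NXDOMAIN for listed domains and for answers containing listed IPs, and emits an nftables command that populates a block set. The zone name rpz.local, the set name c2_ips in table inet filter, the 90-day window and the confidence cutoff are assumptions; the drop rule that references the set is assumed to exist in your ruleset already.

```python
"""Turn a C2 indicator feed into resolver (RPZ) and firewall (nftables) blocks,
keeping only fresh, high-confidence entries.

Added example, not from the original article or any feed vendor. The feed
lines are constructed JSON; the zone rpz.local and the nftables set
'inet filter c2_ips' are assumed to exist in your resolver/firewall config.
"""
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed "now" so the freshness filter is deterministic.
EXAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Constructed feed (JSON lines). last_seen and confidence drive the filter.
FEED_JSONL = """\
{"indicator": "cdn-sync-update.example", "type": "domain", "last_seen": "2026-02-27T09:15:00Z", "confidence": 90}
{"indicator": "old-c2.example", "type": "domain", "last_seen": "2025-10-01T00:00:00Z", "confidence": 95}
{"indicator": "203.0.113.7", "type": "ipv4", "last_seen": "2026-01-15T12:00:00Z", "confidence": 85}
{"indicator": "198.51.100.9", "type": "ipv4", "last_seen": "2026-02-28T00:00:00Z", "confidence": 40}
{"indicator": "metrics-relay.example", "type": "domain", "last_seen": "2026-02-28T18:30:00Z", "confidence": 80}
"""


def load_feed(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["last_seen"] = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
            records.append(rec)
    return records


def select_fresh(records, now=EXAMPLE_NOW, max_age_days=90, min_confidence=70):
    """Stale C2 indicators are worse than none: they block nothing current and
    generate false positives when the IP is reassigned."""
    cutoff = now - timedelta(days=max_age_days)
    return [r for r in records
            if r["last_seen"] >= cutoff and r["confidence"] >= min_confidence]


def rpz_ip_trigger(ip_text):
    """RPZ IP trigger name: prefix length, then the address octets reversed,
    under the rpz-ip label (IPv4 only in this example)."""
    net = ipaddress.ip_network(ip_text, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def render_rpz_zone(records, serial, zone="rpz.local"):
    """CNAME to '.' is the RPZ action that returns NXDOMAIN for the trigger."""
    lines = [f"$ORIGIN {zone}.", "$TTL 60",
             f"@ SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 60",
             f"@ NS ns.{zone}."]
    for r in records:
        if r["type"] == "domain":
            lines.append(f'{r["indicator"]} CNAME .')    # the name itself
            lines.append(f'*.{r["indicator"]} CNAME .')  # and any subdomain
        elif r["type"] == "ipv4":
            lines.append(f'{rpz_ip_trigger(r["indicator"])} CNAME .')  # answers with this IP
    return "\n".join(lines) + "\n"


def render_nft_command(records, table="inet filter", set_name="c2_ips"):
    """Command to add fresh IPv4 indicators to an existing nftables set."""
    ips = sorted(r["indicator"] for r in records if r["type"] == "ipv4")
    if not ips:
        return None
    return f"nft add element {table} {set_name} {{ {', '.join(ips)} }}"


if __name__ == "__main__":
    fresh = select_fresh(load_feed(FEED_JSONL))
    print(render_rpz_zone(fresh, serial=2026030101))
    print(render_nft_command(fresh))
```

Keep the resolver and firewall layers both fed from the same filtered list: RPZ catches the DNS lookup before any connection exists, which also produces a clean log entry naming the querying host, while the nftables set catches implants that carry hard-coded IPs and never ask DNS at all. Bump the SOA serial on every regeneration or secondaries will not pick up the change.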
Mitigation: Containing an Active Botnet Infection
When you have confirmed botnet activity within your environment, the response sequence matters. Acting out of order, particularly isolating hosts before you have collected sufficient forensic data, destroys the evidence you need to understand the full scope of the compromise.
Immediate Containment Without Evidence Destruction
The first priority is to cut off the infected hosts from their C2 infrastructure while preserving forensic integrity. Implement egress firewall rules blocking communication to identified C2 endpoints at the network perimeter. This prevents further data exfiltration and command execution without altering the host's disk state or memory.
Use network segmentation to isolate affected VLANs or subnets from sensitive internal resources while maintaining logging. Keep the infected hosts running and connected to a monitored network segment. This allows you to observe what the botnet attempts to do when its C2 connection fails, which often reveals secondary C2 channels or fallback mechanisms.
Full Scope Assessment Before Remediation
Before reimaging or remediating any endpoint, conduct memory acquisition using tools like Volatility or Magnet RAM Capture. Botnet implants designed to operate without persistent disk artifacts vanish entirely when a system reboots, leaving no forensic trail. Memory analysis reveals active network connections, injected code in legitimate process memory, and encryption keys used for C2 communication.
Simultaneously, audit authentication logs for all accounts that touched infected endpoints. Botnets increasingly function as credential harvesters alongside their primary purpose. The ransomware landscape in early 2026 shows a clear pattern of initial access brokers using botnet infrastructure to harvest credentials and then selling that access to ransomware operators. Assume that any endpoint confirmed as a botnet node has had its credential cache exposed.
ISP and Upstream Coordination
For botnets operating at scale within your environment, direct coordination with upstream ISPs accelerates the takedown of C2 infrastructure. Most major ISPs have abuse desks with established processes for acting on documented botnet C2 reports. Provide detailed evidence including packet captures, DNS logs, and IP/domain indicators. Abuse reports that include behavioral evidence rather than just IP addresses receive faster responses.
If your organization operates its own ASN, coordinate with your regional internet registry and peer ASNs to implement BGP blackholing for confirmed botnet C2 prefixes. This is particularly effective against botnets using static IP infrastructure rather than fast-flux systems.
Cleaning Infected Endpoints
After memory acquisition and credential audit, proceed with host remediation. For endpoints running Windows, examine scheduled tasks, WMI subscriptions, registry autorun locations, and service configurations for persistence mechanisms. Linux endpoints require examination of cron jobs, systemd service units, init.d scripts, and SSH authorized_keys files, particularly in the context of Linux backdoors being shared among threat actor groups in recent campaigns.
Reimaging is the safest remediation path for confirmed botnet nodes. Attempting to manually remove botnet implants from live systems without a complete malware sample analysis risks missing secondary payloads or modified system binaries. If operational constraints prevent immediate reimaging, use EDR to terminate the implant's running processes and remove its persistence mechanisms, and schedule the reimage for the next maintenance window.
Building Ongoing Botnet Tracking Capability
Reactive botnet response is necessary but insufficient. Organizations that build proactive tracking capabilities detect botnet infections within hours rather than days.
Internal Honeypot Segments
Deploy internal honeypot hosts in each major network segment with no legitimate business function. These systems should generate no outbound traffic and receive no inbound connections from legitimate users. Any traffic to or from these hosts represents anomalous activity worth immediate investigation. Botnet lateral movement and scanning routines reliably hit honeypot systems, providing early warning before the botnet establishes a foothold on production assets.
Threat Hunting Cadence
Establish a recurring threat hunt specifically targeting botnet indicators. A weekly hunt using the following queries catches low-and-slow botnet beaconing that automated alerting misses:
- Hosts with consistent outbound connection intervals to the same external IP across multiple days
- Endpoints generating NXDOMAIN responses at rates more than three standard deviations above their baseline
- Internal hosts communicating with IP addresses that have appeared in threat intelligence feeds within the last 90 days
- Processes making outbound connections that have no corresponding inbound connection history in the prior 30 days
Vendor and Supply Chain Awareness
Botnet infections increasingly originate through third-party software and supply chain vectors. The content delivery exploit enabling brand hijacking demonstrates how trusted distribution mechanisms become infection vectors. Maintain an inventory of all third-party software components and their update mechanisms. Treat unexpected software update traffic with the same scrutiny you apply to unknown outbound connections, because botnet operators have demonstrated the ability to compromise software update infrastructure to deliver implants to large numbers of endpoints simultaneously.
Integrating Agentic AI for Botnet Detection at Scale
As organizations move toward AI-assisted security operations, agentic AI systems capable of autonomously correlating telemetry across DNS, network flow, and endpoint data offer meaningful improvements in botnet detection speed. The practical guidance for CISOs building AI-ready security operations applies directly here: ensure that AI-assisted detection tools operate from a defined bill of materials that includes the threat intelligence feeds, behavioral models, and data sources they rely on. An agentic detection system working from stale or incomplete data produces high false-positive rates that train analysts to ignore alerts, recreating exactly the conditions that allowed the eleven-day botnet infection in our opening scenario to persist undetected.
Reporting and Post-Incident Documentation
After containing and remediating a botnet incident, thorough documentation serves multiple purposes. Internally, it informs improvements to detection rules, network segmentation policies, and patching prioritization. Externally, sharing sanitized indicators with ISACs and threat intelligence communities contributes to collective defense.
Document the following for every confirmed botnet incident: initial infection vector, timeline from first observable indicator to detection, full list of affected endpoints and accounts, C2 infrastructure details including IPs, domains, and ASNs, malware family if identified, and all remediation actions taken with timestamps. This documentation also satisfies regulatory reporting requirements where applicable and provides the factual basis for any engagement with law enforcement in cases involving large-scale data theft or infrastructure damage.
Botnet tracking and mitigation demands sustained attention across network, endpoint, and threat intelligence disciplines. The organizations that detect botnet infections in hours rather than days maintain integrated telemetry pipelines, enforce behavioral baselining over signature-only detection, and conduct proactive hunting that does not wait for automated alerts to fire. The investment required to build this capability is substantially smaller than the cost of discovering a botnet infection through a billing anomaly eleven days after the first infected host checked in.