
Top threats of the 2024 botnet landscape
Our last post on botnets explored the terminology, architectures, and capabilities of these versatile attack tools. This post will take a closer look at the most dominant botnets of the last year.
The largest known botnet was the 911 S5 botnet that was dismantled in 2024. At its peak it had about 19 million active bots operating in 190 countries. 911 S5 was spread through infected VPN applications, like MaskVPN, DewVPN, ShieldVPN, and a few more. A botnet might include personal computers, business servers, mobile devices, and Internet of Things (IoT) devices like smart thermostats, cameras, and routers. The composition of the botnet depends on the malware. For example, the new Eleven11bot botnet only uses HiSilicon-based devices running TVT-NVMS9000 software, because the malware is designed to exploit a single vulnerability in these devices. This limits the composition and size of the botnet, though the botmaster may be adding new capabilities to grow the network.
The damage from botnet attacks manifests in multiple ways: business disruptions, widespread data theft operations, ransomware distribution campaigns, and even cryptojacking activities where computing resources are hijacked for cryptocurrency mining. The cascading effects of these attacks include data breaches, financial losses, and reputational damage that can take years to overcome.
Botnets, botmasters, and capabilities are always changing. Like ransomware threats, botmasters and affiliated threat actors want to expand the reach of their attacks. They may specialize in one specific type of crime, but they’ll enhance their operations to infect more devices and add redundancy to their networks. It isn’t clear how many botnets are active at one time, or how many emerge or are disrupted each year. Botnet activity is typically measured by attack metrics rather than the number and size of botnets. However, one recent study found that botnet activity is becoming stronger and more destructive. Some key findings:
- The total number of DDoS attacks in 2024 increased by 53% compared to 2023.
- The most powerful DDoS attack of 2024 peaked at 1.14 Tbps, which is 65% higher than the previous year’s record of 0.69 Tbps.
- The largest botnet we detected in 2024 consisted of 227,000 devices (compared to the largest botnet in 2023, which included “just” about 136,000 devices). This rapid growth in botnet size is attributed to the rising number of outdated devices in developing countries.
The study also found that multivector attacks increased by 8% over 2023, which means attackers are sophisticated enough to hit the same target in multiple ways at once. We will cover multivector attacks in a future post.
Top botnets of 2024
We can’t get into all the botnets that have been active over the last year, but we can dig into a few of them. These are some of the most dominant of 2024.
Phorpiex Botnet
Phorpiex has been active for over a decade, with the exception of about five months in 2021 when the original operator shut down the network and sold the source code.
It was back online by December of that year, although it reemerged as a variant called ‘Trik’ or ‘Twizt.’ The new version could operate in peer-to-peer mode, which added resiliency by removing the need for command and control (C2) servers. Phorpiex is primarily used to distribute ransomware through massive spam campaigns. It has also been particularly associated with sextortion campaigns and the delivery of other malware payloads. In April 2024, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) identified a LockBit-branded ransomware campaign delivered by the Phorpiex botnet. This was one of the most notable Phorpiex attacks in 2024.
This malware has undergone several iterations to stay ahead of security measures. The updates typically focus on improving the botnet’s spam distribution capabilities and enhancing its ability to deliver other malware payloads effectively. Operators cleverly took advantage of the remote workforce at the height of the pandemic by exploiting flaws in applications like Zoom. Information captured through these methods was used to fine-tune their extortion material.
Phorpiex is not the most sophisticated botnet, but its use in ransomware distribution and phishing campaigns has made it one of the top volume-based threats of 2024.
Androxgh0st Botnet
Androxgh0st was identified by researchers in late 2022, though it may have been active earlier. Analysts found code similarities with Mozi botnet malware, and observed Androxgh0st deploying Mozi payloads against IoT devices. This is a significant link between the two, leading to the theory that Androxgh0st was an integration or evolution of Mozi. The Mozi botnet ‘faded out’ in August 2023, and it’s not definitively known if Mozi was shut down or if it fully merged with Androxgh0st. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) in January 2024:
Androxgh0st malware establishes a botnet for victim identification and exploitation in vulnerable networks, and targets files that contain confidential information, such as credentials, for various high profile applications.
Security researchers suspect “with low confidence” that Androxgh0st is operated by threat actors aligned with the interests of the People’s Republic of China (PRC). It represents a new generation of hybrid botnets that combine capabilities from multiple sources. The botnet targets Windows, Mac, and Linux systems, and exploits personal computers, web servers, and IoT devices. These capabilities expand the botnet’s reach across networks and the global internet. Many consider Androxgh0st a significant threat to critical infrastructure and national security.
What distinguishes this botnet is its broad exploitation capability: it targets vulnerabilities in VPNs, firewalls, routers, and web applications, giving it exceptional versatility in compromising different types of systems. This adaptability makes it particularly challenging to defend against. Androxgh0st is known for the diversity of its attack portfolio, including DDoS attacks, data theft operations, and cloud-focused credential theft.
Gafgyt (Bashlite) Botnet
Gafgyt, originally named Bashlite, is a botnet affecting IoT devices and Linux-based systems. It was first observed around 2014 and has successfully adapted to advances in cybersecurity and threat intelligence. There are several variants, including some that have incorporated Mirai botnet code to expand command and attack capabilities. Gafgyt-based botnets are capable of brute-force and DDoS attacks, credential theft, and GPU-powered cryptomining. Gafgyt will also kill any competing malware already found on the system.
In 2024, Gafgyt started targeting cloud-native environments, allowing it to conduct more CPU-intense operations. It has been particularly effective at infecting wireless routers from manufacturers like TP-Link and Zyxel. It is currently operated as a botnet-as-a-service (BaaS) and linked to a threat actor named Keksec, also known as FreakOut.
Gafgyt exploits weak passwords and known vulnerabilities in IoT devices and cloud environments. It currently appears to have a dual focus of generating revenue through cryptomining while maintaining the capability to launch powerful, multivector DDoS attacks. This makes it attractive to criminals looking for multiple revenue streams through a single *-as-a-service operation.
Mirai Botnet
Mirai has an interesting story. It was created in 2016 by Paras Jha, Josiah White, and Dalton Norman. Jha and his associates designed Mirai to launch DDoS attacks against rival servers, then offered protection services to those servers through their company, ProTraf Solutions. Brian Krebs was instrumental in the investigation that brought the Mirai botmasters to justice. You can find Krebs’ coverage here and more background info here.
The leak of Mirai source code was a watershed moment in cybersecurity. Consider the immediate and long-term impacts:
- The barriers to launching a botnet were lowered, because anyone with basic technical skills could use the Mirai code as a starting point. This led to a surge in DDoS attacks and a proliferation of hybrid botnets that incorporated Mirai capabilities. The 2016 attack on Dyn used a Mirai variant.
- Mirai exposed the risks of using default credentials and configurations on IoT devices. Prior to Mirai and botnet proliferation, the risks to IoT devices were just theoretical. The industry accelerated IoT security standards after the leak.
- The leaked code became an accelerator for new threats. By starting with a working botnet malware, threat actors could focus on developing new capabilities like cryptocurrency mining and multivector DDoS attacks.
Mirai specializes in powerful DDoS attacks launched by IoT devices. Several vendors have found that about 72% of new IoT malware contains Mirai code. This could be attributed to the original brute force logic and command-and-control protocols, which are usually cloned into new variants.
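The default-credential brute forcing that Mirai and its descendants rely on is distributed across many bots, so each source tries only a handful of logins and per-source lockout thresholds never fire. The detector below is an added example written for this post (not code from Barracuda, Mirai, or any vendor) that aggregates failed logins per target device instead; the log format, the `DEFAULT_USERS` list, and the sample lines are all constructed for illustration.

```python
"""Detect Mirai-style distributed default-credential brute forcing: each bot
tries only a few logins, so aggregate failures per *target*, not per source."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telnet/SSH auth log in an assumed format (not a real device).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z device=cam-17 src=203.0.113.5 user=root result=FAIL
2024-03-01T10:00:03Z device=cam-17 src=198.51.100.9 user=admin result=FAIL
2024-03-01T10:00:04Z device=cam-17 src=192.0.2.44 user=support result=FAIL
2024-03-01T10:00:06Z device=cam-17 src=203.0.113.77 user=root result=FAIL
2024-03-01T10:05:00Z device=nvr-02 src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:05:30Z device=nvr-02 src=203.0.113.5 user=alice result=OK
"""
# Usernames commonly shipped as factory defaults on embedded devices
# (illustrative list, not a vendor-specific table).
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service"}
LINE_RE = re.compile(r"^(?P<ts>\S+) device=(?P<device>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def find_distributed_bruteforce(text, window=timedelta(minutes=5),
                                min_sources=3, min_default_users=2):
    """Return {device: (n_sources, default_users)} for devices that saw failed
    default-username logins from >= min_sources sources inside a sliding window."""
    by_device = defaultdict(list)
    for ev in parse_log(text):
        if ev["result"] == "FAIL" and ev["user"] in DEFAULT_USERS:
            by_device[ev["device"]].append(ev)
    hits = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window
                start += 1
            win = evs[start:end + 1]
            sources = {e["src"] for e in win}
            users = {e["user"] for e in win}
            if len(sources) >= min_sources and len(users) >= min_default_users:
                hits[device] = (len(sources), sorted(users))
    return hits
```

In the sample, cam-17 is flagged because four different sources cycled through three default usernames within seconds, while nvr-02 (one source, a non-default user) is not.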
A fluid landscape
The worldwide botnet threat is always changing. When one botnet is neutralized through law enforcement action or security measures, new variants or entirely new botnets quickly emerge to fill the void. This constant evolution presents significant challenges for defenders who need to secure assets from current and future unknown threats. However, we can identify several key trends in the botnet landscape:
- Increasing specialization, with some botnets focusing on specific attack types or targets.
- Greater sophistication in evasion techniques, making detection and attribution more difficult.
- The commercialization of botnet capabilities through "Botnet-as-a-Service" models.
- The convergence of botnet capabilities, such as multiple attack vectors or revenue streams from a single botnet.
- Strategic positioning of botnet resources in jurisdictions with limited international cooperation on cybercrime enforcement.
Effective botnet protection comes from combining technological solutions with human awareness and organizational preparedness. By staying informed about emerging threats and implementing comprehensive security measures, organizations and individuals can significantly reduce their vulnerability to these powerful and persistent cybersecurity threats.
Mitigation and Bot Protection
Protecting against botnet threats requires a multi-layered approach that addresses both prevention of infection and mitigation of attacks. Barracuda Advanced Bot Protection is the ultimate tool for combating multivector botnet attacks. By providing proactive defense mechanisms, enhanced visibility, and customizable controls, it empowers businesses to protect their companies and maintain their competitive edge in an increasingly automated world.