
Meet the botnets breaking the Internet: Part 1

For over two decades, botnets have been at the heart of some of the most disruptive activity online – from large-scale DDoS campaigns to credential theft and malware distribution. While the end goals haven’t changed much, the technical machinery behind them has evolved in significant ways.

In the previous part of this learning series, we covered the basics of what a botnet actually is. This blog offers a side-by-side view of how botnets have developed over time. We look at their infection strategies, command-and-control (C2) infrastructure, and the attack types they’re built to deliver.

How did early botnets operate?

The earliest botnets made use of basic but effective building blocks: centralised control, insecure services like telnet, and often minimal obfuscation.

BASHLITE, for example, was one of the first to exploit the Shellshock vulnerability and open telnet ports to conscript IoT devices into simple flood-based DDoS attacks. Its architecture was straightforward – infected devices reported back to an IRC or HTTP server that would broadcast commands.

GameOver Zeus, on the other hand, introduced a more resilient model with its peer-to-peer (P2P) design. Rather than talking to a single C2 server, each infected node could forward commands and updates, making takedown attempts far more complex. It doubled as a loader for ransomware and financial malware, often stealing credentials before delivering a secondary payload.

Necurs took a different route. Rather than relying on centralised or P2P infrastructure, it used a Domain Generation Algorithm (DGA) to dynamically produce lists of potential command-and-control domains. This made it difficult to block via static blacklists. Necurs was primarily used as a spam delivery engine, often pushing payloads like Dridex and Locky through massive email campaigns. It also supported malware loaders, giving it flexibility beyond pure spamming.

Emotet started as a banking trojan but evolved into a modular platform that distributed other malware families, including TrickBot and Ryuk. It spread via malicious email attachments and used macros to establish footholds in corporate environments. Its infrastructure blended centralised control with fast-flux DNS, which rotated C2 endpoints rapidly to avoid detection and takedown.
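The two C2 evasion techniques just described, DGA-generated domains (Necurs) and fast-flux rotation of C2 addresses (Emotet), both leave traces in resolver logs. The script below is an added example, not code from the original post or from FastNetMon: it runs two first-pass heuristics over a constructed resolver log, a high-entropy, vowel-poor second-level label for DGA-like names and many distinct answer IPs at a low TTL for fast-flux. The log format, thresholds and domain names are assumptions for the demo.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the post): "<epoch> <client> <domain> <answer_ip> <ttl>"
SAMPLE_DNS_LOG = """\
1714000001 10.0.0.5 www.example.com 93.184.216.34 3600
1714000002 10.0.0.5 qzxkvjwplmtrn.net 203.0.113.10 60
1714000010 10.0.0.9 updates.example.net 198.51.100.5 120
1714000020 10.0.0.9 updates.example.net 198.51.100.6 120
1714000030 10.0.0.7 fluxy.example 198.51.100.21 30
1714000031 10.0.0.7 fluxy.example 198.51.100.22 30
1714000032 10.0.0.5 fluxy.example 198.51.100.23 30
1714000033 10.0.0.9 fluxy.example 198.51.100.24 30
"""

def parse_dns_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        records.append({"domain": parts[2].lower().rstrip("."),
                        "ip": parts[3], "ttl": int(parts[4])})
    return records

def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    probs = [s.count(ch) / len(s) for ch in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def is_dga_like(domain, min_len=8, min_entropy=3.3, max_vowel_ratio=0.25):
    """First-pass heuristic on the second-level label; tune thresholds to your baseline."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def dga_candidates(records):
    return sorted({r["domain"] for r in records if is_dga_like(r["domain"])})

def fast_flux_candidates(records, min_ips=4, max_ttl=120):
    """Domains answered with many distinct IPs at a low TTL within the window."""
    ips, ttls = defaultdict(set), defaultdict(int)
    for r in records:
        ips[r["domain"]].add(r["ip"])
        ttls[r["domain"]] = max(ttls[r["domain"]], r["ttl"])  # worst-case TTL seen
    return sorted(d for d in ips if len(ips[d]) >= min_ips and ttls[d] <= max_ttl)
```

Both heuristics produce candidates for review, not verdicts: legitimate CDNs also rotate IPs at low TTLs, so the fast-flux list should be checked against known-good infrastructure before blocking.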

Mirai, which went public in 2016, made a name for itself by targeting IoT devices with default credentials. Its architecture remained centralised but modular, allowing attackers to push updates and switch between attack modes easily. Mirai’s floods included SYN, UDP, HTTP, and even GRE-based vectors, making it one of the most versatile DDoS tools at the time.

Each of these early botnets demonstrates a step forward in automation, resilience, or scalability. From simple command broadcasts to dynamic domain lookups and polymorphic loaders, attackers continued to iterate on what made previous generations work, while defenders played catch-up.

The chart below illustrates the fundamental architecture and communication methods used by early botnets, highlighting their reliance on centralised control and unencrypted protocols.

The early botnets were noisy, largely unencrypted, and relatively easy to take down if the central C2 infrastructure was identified. But they worked – largely because devices were unpatched, unmonitored, and completely exposed to the public internet.

What are the botnets doing once deployed?

Early botnets typically stuck to simple tasks: spam, flooding, or keylogging. Modern botnets are more ambitious. They run layered attacks, mix DDoS with crypto mining, and often act as malware delivery systems for hire.

Let’s take Aquabot and GorillaBot as examples. Aquabot targets Linux-based routers and cameras with UPnP and telnet vulnerabilities. Once inside, it launches HTTP/2 floods, a protocol-level attack that bypasses many legacy DDoS filters. GorillaBot, meanwhile, supports a wide array of DDoS vectors, from DNS amplification to TLS handshake abuse, and compiles itself for multiple chipsets to maximise coverage.

Some, like AIRASHI, go further by mixing application- and transport-layer attacks, often launching Layer 7 floods that mimic legitimate browser behaviour. Others, such as Matrix, appear to target containers and virtual machines directly, suggesting an increasing focus on enterprise systems, not just consumer-grade hardware.

Matrix doesn’t go after your average smart camera or dusty home router. It sets its sights higher – on servers and container platforms, the kind powering apps, cloud services, and virtual machines. First spotted in 2024, Matrix feels like a botnet built by someone who knows infrastructure. It quietly slips into Linux environments, often via misconfigured or unpatched systems. Its command network is scattered and encrypted, so even if you shut down one part, others keep running. Matrix is deliberate, but not chaotic. It doesn’t flood the internet just to make noise. Instead, it launches targeted, high-cost attacks – like overwhelming HTTPS connections or abusing the HTTP/2 protocol – meant to drain resources and make services buckle under pressure. It’s less about brute strength and more about strategic disruption.

Eleven11Bot, by contrast, feels like a street brawler. It’s aggressive, loud, and has one goal: break in and hit hard. Surfacing in 2025, it’s been seen prowling the edges of the internet, finding overlooked HiSilicon-based devices (security cameras, DVRs, and cheap routers) and muscling its way in through weak login pages or insecure firmware. Once it’s in, the devices are quickly drafted into a fast-moving swarm that launches raw, overwhelming traffic toward whatever target the operator picks. There’s no elegance here, just relentless pressure. Eleven11Bot rotates its IPs, keeps the flood steady, and wears down defences over time. It’s the kind of threat that doesn’t need to be clever, just persistent enough to break through.

How has botnet architecture evolved?

Modern botnets have borrowed from both the centralised and the P2P models. Some still rely on centralised infrastructure, often obfuscated or hidden behind DNS tunnelling and fast-flux domains. Others have gone fully P2P. Many now use encrypted channels, frequently rotate addresses, or layer their infrastructure across multiple regions and ISPs to slow down attribution and disruption.

Mirai marked a turning point. Its source code was released in 2016 and led to an explosion of variants and derivatives. Written in C and designed for IoT environments, Mirai infected devices by brute-forcing default credentials. Its modular design and simple architecture made it easy to adapt and impossible to fully contain once the source was public.

Today’s botnets often include their own update mechanisms, loaders for additional malware, and support for multiple CPU architectures (MIPS, ARM, x86). This allows them to target a much wider pool of devices, from routers and DVRs to NAS units and cloud instances.
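When a multi-architecture dropper set like the one described above is recovered, the first triage step is sorting the samples by the CPU they were built for. The script below is an added example, not code from the original post or from FastNetMon: it reads only the ELF identification bytes and e_machine field of each file, so it works on stripped or partially downloaded samples. The sample "binaries" are constructed 20-byte headers, and the file names are made up for the demo.

```python
import struct

# Standard e_machine values from the ELF specification (subset common on IoT).
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PowerPC", 21: "PowerPC64", 40: "ARM",
            42: "SuperH", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}

def classify_elf(data):
    """Return (class, endianness, machine) for an ELF image, or None if not ELF.

    Only the first 20 bytes are needed: e_ident (16 bytes), e_type, e_machine.
    e_machine is read with the byte order declared in e_ident[EI_DATA]."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed or deliberately odd header; inspect by hand
    fmt = "<H" if ei_data == 1 else ">H"
    (machine,) = struct.unpack_from(fmt, data, 18)
    return ("ELF32" if ei_class == 1 else "ELF64",
            "little" if ei_data == 1 else "big",
            EM_NAMES.get(machine, f"unknown(0x{machine:x})"))

def make_elf_header(ei_class, ei_data, machine, e_type=2):
    """Constructed minimal ELF header (not a real binary) for the demo below."""
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0, 0]) + b"\x00" * 7
    return e_ident + struct.pack(fmt, e_type, machine)

# Constructed "dropper set" in the style of a multi-architecture IoT botnet payload
# directory: file name -> raw bytes. Names are made up for the example.
SAMPLES = {
    "bot.mips": make_elf_header(1, 2, 8),      # 32-bit big-endian MIPS
    "bot.mpsl": make_elf_header(1, 1, 8),      # 32-bit little-endian MIPS
    "bot.arm7": make_elf_header(1, 1, 40),
    "bot.arm64": make_elf_header(2, 1, 183),
    "bot.x86": make_elf_header(1, 1, 3),
    "bot.x86_64": make_elf_header(2, 1, 62),
    "README.txt": b"not an executable\n",
}

def triage_by_architecture(samples):
    """Group files by (class, endian, machine); non-ELF files land under 'non-ELF'."""
    groups = {}
    for name, data in samples.items():
        info = classify_elf(data)
        key = "non-ELF" if info is None else " ".join(info)
        groups.setdefault(key, []).append(name)
    return {k: sorted(v) for k, v in groups.items()}
```

The resulting groups tell an analyst which device classes the set was built to run on, and an unexpected architecture (or an unknown e_machine value) is a useful prompt to look at that sample more closely.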

How have botnets changed, and what are defenders up against today?

While early botnets were easy to fingerprint and block with signature-based tools, today’s variants often blend in with normal traffic. The traffic may be encrypted, the payload polymorphic, and the infrastructure decentralised or rapidly shifting.

Stay tuned for Part 2! We’ll dig into today’s most active botnet families: how they spread, what they target, and why traditional defences are struggling to keep up.

About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com
