Modern DDoS Botnets Explained

The Modern Era: from modular loaders to multi-vector flood engines

As defenders have become more aware of the classic tactics used by earlier botnets like BASHLITE, Mirai, and GameOver Zeus, threat actors have shifted focus to more resilient and evasive designs. In this second part of our botnet learning series, we explore how newer botnets – some active right now – are using encryption, peer-to-peer architecture, and multi-platform payloads to stay effective and hidden.

This article is part of a learning series about botnets:

  • Part 1: Anatomy of a Botnet
  • Part 2: Early Botnets: Analysis of infection methods, architecture and capabilities
  • Part 3: (This article) Modern botnets: modular loaders and multi-vector flood engines

How are modern botnets spreading?

Recent botnets tend to avoid single points of failure. Instead of relying on hardcoded command-and-control IPs or simple credential brute-forcing, they scan across device types (especially routers and IoT nodes), use domain generation or DNS tunnelling for persistence, and often support multiple CPU architectures from the outset – including ARM, MIPS, and x86.

Modern botnets are harder to detect, harder to stop, and built for more than just volume. Unlike earlier waves that relied on brute-force floods, current variants are often cross-platform, encrypted, and designed to persist inside networks while generating revenue quietly.

Take PumaBot as an example. It uses brute-force SSH attacks to break into Linux-based IoT devices. Once inside, it sets up encrypted control channels and repurposes the hardware for cryptomining, proxy traffic, or credential theft, all with minimal noise.

HTTPBot, first seen in 2024, focuses on application-layer (Layer 7) DDoS. It targets smart devices and servers alike, delivering HTTP/2 floods that exhaust web-facing services. Written in Go, it’s fast, portable, and efficient.

Ballista exploits known router vulnerabilities, like those in certain 2023 TP-Link models. Once installed, it hides behind Tor and enables remote control through an encrypted channel. It’s often used for targeted disruption or traffic manipulation.

Vo1d takes aim at Android TV boxes, embedding itself via compromised firmware. These devices are then used for DDoS, ad fraud, or traffic redirection. It’s another reminder that consumer electronics are fully in scope for botnet operators.

Chaos supports multiple platforms, including Windows and Linux, and comes with centralised C2 and support for cryptomining. Built in Go, it’s compact and easy to deploy across diverse environments.

FritzFrog operates without central control. It spreads laterally using SSH and forms a peer-to-peer mesh network where each node can receive and forward commands. It mines crypto and resists takedown due to its decentralised structure.

In short, today’s botnets combine stealth, persistence, and multi-purpose payloads. They don’t just flood; they adapt, hide, and monetise.

What architectures are we seeing now?

Where botnets once leaned on simple centralised infrastructure (e.g. IRC or HTTP C2s), today’s threats are more diverse. We’ve seen:

  • Encrypted centralised C2s: Like in HTTPBot, which sends Layer 7 flooding commands over encrypted TCP, using self-updating configurations to adapt its targeting.
  • Decentralised P2P: Seen in FritzFrog, which avoids a single C2 by relying on a peer-to-peer model over SSH. Each infected node acts as a relay, making detection and mapping far more complex.
  • Hybrid control systems: Used by GorillaBot and AIRASHI, combining central servers with encrypted relay layers or domain-fluxed C2 addresses to avoid IP blacklisting.

These design choices show that evasion is now a key design principle for active botnet developers.

Are they harder to stop?

Yes, and not just because of encryption or P2P. Many modern botnets include self-patching mechanisms, obfuscate their binaries, and rotate infrastructure as frequently as possible. Infection rates have climbed due to the sheer number of exploitable consumer-grade devices now connected to the internet with poor configurations or no firmware updates.

Botnets like Chaos and AIRASHI don’t just use new techniques; they also recycle old ones effectively. Weak SSH configurations, open Telnet, outdated firmware: these remain the low-hanging fruit. What’s changed is how quickly attackers can scale, and how long they can stay inside undetected.

What to expect next?

As we’ve seen from these charts, botnets are no longer simple DDoS engines, but evolving platforms with plugin-style payloads, and many of them operate as rented infrastructure in criminal marketplaces.

The next wave will likely include more automation, better persistence, and deeper integration with AI-assisted reconnaissance. That’s not speculation: it’s already visible in leaked forum posts and in the design of loaders seen this year.

If your defensive tools rely on fixed IP blocks or regex filtering alone, they’re going to fall behind. Real-time behavioural analysis, anomaly detection, and layered DDoS mitigation are now baseline requirements for any infrastructure with public exposure.
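An added illustration, not code from the original article: a constructed request sample in which a Layer 7 flood comes from many rotating sources that each send only one request per second, so a fixed per-source threshold never trips, while a per-target behavioural baseline (request volume and distinct-source count against recent history) flags it. The warm-up length, the multiplier k and the 2x-baseline floor are assumed tuning values.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed traffic sample, not captured data: (second, source_ip, path).
# Seconds 0-9 are normal load (5 sources, one request each per second); seconds 10-11
# are a Layer 7 flood from 100 rotating sources that each send one request per second.
def build_sample():
    events = [(t, f"10.0.0.{i + 1}", "/") for t in range(10) for i in range(5)]
    events += [(t, f"198.51.100.{i}", "/search") for t in (10, 11) for i in range(100)]
    return events

def per_source_offenders(events, limit=20):
    """Legacy approach: block any single source exceeding `limit` requests in one second.
    Rotating sources stay under the limit, so this returns nothing for the flood."""
    per_sec_src = Counter((t, src) for t, src, _ in events)
    return sorted({src for (_, src), n in per_sec_src.items() if n > limit})

def behavioural_alerts(events, warmup=5, k=4.0):
    """Compare each second's total requests and distinct sources against the history of
    preceding seconds. A metric is flagged when it exceeds max(mean + k*stdev, 2*mean)
    (assumed tuning). Seconds that raise an alert are NOT added to the history, so a
    sustained flood cannot poison its own baseline. Returns (second, metric, value, threshold)."""
    totals = Counter(t for t, _, _ in events)
    sources = defaultdict(set)
    for t, src, _ in events:
        sources[t].add(src)
    hist_total, hist_src, alerts = [], [], []
    for t in sorted(totals):
        current = (("requests", totals[t], hist_total), ("sources", len(sources[t]), hist_src))
        fired = False
        if len(hist_total) >= warmup:  # the first `warmup` seconds only build the baseline
            for name, value, hist in current:
                base = float(mean(hist))
                threshold = max(base + k * pstdev(hist), 2 * base)
                if value > threshold:
                    alerts.append((t, name, value, round(threshold, 1)))
                    fired = True
        if not fired:
            hist_total.append(totals[t])
            hist_src.append(len(sources[t]))
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-source blocklist:", per_source_offenders(sample))  # empty: nobody exceeds 20 req/s
    for alert in behavioural_alerts(sample):
        print("behavioural alert:", alert)
```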


About FastNetMon

FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.

For more information, visit https://fastnetmon.com
