Botnet

A network of malware-infected computers controlled remotely by an attacker — used to launch DDoS attacks, send spam, or spread malware without the owners' knowledge.

Botnet infections spread through phishing emails, malicious downloads, exploitation of unpatched vulnerabilities, and drive-by downloads from compromised websites. Once a device is infected, it phones home to a command-and-control (C2) server that issues instructions — run a DDoS attack, send spam, scan for other vulnerable hosts.

The infected device typically shows no obvious symptoms. The malware is designed to be quiet — a loud bot gets detected and remediated. The value to attackers is the aggregate scale: a botnet of 100,000 infected machines provides enormous DDoS capacity, spam-sending volume, or credential-stuffing capability.

From a defender's standpoint, a device on your network joining a botnet is a significant incident — it means malware is running with enough access to establish outbound C2 connections. EDR solutions detect botnet-related behavior (unusual outbound connections, process injection, persistence mechanisms). DNS filtering catches C2 communications by blocking known malicious domains.
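As an added illustration of the two detection approaches just mentioned (not part of the original glossary entry), the following Python runs a blocklist match that mirrors DNS filtering and a behavioural beaconing check over constructed DNS resolver log lines. The log format, client addresses, domains and blocklist are all made up for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log in a hypothetical "<ISO time> <client IP> <queried domain>" format.
DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.7 c2-relay.example.net
2024-05-01T10:05:01 10.0.0.7 c2-relay.example.net
2024-05-01T10:07:00 10.0.0.9 cdn.example.org
2024-05-01T10:10:01 10.0.0.7 c2-relay.example.net
2024-05-01T10:15:02 10.0.0.7 c2-relay.example.net
2024-05-01T10:30:00 10.0.0.9 cdn.example.org
2024-05-01T11:15:00 10.0.0.9 cdn.example.org
"""
# Constructed blocklist standing in for a DNS-filtering feed of known C2 domains.
BLOCKLIST = {"c2-relay.example.net"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, domain) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower().rstrip(".")

def blocklist_hits(text, blocklist=BLOCKLIST):
    """Signature check, as a DNS filter does it: {client: {known-bad domains it queried}}."""
    hits = defaultdict(set)
    for _, client, domain in parse_log(text):
        if domain in blocklist:
            hits[client].add(domain)
    return dict(hits)

def beacon_candidates(text, min_queries=4, max_jitter=0.1):
    """Behavioural check needing no blocklist: {(client, domain): mean gap in seconds} for
    pairs queried at near-constant intervals, the pattern of a bot checking in with its C2."""
    times = defaultdict(list)
    for ts, client, domain in parse_log(text):
        times[(client, domain)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # A coefficient of variation near zero means the check-ins are suspiciously regular.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = mean
    return found
```

The regular 5-minute queries from 10.0.0.7 are caught by both checks, while the irregular queries from 10.0.0.9 trip neither; in practice the beaconing threshold and minimum query count need tuning against legitimate periodic traffic such as update checks.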