Red Hot Cyber


What are Botnets? A Journey Through Malware, Cyber Threat Intelligence, and OSINT

Redazione RHC : 16 July 2025 11:25

The Internet provides a sea of information. We often talk on RHC about Open Source Intelligence (OSINT) and Cyber Threat Intelligence (CTI), i.e. those intelligence disciplines that deal with the research, collection and analysis of data and news of public interest drawn from open, closed or semi-closed sources.

OSINT (Open Source Intelligence), for example, is a long-established discipline, introduced during the Second World War by the United States of America following the surprise bombing of the fleet at Pearl Harbor by the Japanese army. If you want to understand it better, we refer you to one of our videos.

It is an intelligence discipline that deals with the research, collection, and analysis of data and news of public interest from open and public sources. This practice is based on the use of public information sources such as news, magazines, websites, social media, discussion forums, blogs, and any other information source accessible to the public.

Cyber Threat Intelligence (CTI), on the other hand, refers to a set of processes that deal with collecting, analyzing, and interpreting information regarding cyber threats in order to identify and mitigate cyber security risks. CTI relies on data collection from various sources, such as intelligence feeds, analyst reports, telemetry data, underground forums, social media, and other online communication channels. This data is then analyzed using artificial intelligence, machine learning, and data mining techniques to identify patterns and trends in cybercriminal behavior.

In this article, we will delve into the world of Botnets to better understand how they work technically and their close connection to Cyber Threat Intelligence and the world of OSINT.

What is a botnet

A botnet is a network of computers infected with malware, controlled by an individual called the bot master. The bot master is the person who manages the botnet infrastructure, using compromised computers to launch a variety of attacks such as injecting malware, harvesting credentials, or performing CPU-intensive tasks. Every single device within the botnet network is called a bot.

The first generation of botnets operated on a client-server architecture, in which a single command-and-control server (C&C) managed the entire botnet. The centralized model is simpler than a P2P model, but its disadvantage is that the C&C server is a single point of failure.

The two most common C&C communication channels are IRC and HTTP:

  • IRC (Internet Relay Chat) botnets: IRC botnets are among the earliest types of botnets and are controlled remotely through a server and a preconfigured IRC channel. Bots connect to the IRC server and await commands from the bot master;
  • HTTP botnets: An HTTP botnet is a web-based botnet in which the bot master uses the HTTP protocol to send commands. Bots periodically visit the server to fetch updates and new commands. Using HTTP allows the operator to disguise C&C traffic as normal web traffic.
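The periodic polling that gives HTTP botnets away is also what a defender can look for. The following is an added example, not code from the article or from Red Hot Cyber: it reads a constructed proxy log (the format, client address and host names are all made up for the demo) and flags client/host pairs that are contacted at nearly constant intervals, the signature of a bot checking in with its C&C on a timer.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real data): "<ISO timestamp> <client> <host> <method> <path>".
# The host names are made-up placeholders.
SAMPLE_LOG = """\
2025-07-16T09:00:00 10.0.0.5 update.example-cnc.test GET /gate.php
2025-07-16T09:00:03 10.0.0.5 www.example-news.test GET /
2025-07-16T09:00:41 10.0.0.5 www.example-news.test GET /article/1
2025-07-16T09:01:00 10.0.0.5 update.example-cnc.test GET /gate.php
2025-07-16T09:02:00 10.0.0.5 update.example-cnc.test GET /gate.php
2025-07-16T09:02:17 10.0.0.5 www.example-news.test GET /article/7
2025-07-16T09:03:01 10.0.0.5 update.example-cnc.test GET /gate.php
2025-07-16T09:04:00 10.0.0.5 update.example-cnc.test GET /gate.php
2025-07-16T09:05:00 10.0.0.5 update.example-cnc.test GET /gate.php
"""

def parse_log(text):
    """Yield (timestamp, client, host) from each log line."""
    for line in text.splitlines():
        ts, client, host, _method, _path = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts), client, host

def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {(client, host): mean_interval_s} for client/host pairs whose
    inter-request gaps are nearly constant (std dev / mean <= max_jitter).
    A bot polling its C&C on a timer fits this; human browsing rarely does."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (client, host), secs in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {host} every ~{secs}s: possible C&C beacon")
```

Real bots often add random jitter to their sleep timer, so in practice the tolerance and minimum request count need tuning against the baseline of the network being monitored.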

The types of Botnets are as follows:

  • DDoS Botnets: Infected bots can be used to launch powerful DDoS attacks against a specific target. Owners of these botnets can rent them out as DDoS services.
  • Network Discovery Botnets: Bots scan the internet for other vulnerable computers to infect with malware, turning them into bots in turn. This type of bot often seeks out specific targets (such as servers) to gain complete control, meaning access to data, software, and hardware resources;
  • Backdoor botnets: Bots are used to infect other computers and add them to the list of bots that can be controlled by the attacker for various purposes;
  • Information stealing botnets: Bots are used to collect personal information from their victims through various means (keyloggers, screenshot grabbers, etc.). The collected data is then sent back to the command and control server and resold in underground networks for money. These types of malware can be installed on victims’ computers manually (by tricking them into installing malicious software) or automatically (using drive-by download attacks).
  • Spam botnets: Many people think spam is a thing of the past, but virtually all of us have encountered it at least once in our lives, even accidentally. These types of malware are designed to send millions (or even billions) of unsolicited messages from infected computers around the world to their potential victims. The email addresses used by these botnets can be collected on public websites or by other means (for example, by infecting other computers).

How a Botnet Works

A botnet, as we have seen, can be used for many purposes, but to delve into this analysis, we must first understand how a botnet infection works.

The drawing below shows a schematic of a classic infection. The phishing email is only an example; the initial attack vector can vary.

In summary, we can divide the infection into six phases:

  1. The bot master sends the victim a phishing email, pushing them to click on the attachment through various forms of social engineering. For more information, you can read how BazarCall/BazarLoader works, a precursor malware widely used in ransomware activities, which illustrates these advanced forms of social engineering. In addition to classic phishing, malware that enrolls a machine in a botnet is often hidden inside executables (for example keygens) or pirated software;
  2. Once the user runs the software on the workstation, the malware starts sending information to the C2 (command and control) system. It usually begins with data such as session cookies from visited sites, sensitive user data stored on the hard disk, screenshots or videos of what happens on the workstation, and keystrokes, like a normal keylogger;
  3. The user, unaware of the malware, continues his activities, such as visiting the websites of the organization he works for, making banking transactions, etc…
  4. Obviously, all this valuable information is sent to the command and control system controlled by the attacker;
  5. Now the attacker can access this data, analyze it and understand how to benefit from this information;
  6. At this point, the bot master can resell this information to other criminals who can conduct illicit activities by simulating and impersonating the end user on whom the malware has been installed.

Cyber threat intelligence systems and dark feeds

There are various systems that allow you to scan the darknet for information regarding data leaks, possible domains or websites on which cybercriminals are organizing attacks, correlating the information with the clear web, producing reports and alerts to be analyzed manually.

In the case of botnets, there are sites in the underground (such as the more well-known Genesis) that were created to sell access to bots to other cybercriminals, so that they can then conduct targeted attacks, perhaps with prior knowledge of the victims’ activities.

The figure summarizes how bots feed a Cyber Threat Intelligence tool that integrates dark feeds.

Some intelligence systems have access to command and control systems or directly to the victims’ workstations, allowing analysts to perform targeted queries on the content exfiltrated by the bots.

This is because cyber criminals themselves make feeds and APIs available that can be integrated into CTI platforms, thus providing real-time access to cyber threats unfolding underground.

By analyzing this information, and searching these feeds by domain or email address, it is possible to understand what the real threats are and which bots are installed on workstations that access a specific domain.
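The domain search described above, as an added example that is not part of the article or of any CTI product: the feed schema (JSON lines carrying a bot id, infected hostname, malware family and harvested URL/username pairs) is an assumption, and the three records are constructed. A bot is reported if a harvested URL belongs to the queried domain (a workstation that logs in there) or if a harvested username is an e-mail address at that domain (a company account reused on another site).

```python
import json
from urllib.parse import urlsplit

# Constructed feed (not real data), one JSON object per line, in the shape a
# CTI platform might ingest from a stealer-log feed; the schema is assumed.
SAMPLE_FEED = """\
{"bot_id": "b-001", "hostname": "LAPTOP-ACME-17", "malware": "stealer-x", "creds": [{"url": "https://portal.acme-corp.test/login", "user": "j.doe@acme-corp.test"}, {"url": "https://mail.example-webmail.test/", "user": "jdoe77"}]}
{"bot_id": "b-002", "hostname": "HOME-PC", "malware": "stealer-y", "creds": [{"url": "https://shop.example-store.test/account", "user": "mary@acme-corp.test"}]}
{"bot_id": "b-003", "hostname": "DESKTOP-9", "malware": "stealer-x", "creds": [{"url": "https://vpn.other-firm.test/", "user": "bob@other-firm.test"}]}
"""

def _domain_matches(name, domain):
    """True if `name` is `domain` or one of its subdomains."""
    name = name.lower()
    return name == domain or name.endswith("." + domain)

def search_domain(feed_text, domain):
    """Return {bot_id: {"hostname", "malware", "hits"}} for every bot whose
    harvested credentials touch `domain`: as the URL host (a workstation
    that logs in to the domain) or as the e-mail domain of a harvested
    username (a company account reused on another site)."""
    domain = domain.lower()
    results = {}
    for line in feed_text.splitlines():
        rec = json.loads(line)
        hits = []
        for cred in rec.get("creds", []):
            host = urlsplit(cred["url"]).hostname or ""
            user = cred.get("user", "")
            if _domain_matches(host, domain):
                hits.append(("url", cred["url"]))
            elif "@" in user and _domain_matches(user.rsplit("@", 1)[1], domain):
                hits.append(("email", user))
        if hits:
            results[rec["bot_id"]] = {"hostname": rec["hostname"],
                                      "malware": rec["malware"], "hits": hits}
    return results

if __name__ == "__main__":
    for bot, info in search_domain(SAMPLE_FEED, "acme-corp.test").items():
        print(bot, info["hostname"], info["malware"], info["hits"])
```

The second record is the case worth noticing: the infected machine is a home PC, not a company asset, yet a corporate account has been harvested from it, so the credential must be treated as compromised even though no company workstation is involved.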

What is meant by a cyber threat intelligence system

A cyber threat intelligence system is a set of technologies, processes, and human resources that enable organizations to identify, analyze, and mitigate cyber threats. The system is based on the collection and analysis of information regarding the activities of cybercriminals, including their techniques, tools, and motivations.

Typically, the cyber threat intelligence system includes:

  1. Data collection: This may include scanning open or closed sources, collecting data from your own security systems, collaborating with other security experts, and participating in online security communities.
  2. Data analysis: The collected data must be processed to identify potential threats and cybercrime trends. This requires the use of advanced data analytics tools, such as machine learning and artificial intelligence.
  3. Intelligence dissemination: Once the intelligence has been analyzed, it must be disseminated to all stakeholders within the organization, including IT and security teams.
  4. Action: Finally, the organization must take steps to mitigate the threats identified through the intelligence. This may include implementing additional security measures, patching vulnerable software, or reporting criminal activity to the relevant authorities.

In summary, a cyber threat intelligence system helps organizations prevent and mitigate cyber threats by providing timely and detailed information on cybercriminals and their activities.

It goes without saying that knowing what cybercriminals are currently discussing about your company provides a significant strategic advantage in managing a threat.

How to protect ourselves from botnets

To protect ourselves from botnets, we need to put into practice a series of recommendations which are often the same ones we normally provide to protect ourselves from malware in general. Some of these can be summarized as follows:

  1. Install and keep quality antivirus software updated.
  2. Avoid opening suspicious emails and clicking on links or attachments from unknown sources.
  3. Keep your computer’s operating system and other software up to date.
  4. Use a strong password and change it regularly.
  5. Do not use the same password for multiple accounts.
  6. Use a secure, encrypted connection when making sensitive online transactions, such as banking.
  7. Do not share personal or sensitive information on unsecured websites.
  8. Use a firewall to block unauthorized access to your computer.
  9. Regularly monitor your computer’s activity and report any anomalies or suspicious activity.
  10. Use additional security tools, such as Internet security software, a spam filter, and an intrusion detection system to increase your protection against botnets.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
