4 Ways to Protect Networks from Botnets Before It’s Too Late

Imagine waking up to find that someone has infiltrated into your home, the place where you feel safest, and taken over control of every device you own. With no sign of forced entry, just your everyday smart devices are now silently enlisted as digital warriors, a botnet, that sends attacks to places, people, and companies you don’t know. Your security cameras, smart thermostats, and even your smart freezer could be working for cybercriminals right now.

While this may sound like a science fiction movie, cybercriminals deploy malware to these innocent devices every day, using them for their own nefarious purposes. From large-scale Distributed Denial of Service (DDoS) attacks that cause digital service outages to brute-force credential stuffing that provide unauthorized access to sensitive data, cybercriminals are increasingly weaponizing botnets by exploiting the weakest link in the chain. Often, that link is an unsecured personal device.

While the Mirai botnet may be one of the most famous in the cybersecurity world, threat actors follow that model regularly. In the beginning of March 2025, HUMAN Security’s Satori Threat Intelligence and Research team found that a China-based ecosystem, dubbed Badbox 2.0, had deployed malware to over 1 million consumer devices like TV streaming boxes, tablets, projectors, and after-sale car infotainment systems. Starting with off-brand Android-based devices, the attackers were able to perpetuate fraud across 22 countries with the scammer-controlled botnet. Simultaneously, the Eleven11bot DDoS attack targeted telecom companies and gaming platforms, using somewhere between 5,000 or upwards of 30,000 compromised devices. 

With the ability to control these difficult-to-secure Internet of Things (IoT) devices, attackers increasingly rely on botnet malware to accomplish their objectives. 

The Anatomy of a Botnet

At its core, a botnet comprises numerous internet-connected devices infected with malware. Usually, a single weak link — a smart camera containing an unpatched vulnerability or a router with a default password — enables attackers to install malware and take remote control over the device. 

Once compromised, these devices operate under a cybercriminal’s command, forming vast networks that attackers use for illegal activities. Often, the large number of compromised devices enables them to deploy DDoS attacks, sending high volumes of requests that overwhelm websites and services while also spreading malware across networks. The impact of these attacks can range from disrupting business operations to data theft to manipulating online traffic and transactions. The stealthy nature of these infiltrations means that many users remain oblivious to their devices’ malicious activities.

Internet Service Providers (ISPs) may issue warnings about unusual traffic patterns, indicating potential botnet activity. However, many people and organizations ignore these alerts.

Whether an employee or organization is trying to determine if home devices are part of a botnet, these attacks all include similar warning signs:

• Unusually slow internet speeds or unexplained bandwidth spikes.
• Frequent device crashes or reboots without reason.
• ISP notifications about suspicious activity coming from your home network.
• Inability to access device settings because an attacker has locked you out.

4 Best Practices for Mitigating Botnet Malware Risk

Organizations may not be able to control the devices that their work-from-anywhere employees have in their homes. However, they can take steps to improve end-user cyber awareness and strengthen their own network defenses. 

Start with Access

As organizations moved their operations to the cloud, the perimeter shifted. While a company may not be able to control an employee’s home network security, they can provide information about securing access to applications and company-owned devices. By extension, employees can apply these same access protections to their own home devices. 

At a minimum, some protections that apply to all network connected devices include: 

• Changing default passwords on all smart devices and routers immediately.
• Using strong, unique credentials — long, complex passwords that are different for each device.
• Enabling two-factor authentication (2FA) where possible to add an extra layer of security.

Keep Everything Updated

Increasingly, attackers use known vulnerabilities to deploy malware on end-user devices. While an organization may not be able to control how remote workers manage their personal devices at home, they can apply security updates to all corporate devices. By engaging in these practices, the organization can limit its own risk by reducing the likelihood that attackers will compromise corporate assets. 

Some best practices for improving device security include:

• Regularly updating your devices’ firmware to patch security vulnerabilities.
• Turning on automatic updates whenever available.
• Replacing outdated devices that no longer receive manufacturer support.

Segment Your Network

Remote employees are not the only IoT risk facing companies. Many organizations use IoT devices for business purposes. From security cameras and smart TVs to printers and smart lighting sensors, organizations need to implement security controls that limit attackers’ ability to compromise these corporate assets. 

With network segmentation, organizations can improve security by grouping critical assets together so they can monitor those network areas more precisely. Some best practices for segmenting networks include:

• Create VLANs (Virtual Local Area Networks) to separate your IoT devices from critical systems.
• Use guest networks for smart home gadgets, keeping them isolated from work or personal data.
• Monitor device traffic using security software or your router’s settings.

Pay Attention to Warnings

Many security teams are overwhelmed with alerts and false positives that lead them down a rabbit hole of unnecessary investigation, making it easy to ignore warnings that they feel are irrelevant. However, threat intelligence is public information based on known attacker activity. By correlating this information with other security data, analysts can improve their alerts and reduce false positives. 

Some best practices for improving detections includes correlating: 

• ISP notifications about unusual activities.
• Network scanner tools that identify unauthorized devices connected to your Wi-Fi.
• Configurations for any device you suspect may be compromised.

The Bigger Picture: A Global Cybersecurity Threat

Cybercriminals are increasingly leveraging artificial intelligence to automate attacks, making them more sophisticated and harder to detect. Meanwhile, emerging quantum computing threats pose risks to encryption methods that secure critical systems.

This alarming trend highlights the necessity for unified defenses and information sharing among cybersecurity professionals, organizations, and individuals. And this is only one first step — cybercriminals rely on lax security practices to build their attack infrastructure, and by taking a proactive, continuous approach to security, we can collectively reduce their operational effectiveness.