MITRE ATT&CK® Technique

T1583.005: Botnet

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.[1] Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service.

Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.[2]

With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).[3][4][5][6] Acquired botnets may also be used to support Command and Control activity, such as Hide Infrastructure through an established Proxy network.

Enterprise · T1583.005 · Sub-technique · Object v1.2 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Botnet acquisition is a pre-compromise resource-development behavior: an adversary buys, rents, or leases access to compromised systems, including booter/stresser services, operational relay box networks, VPSs, SOHO routers, IoT devices, and unsupported edge appliances. For leaders, the significance is that the attacker can arrive with scale and anonymity already in place, enabling follow-on phishing, DDoS, or proxy-based command-and-control activity before the victim sees an intrusion attempt.

Executive priority

Treat this as an early-warning and resilience issue, not only a malware issue. Security leaders should ask whether the organization can withstand botnet-enabled DDoS, recognize phishing at scale, and investigate traffic that is intentionally routed through proxy or relay infrastructure. Budget and control decisions should prioritize pre-compromise measures: attack-surface reduction, replacement of unsupported internet-facing appliances, DDoS readiness, email and web telemetry retention, and threat-intelligence processes that can turn botnet/ORB indicators into timely SOC action.

Technical view

This technique sits under Acquire Infrastructure in the Resource Development tactic and is marked for the PRE platform, so direct observation of the adversary acquiring the botnet is usually limited. SOC and IR teams should validate downstream visibility for the ways ATT&CK says acquired botnets may be used: large-scale phishing, DDoS, and command-and-control through proxy infrastructure. The supplied relationship context includes DET0837, Detection of Botnet, but the ATT&CK object provides no official detection text; detection engineering should therefore focus on local telemetry, threat-intelligence enrichment, and behavior around traffic volume, relay/proxy use, and campaign correlation rather than assuming a single definitive analytic.

Likely telemetry

  • Threat-intelligence indicators and context for botnet, booter/stresser, ORB, VPS, SOHO router, and IoT relay infrastructure
  • DNS resolver logs and passive DNS context for domains or hosts associated with suspected relay/proxy infrastructure
  • Firewall, proxy, VPN, and network flow records showing unusual outbound connections through intermediary infrastructure
  • Email gateway and phishing-report metadata for large-scale or coordinated phishing waves
  • DDoS protection, CDN, WAF, ISP, and perimeter device logs for volumetric or coordinated inbound traffic

Detection direction

  • Validate whether DET0837-style botnet detection is operationalized in the environment, while noting that this ATT&CK object does not provide detection logic.
  • Correlate threat-intelligence indicators with DNS, proxy, firewall, mail, and DDoS telemetry; avoid relying on static IOCs alone because relay and ORB infrastructure can change quickly.
  • Tune detections around behavior consistent with botnet-enabled activity: sudden distributed traffic, high-volume phishing delivery patterns, or command-and-control paths hidden through proxy networks.
  • Separate likely false positives from normal cloud/VPS, CDN, VPN, and consumer ISP traffic by using business context, allowlists, baselines, and recent campaign intelligence.
  • Use ATT&CK relationship context carefully: Ke3chang, HAFNIUM, and APT5 are listed as using this technique, but that does not establish attribution for any local event.
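As an added illustration of the correlate-then-baseline approach in the bullets above (example code written for this page, not Glexia's or MITRE's tooling), the Python below enriches constructed flow records with constructed threat-intel context, suppresses an allowlisted business range, and flags a window where the count of distinct inbound sources jumps above a baseline even though none of those sources is a known indicator. All addresses are TEST-NET values and the infrastructure tags are assumptions.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Constructed threat-intel context (TEST-NET addresses, not real indicators):
# the value is the infrastructure type the intel attributes to the address.
TI_CONTEXT = {"203.0.113.7": "orb-soho-router", "203.0.113.9": "orb-vps",
              "198.51.100.22": "booter-stresser"}
# Constructed allowlist: business-owned CDN/VPN egress that would otherwise look like relay traffic.
ALLOWLIST = [ip_network("192.0.2.0/24")]

def allowlisted(ip):
    return any(ip_address(ip) in net for net in ALLOWLIST)

def enrich(flows):
    """Attach TI context to each flow; allowlisted peers are never enriched (false-positive control)."""
    hits = []
    for f in flows:
        peer = f["src"] if f["dir"] == "in" else f["dst"]
        if allowlisted(peer):
            continue
        tag = TI_CONTEXT.get(peer)
        if tag:
            hits.append({**f, "ti": tag})
    return hits

def distributed_spikes(flows, window=60, baseline=3, factor=3):
    """Flag windows whose count of distinct inbound sources exceeds factor x baseline.
    Behavioural check: catches a distributed burst even when no source is a known IOC."""
    srcs = defaultdict(set)
    for f in flows:
        if f["dir"] == "in" and not allowlisted(f["src"]):
            srcs[f["ts"] // window * window].add(f["src"])
    return {w: len(s) for w, s in srcs.items() if len(s) > baseline * factor}

# Constructed flow records: ts = epoch seconds, dir = "in"/"out" relative to the perimeter.
FLOWS = [{"ts": 0, "src": "192.0.2.10", "dst": "10.0.0.5", "dir": "in"},     # allowlisted CDN
         {"ts": 5, "src": "10.0.0.8", "dst": "203.0.113.9", "dir": "out"},   # outbound to ORB VPS
         {"ts": 20, "src": "203.0.113.7", "dst": "10.0.0.5", "dir": "in"}] + [
         {"ts": 100 + i, "src": f"198.51.100.{i}", "dst": "10.0.0.5", "dir": "in"}
         for i in range(12)]                                                 # 12 unknown sources

def run(flows=FLOWS):
    """Return both detection views so an analyst can see IOC hits beside behavioural spikes."""
    return {"ti_hits": enrich(flows), "spikes": distributed_spikes(flows)}
```

The twelve sources in the second window match no indicator, which is exactly the case the bullets warn about when relay infrastructure rotates faster than IOC feeds.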

Mitigation priorities

  • Prioritize M1056 Pre-compromise measures: reduce exposed attack surface, identify adversarial preparation signals, and make successful operations harder before intrusion begins.
  • Maintain an accurate inventory of internet-facing edge devices and related network appliances, with special attention to unsupported or end-of-life systems referenced by ATT&CK as commonly acquired for botnet activity.
  • Prepare DDoS response paths with providers, network teams, and crisis communications before an event, since botnet access can enable large-scale disruption.
  • Strengthen phishing resilience through email security controls, reporting workflows, and campaign-level monitoring, because acquired botnets may support large-scale phishing.
  • Ensure SOC playbooks connect threat intelligence, perimeter telemetry, mail telemetry, and incident response actions so botnet-linked infrastructure can be triaged quickly.

Analyst notes and limits

The object is a sub-technique of T1583 Acquire Infrastructure and describes adversary preparation rather than an on-host execution behavior. Its practical value is in validating whether the organization can detect and respond to botnet-enabled delivery, disruption, or proxy-based command-and-control activity. The relationship set includes one detection strategy, one pre-compromise mitigation, the parent technique, and three groups that use the technique; those relationships provide context but should not be treated as proof of local activity or attribution.

Official ATT&CK detection guidance is not provided for this object, and the platform is PRE, so visibility into the acquisition act itself is inherently limited. Local telemetry, provider logs, threat-intelligence quality, and asset inventory maturity will determine defensive value. This take does not claim active exploitation, guaranteed detection coverage, or organization-specific exposure.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID    | Name                   | Relationship / procedure
Enterprise | T1583 | Acquire Infrastructure | This object is a sub-technique of Acquire Infrastructure.
Associated objects

Groups, software, and campaigns

G0125: HAFNIUM (Group, Enterprise)

HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]

G1023: APT5 (Group, Enterprise)

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]

G0004: Ke3chang (Group, Enterprise)

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 2b1353d99f28f204...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.2            |          | Current bundle | 2b1353d99f28…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Norton Botnet. Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020.
  2. [2] ORB Mandiant. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
  3. [3] Imperva DDoS for Hire. Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020.
  4. [4] Krebs-Anna. Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.
  5. [5] Krebs-Bazaar. Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.
  6. [6] Krebs-Booter. Brian Krebs. (2016, October 27). Are the Days of “Booter” Services Numbered?. Retrieved May 15, 2017.
  7. [7] mitre-attack T1583.005.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.