T1583.005 Botnet
Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.5 Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service.
Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.6
With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).4321 Acquired botnets may also be used to support Command and Control activity, such as Hide Infrastructure through an established Proxy network.
| Item | Value |
|---|---|
| ID | T1583.005 |
| Sub-techniques | T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.2 |
| Created | 01 October 2020 |
| Last Modified | 24 October 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1023 | APT5 | APT5 has acquired a network of compromised systems – specifically an ORB (operational relay box) network – for follow on activities.6 |
| G0125 | HAFNIUM | HAFNIUM has incorporated leased devices into covert networks to obfuscate communications.7 |
| G0004 | Ke3chang | Ke3chang has utilized an ORB (operational relay box) network for reconnaissance and vulnerability exploitation.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
References
-
Brian Krebs. (2016, October 27). Are the Days of “Booter” Services Numbered?. Retrieved May 15, 2017. ↩
-
Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017. ↩
-
Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017. ↩
-
Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020. ↩
-
Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. ↩
-
Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024. ↩↩↩
-
Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025. ↩