Botnet Spotlight: Pressure rises on botnets — but the fight is far from over
Momentum is building in the fight against botnets, as network operators and law enforcement ramp up crackdowns on botnet infrastructure, malware, and bulletproof hosting providers. While major takedowns show progress, cybercriminals are still adapting — learn more in this latest edition of the Botnet Spotlight.
Pressure mounts on miscreants…
The second half of 2025 saw two encouraging developments: some operators of notoriously abused, legitimate networks started cracking down more effectively on botnet C&Cs on their platforms. Meanwhile, law enforcement increased pressure on first-stage malware such as Remote Access Trojans (RATs), as well as on bulletproof hosting providers. These efforts culminated in countermeasures such as another Operation Endgame season, and the takedown of CrazyRDP, a major bulletproof hoster physically located in the Netherlands.
Both phenomena combined mean fewer safe harbors for hosting botnet C&Cs (among other malicious infrastructure) and increasing abuse density at networks that continue to maintain a poor anti-abuse posture. By going after RATs, rather than focusing solely on follow-up malware, law enforcement efforts to curb cybercrime are more focused on the problem’s roots than on its symptoms.
Declines in live botnet controllers at networks such as huawei.com (-76%), tencent.com (-54%), alibaba-inc.com (-46%), amazon.com (-43%) and google.com (-41%) suggest abuse handling improvements, although more work needs to be done in the realm of abuse prevention at alibaba-inc.com and tencent.com, as indicated by an increase of newly observed botnet controllers (+16% and +14%, respectively).
… and those enabling them
As criminal demand for botnet controller hosting continues unabated, expect this situation to result in threat movements, rather than a lasting decline. Hosting providers already under siege (or deliberately turning a blind eye to abusive customers) may experience a further increase of botnet C&Cs on their networks. Such candidates may be contabo.de, digitalocean.com and colocrossing.com; all three networks already saw significant increases in live and newly observed botnet C&Cs from July to December 2025. We urge these networks’ abuse desks to take note, and step up their efforts significantly.
As for bulletproof hosters, while alternatives remain available to fill the void CrazyRDP’s departure caused, we assess most are physically based in Western jurisdictions (such as virtualine.org, as210558.net and simplecarrier.net). Their widespread adoption of a “separation of liabilities” modus operandi may indicate that rogue hosting providers are already facing increased pressure. Becoming responsible for an even greater abuse concentration makes them even more of a takedown target.
Law enforcement intervention, however, painted an incoherent picture in the second half of 2025: while the arrest of VenomRAT’s alleged developer is likely to cause a lasting decline of related botnet C&Cs, Latrodectus, a previous target of law enforcement intervention, resurfaced (see Botnet Threat Update Jul - Dec 2025: “Malware associated with botnet C&Cs” section), underscoring an old anti-abuse saying: takedowns without arrests merely result in smarter criminals.
Disappointments in the domain dimension
Finally, the aforementioned improvements are balanced by a deteriorated situation in the realm of botnet controller domains: July to December 2025 saw increases almost across the board, including disappointing news from a variety of Western domain registrars.
Defenders are thus left with a mixed threat landscape: if legitimate network operators and law enforcement continue tackling botnet C&C-related abuse effectively in 2026, protecting infrastructure with IP-based countermeasures may yield better results, as botnet controllers flock to internet areas already known for poor reputation. Simultaneously, however, a surge in botnet controller domains highlights the necessity of not relying on filtering botnet C&C traffic by IP alone.
With the Christmas break now over, we hope to see domain registrars and TLD operators waking up and doing their part to make life harder for botnet controller operators, contributing to a safer internet for everyone.
Read the full Botnet Threat Update July to December 2025.

