Critical Infrastructure Caught in a Botnet

By: The Center for Internet Security® (CIS®) Countering Hybrid Threats (CHT) team

Published August 14, 2025

To facilitate malicious activity, cyber threat actors (CTAs) frequently leverage botnets, or networks of malware-infected devices, to automate and scale attacks and to provide anonymity, including when targeting U.S. critical infrastructure. Botnets are difficult to detect because individual bots are built to stay quiet and persistent on the infected device, and CTAs can use them to conduct large-scale cyber attacks, such as Distributed Denial of Service (DDoS) attacks and data theft, or to pre-position for future malicious activity. Based on observed recent and historic botnet activity, analysts at the Center for Internet Security® (CIS®) assess with moderate confidence that critical infrastructure sectors, including energy, water and wastewater systems (WWS), and telecommunications, will remain high-priority targets for state-sponsored, financially motivated, and ideologically motivated threat actors throughout 2025.

According to the U.S. Department of Justice (DOJ), state-sponsored threat actors will likely continue seeking opportunities to undermine the integrity and public confidence of vital services and attempt to establish footholds for disruptive future attacks via botnets. Opportunistic, financially motivated threat actors, such as ransomware groups, will likely continue targeting critical infrastructure sectors due to inherent vulnerabilities and challenges associated with updating legacy systems and devices, including routers and security cameras, that are no longer supported by the manufacturer, per ReliaQuest. Lastly, as noted by Cyble, ideologically motivated threat actors, such as hacktivists, will likely continue targeting sectors, including WWS, to undermine confidence in critical services and instill fear in targeted communities.

What Is a Botnet?

A botnet is a group of internet-connected devices infected with malware and remotely controlled by a CTA, or “bot herder”; a bot is a single infected device. Bots often remain undetected and are either put to malicious use immediately after infection or held in reserve for future attacks. CTAs use botnets to facilitate other malicious activity, such as DDoS attacks, data exfiltration, espionage, cryptocurrency mining, and phishing campaigns, among others. As shared by CyberScoop, CTAs also build botnets for commercial resale, enabling other threat actors to engage in malicious activity with little effort. Additionally, bots routinely scan networks for other devices with known vulnerabilities or weak credentials in order to compromise additional devices and grow the botnet.

Evolving History of Botnets

CTAs have relied on botnets to facilitate cyber attacks targeting critical infrastructure sectors for nearly a decade. The Mirai botnet, for example, was established in 2016 and originally targeted Internet of Things (IoT) devices. Mirai then used compromised IoT devices to target Programmable Logic Controllers (PLCs) operating hydroelectric power stations and solar farms, per Forescout. Mirai scans for IoT devices that still use factory default login credentials, typically over Telnet, granting threat actors easy access to the device with a common username and password. CTAs exploit the inherent challenges of properly maintaining the wide range of IoT devices, including outdated devices that no longer receive vendor patches. CTAs will likely continue leveraging botnets to target critical infrastructure due to the ease of access through misconfigured systems, the potential earnings from ransomware attacks, and in some cases, the appeal of causing service disruption to communities, as noted by Utility Dive.
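The default-credential scanning described above leaves a recognizable trace in device or honeypot authentication logs: one source failing logins against many different devices within seconds, using stock usernames, and occasionally succeeding. The following detector is an added example written for this post, not CIS tooling or code from any named vendor. It assumes a syslog-style line format that is constructed here for illustration, and the `DEFAULT_USERS` set is a small assumed subset of the usernames that appear in default-credential lists, not a complete one.

```python
"""Detect Mirai-style default-credential scanning in device authentication logs.

Added example; the log format below is constructed for this post:
    <timestamp> <host> login: <OK|FAILED> user=<u> from=<src_ip> port=<dport>
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanning source hitting several cameras/DVRs on
# Telnet ports and finally succeeding, plus one legitimate admin who
# mistypes a password twice on a single router over SSH.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z cam-01 login: FAILED user=root from=203.0.113.7 port=23
2025-08-01T10:00:02Z cam-02 login: FAILED user=admin from=203.0.113.7 port=23
2025-08-01T10:00:02Z cam-03 login: FAILED user=root from=203.0.113.7 port=2323
2025-08-01T10:00:03Z dvr-01 login: FAILED user=support from=203.0.113.7 port=23
2025-08-01T10:00:04Z dvr-02 login: FAILED user=root from=203.0.113.7 port=23
2025-08-01T10:00:05Z cam-04 login: OK user=root from=203.0.113.7 port=23
2025-08-01T10:05:00Z rtr-01 login: FAILED user=jsmith from=10.0.5.20 port=22
2025-08-01T10:05:09Z rtr-01 login: FAILED user=jsmith from=10.0.5.20 port=22
2025-08-01T10:05:20Z rtr-01 login: OK user=jsmith from=10.0.5.20 port=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+) port=(?P<port>\d+)$"
)

# Assumed subset of usernames commonly found in bot default-credential lists.
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service",
                 "supervisor", "ubnt", "administrator"}


def parse_events(log_text: str) -> list[dict]:
    """Parse lines in the constructed format into event dicts; skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["port"] = int(d["port"])
        events.append(d)
    return events


def find_scanners(events: list[dict], window: timedelta = timedelta(seconds=60),
                  min_failures: int = 4, min_hosts: int = 3) -> list[dict]:
    """Return one finding per source whose activity inside any `window` looks like
    credential scanning: >= min_failures failed logins spread across >= min_hosts
    distinct devices, at least one of them with a default-style username."""
    by_src: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(evs):
            # All events from this source that fall within `window` of `start`.
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed = [e for e in in_window if e["result"] == "FAILED"]
            hosts = {e["host"] for e in failed}
            default_users = {e["user"] for e in failed if e["user"].lower() in DEFAULT_USERS}
            if len(failed) >= min_failures and len(hosts) >= min_hosts and default_users:
                candidate = {
                    "src": src,
                    "window_start": start["ts"],
                    "failed_logins": len(failed),
                    "hosts_targeted": sorted(hosts),
                    "default_users": sorted(default_users),
                    # A success from a scanning source is the device to treat as
                    # compromised: Mirai logs in and then fetches its payload.
                    "successful_logins": sorted((e["host"], e["user"])
                                                for e in in_window if e["result"] == "OK"),
                }
                if best is None or candidate["failed_logins"] > best["failed_logins"]:
                    best = candidate
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_scanners(parse_events(SAMPLE_LOG)):
        print(f"{f['src']}: {f['failed_logins']} failures across {len(f['hosts_targeted'])} "
              f"hosts, default users {f['default_users']}, logged in to {f['successful_logins']}")
```

The thresholds are deliberately low so a single scanning burst surfaces; tune `min_hosts` and `window` to the size of the device estate, and treat any host in `successful_logins` as a containment priority rather than a password-reset ticket.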

Why Botnets Work

CTAs can deploy botnets against vulnerable IoT networks because numerous critical infrastructure sectors rely on poorly configured and legacy operational devices, explains ISS ESG. Legacy devices are more common in operational technology (OT) networks than in information technology (IT) because OT systems have long lifecycles and are often designed to operate for decades. These long lifecycles lead to outdated software and hardware that can contain known vulnerabilities, according to Claroty, making it easier for threat actors to gain initial unauthorized access and to control devices to grow their botnets. Many utilities rely on an extensive network of connected devices that monitor and control circuit breakers, as well as pumps for water, gas, and energy distribution, which can then be further accessed and exploited. The average age of energy sector infrastructure is approximately 40 years, as reported by Security Magazine, and 25% of energy facilities are more than 50 years old. According to Morningstar Sustainalytics, in 2022, 38% of the 445 utility companies participating in a study reported mismanaged and misconfigured cybersecurity controls, while only 19% had adequate security controls. In its 2023 study, the firm observed an improvement, with 27% of participants reporting mismanaged and misconfigured cybersecurity controls, but most facilities remained vulnerable to attack. As critical infrastructure sectors continue migrating to remote management to facilitate operations across technologies, devices will likely continue to be overlooked for patches, replacement, and proper configuration.

Significant Botnet Activity

2025 near record-breaking DDoS attack. In May 2025, a cybersecurity blog was targeted by, and subsequently reported on, a near record-breaking botnet DDoS attack peaking at 6.3 terabits per second (Tbps). Higher-bandwidth attacks give botnets significantly more impact and make victim downtime more likely. The attack lasted 45 seconds and appeared to be a test run for a new IoT botnet capable of conducting large-scale DDoS attacks, according to the blog. This attack shared techniques with Aisuru, which compromised a network of IoT devices, including routers, video recorders, and other internet-connected devices, via default passwords and known vulnerabilities. As reported by the cybersecurity blog, the threat actors behind the Aisuru botnet have advertised access to their botnet on Telegram, with subscription tiers ranging from $150 per day to $600 per week.

Botnet used to target an East Asian Internet Service Provider (ISP). In late October 2024, a large-scale DDoS attack using a Mirai-based botnet of 13,000 compromised devices reached 5.6 Tbps, compared to the previous record of 3.8 Tbps, wrote Bleeping Computer. The attack, which was record-breaking at the time, targeted an ISP in East Asia with the intent to disrupt services. Cloudflare reported the DDoS attack lasted 80 seconds but ultimately had no impact on the target.

Threat actors target legacy security cameras. In early October 2024, CTAs targeted legacy Edimax IP security cameras in order to enlist the devices in botnet attacks, as shared by Akamai. Edimax IoT devices are often used in commercial facilities and industrial environments, and malicious targeting of these devices was initially observed in May 2024. Attackers accessed the devices by exploiting an unpatched vulnerability and using default login credentials, allowing them to deliver variants of the Mirai botnet malware, per The Hacker News. There is currently no patch for this vulnerability, and organizations are encouraged to upgrade to a newer-model device, which can be challenging for sectors with limited resources.

State-Sponsored Threats

Chinese state-sponsored CTA leveraged botnet to target Cisco and Netgear routers. Volt Typhoon, a prolific botnet operator and People’s Republic of China (PRC) state-sponsored CTA, first emerged publicly in mid-2021 after Microsoft identified the group targeting various government, utilities, and other sectors, according to Ohio Capital Journal. The news organization reported that Volt Typhoon began using the KV-botnet to compromise vulnerable Cisco and Netgear routers two years after initial discovery. Volt Typhoon’s botnet-related attacks were disrupted in early 2024 when U.S. law enforcement removed the KV-botnet malware from hundreds of routers nationwide, but in September 2024, the group re-emerged by exploiting end-of-life Cisco and Netgear small office/home office (SOHO) routers as well as other IoT devices, per the U.S. DOJ and two separate reports from Bleeping Computer. According to SecurityScorecard’s STRIKE Team, Volt Typhoon compromised roughly 30% of all internet-exposed Cisco RV320/325 routers within the first 37 days of the September 2024 campaign. Volt Typhoon likely aims to pre-position compromised devices within U.S. critical infrastructure to establish an initial foothold for future disruptive or destructive cyber attacks. During a hearing in January 2024, FBI Director Christopher Wray told the U.S. House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party that Volt Typhoon was “the defining threat of our generation,” as quoted by Palo Alto Networks in its threat brief on the CTA.

Cloudflare explains that threat actors compromise these devices to form botnet infrastructure used in future malicious activity, including DDoS attacks. Threat actors often exploit routers for their botnets using malware compiled for the MIPS processors common in SOHO routers, and that malware communicates over standard ports, so the traffic blends in with legitimate activity and the infections are initially difficult to detect.

As a sophisticated state-sponsored threat actor, Volt Typhoon has consistently demonstrated the capability to evolve and expand its operations since emerging in mid-2021. CIS analysts assess that Volt Typhoon will likely continue to evolve its tactics and techniques to ensure persistent access to critical infrastructure within the United States.

Recommendations

CIS recommends organizations take the following steps to defend their networks from botnet-based attacks:

  • Follow CIS Benchmarks® for secure system configuration best practices.
  • Review and implement CIS Critical Security Control 12: Network Infrastructure Management, which focuses on preventing attacks on vulnerable network services and access points.
  • Segment networks, ensuring that all IoT devices are on a separate network from systems critical for daily operations.
  • The FBI recommends organizations identify and replace vulnerable end-of-life routers within their network. If replacement is not feasible, organizations should disable the vulnerable router’s remote administration settings.
  • Keep IoT device firmware up to date to reduce the chance of infection.
  • Review the CIS blog post, The Mirai Botnet – Threats and Mitigations.
  • Verify network devices are no longer using default passwords.
  • See below for indicators of compromise (IOCs).

Indicators of Compromise

Analysts compiled and vetted the following IOCs to help organizations defend against the risks assessed in this blog post, including IP addresses associated with malicious activity. Organizations should load these IOCs into their firewalls, DNS filtering, and SIEM watchlists so that matches are actively monitored, and should consider connecting to CIS’s real-time indicator feeds to receive the most up-to-date indicators for their defenses. Note that IP addresses tied to botnet infrastructure turn over quickly as bots and command-and-control hosts are cleaned up or replaced, so validate an IP match against current threat intelligence before blocking it outright; domain and hash indicators remain reliable for longer.

Aisuru Botnet-Related IOCs (Source: APNIC)

IP Addresses

  • 190.123.46[.]21
  • 190.123.46[.]55
  • 95.214.52[.]167
  • 162.220.163[.]14

Domains

  • xlabresearch[.]ru
  • xlabsecurity[.]ru
  • foxthreatnointel[.]africa

Hashes (SHA1)

  • 3c33aa8d1b962ec6a107897d80d34a5d0b99899e
  • 0339415f8f3e2b1eb6b24ed08c3a311210893a6e
  • 95c8073cc4d8b80ceddb8384977ddc7bbcb30d8c
  • 12fda6d480166d8e98294745de1cfdcf52dbfa41
  • 08b30f5ffa490e15fb3735d69545c67392ea24e9
  • c8b8bd5384eff0fe3a3a0af82c378f620b7dc625

Volt Typhoon-Related IOCs

IP Addresses

  • 45.32.174[.]131
  • 144.202.49[.]189

Mirai-Related IOCs

IP Addresses

  • 176.65.148[.]10
  • 176.65.144[.]253
  • 209.141.44[.]28
  • 51.38.137[.]114
  • 198.23.212[.]246
  • 194.50.16[.]15
  • 156.253.250[.]201

Domains

  • connect[.]antiwifi[.]dev
  • angela[.]spklove[.]com
  • cnc[.]merisprivate[.]net
  • bot[.]merisprivate[.]net

Hashes (SHA256)

  • f05247a2322e212513ee08b2e8513f4c764bde7b30831736dfc927097baf6714
  • 11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114
  • 75ad7e1857d39eb1554c75d1f52aa4c14318896a7aebbc1d10e673aee4c2ca36
  • c792ce87ba1b0dc37cf3d2d2b4ad3433395ae93e0f1ae9c1140d097d093c1457
  • 9f6bfe55961ae4b657dd1e7b3f488b49133cd2cd89d89d3f1052fc5d28287de6
  • 4244ef7ff56a2dab17f06c98131f61460ec9ca7eec6f7cb057d7e779c3079a65
  • 4d577320b4875fcd7e7e65aece5bd4e3040772e4030a0d671570fcc9337fab72
  • ba8d7017545747bc1bc609277af26a0c8c1fa92541c0290dd9d8570d59faca97
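The indicators above are published defanged (`[.]` in place of `.`) so they cannot be clicked by accident, which also means they will not match anything until refanged. The script below is an added example written for this post, not CIS tooling: it refangs the indicator lists above, builds a lookup keyed by family, and checks them against DNS, firewall, and file-hash data. The log lines and the file bytes it checks are constructed for illustration; the hash list here is a subset of the hashes printed above.

```python
"""Refang the defanged IOCs from this post and match them against log data.

Added example, not CIS tooling. Indicator values are copied from the lists
above; SAMPLE_LOG and the file bytes are constructed for illustration.
"""
import hashlib
import re

# Indicators as printed above, still defanged. Hashes are a subset.
DEFANGED = {
    "Aisuru": {
        "ip": ["190.123.46[.]21", "190.123.46[.]55", "95.214.52[.]167", "162.220.163[.]14"],
        "domain": ["xlabresearch[.]ru", "xlabsecurity[.]ru", "foxthreatnointel[.]africa"],
        "hash": ["3c33aa8d1b962ec6a107897d80d34a5d0b99899e",
                 "0339415f8f3e2b1eb6b24ed08c3a311210893a6e"],
    },
    "Volt Typhoon": {"ip": ["45.32.174[.]131", "144.202.49[.]189"]},
    "Mirai": {
        "ip": ["176.65.148[.]10", "176.65.144[.]253", "209.141.44[.]28", "51.38.137[.]114",
               "198.23.212[.]246", "194.50.16[.]15", "156.253.250[.]201"],
        "domain": ["connect[.]antiwifi[.]dev", "angela[.]spklove[.]com",
                   "cnc[.]merisprivate[.]net", "bot[.]merisprivate[.]net"],
        "hash": ["f05247a2322e212513ee08b2e8513f4c764bde7b30831736dfc927097baf6714",
                 "11c0447f524d0fcb3be2cd0fbd23eb2cc2045f374b70c9c029708a9f2f4a4114"],
    },
}

# Constructed log sample: DNS query log and firewall allow log, two benign lines.
SAMPLE_LOG = """\
2025-08-10T03:12:44Z dns client=10.0.3.14 query=cnc.merisprivate.net type=A
2025-08-10T03:12:45Z fw action=ALLOW src=10.0.3.14 dst=45.32.174.131 dport=443 proto=tcp
2025-08-10T03:13:01Z fw action=ALLOW src=10.0.3.15 dst=198.51.100.9 dport=80 proto=tcp
2025-08-10T03:14:10Z dns client=10.0.3.16 query=www.example.com type=A
2025-08-10T03:15:00Z dns client=10.0.3.14 query=update.xlabresearch.ru type=A
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(value: str) -> str:
    """Undo the common defanging conventions so indicators compare with real logs."""
    v = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", v)


def build_index(defanged: dict) -> dict:
    """Map each refanged indicator to its family, grouped by indicator type."""
    index = {"ip": {}, "domain": {}, "hash": {}}
    for family, kinds in defanged.items():
        for kind, values in kinds.items():
            for v in values:
                index[kind][refang(v)] = family
    return index


def domain_hit(host: str, domain_index: dict):
    """Exact or parent-domain match, so a new subdomain of a known C2 still fires."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domain_index:
            return candidate, domain_index[candidate]
    return None


def scan_log(lines: list[str], index: dict) -> list[tuple]:
    """Return (line_no, kind, value, family) for every indicator seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4.findall(line):
            if ip in index["ip"]:
                hits.append((n, "ip", ip, index["ip"][ip]))
        for host in HOST.findall(line):
            m = domain_hit(host, index["domain"])
            if m:
                hits.append((n, "domain", host, m[1]))
    return hits


def hash_hit(hexdigest: str, index: dict):
    """Case-insensitive lookup of a SHA1 or SHA256 hex digest."""
    return index["hash"].get(hexdigest.strip().lower())


def file_hit(data: bytes, index: dict):
    """Hash file bytes both ways, since the lists above mix SHA1 and SHA256."""
    for algo in ("sha1", "sha256"):
        family = hash_hit(hashlib.new(algo, data).hexdigest(), index)
        if family:
            return algo, family
    return None


if __name__ == "__main__":
    idx = build_index(DEFANGED)
    for hit in scan_log(SAMPLE_LOG.splitlines(), idx):
        print("line %d: %s %s -> %s" % hit)
```

The parent-domain check is the part worth keeping: bot herders rotate hostnames under a domain they control, so matching only the exact label printed in a report misses the next `cnc2.` or `update.` variant.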

Associated Common Vulnerabilities and Exposures (CVEs)

CVEs Known to Be Exploited by Volt Typhoon

  • CVE-2021-27860 — FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type
  • CVE-2021-40539 — Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
  • CVE-2022-42475 — Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability
  • CVE-2023-27997 — Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability
  • CVE-2024-39717 — Versa Director File Upload Vulnerability

Strengthen Your Defenses against Botnets and More

This blog post is just one of the ways CIS supports organizations with intelligence into threat actors like Volt Typhoon that blend techniques from the cyber, physical, and information operations domains. Our research is based on a briefing from ThreatWA™, a threat intelligence product which combines the insights from the law enforcement and security communities to provide actionable information and insights into multidimensional threats.

Ready to enhance your visibility of botnets and similar threats?

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.