MITRE ATT&CK Technique
Description
Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. Internet-facing edge devices and related network appliances that are end-of-life (EOL) and unsupported by their manufacturers are commonly acquired for botnet activities. Adversaries may lease operational relay box (ORB) networks – consisting of virtual private servers (VPS), small office/home office (SOHO) routers, or Internet of Things (IoT) devices – to serve as a botnet.(Citation: ORB Mandiant) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) Acquired botnets may also be used to support Command and Control activity, such as [Hide Infrastructure](https://attack.mitre.org/techniques/T1665) through an established [Proxy](https://attack.mitre.org/techniques/T1090) network.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:49:05.467Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may buy, lease, or rent a network of compromised '
'systems\xa0that can be used during targeting. A botnet is a '
'network of compromised systems that can be instructed to '
'perform coordinated tasks.(Citation: Norton Botnet) '
'Adversaries may purchase a subscription to use an existing '
'botnet from a booter/stresser service. \n'
'\n'
'Internet-facing edge devices and related network appliances '
'that are end-of-life (EOL) and unsupported by their '
'manufacturers are commonly acquired for botnet activities. '
'Adversaries may lease operational relay box (ORB) networks – '
'consisting of virtual private servers (VPS), small '
'office/home office (SOHO) routers, or Internet of Things '
'(IoT) devices – to serve as a botnet.(Citation: ORB '
'Mandiant) \n'
'\n'
'With a botnet at their disposal, adversaries may perform '
'follow-on activity such as large-scale '
'[Phishing](https://attack.mitre.org/techniques/T1566) or '
'Distributed Denial of Service (DDoS).(Citation: Imperva DDoS '
'for Hire)(Citation: Krebs-Anna)(Citation: '
'Krebs-Bazaar)(Citation: Krebs-Booter) Acquired botnets may '
'also be used to support Command and Control activity, such as '
'[Hide '
'Infrastructure](https://attack.mitre.org/techniques/T1665) '
'through an established '
'[Proxy](https://attack.mitre.org/techniques/T1090) network.\n'
'\n',
'external_references': [{'external_id': 'T1583.005',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1583/005'},
{'description': 'Brian Krebs. (2016, October 27). Are '
'the Days of “Booter” Services '
'Numbered?. Retrieved May 15, 2017.',
'source_name': 'Krebs-Booter',
'url': 'https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/'},
{'description': 'Brian Krebs. (2016, October 31). '
'Hackforums Shutters Booter Service '
'Bazaar. Retrieved May 15, 2017.',
'source_name': 'Krebs-Bazaar',
'url': 'https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/'},
{'description': 'Brian Krebs. (2017, January 18). Who '
'is Anna-Senpai, the Mirai Worm '
'Author?. Retrieved May 15, 2017.',
'source_name': 'Krebs-Anna',
'url': 'https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/'},
{'description': 'Imperva. (n.d.). Booters, Stressers '
'and DDoSers. Retrieved October 4, '
'2020.',
'source_name': 'Imperva DDoS for Hire',
'url': 'https://www.imperva.com/learn/ddos/booters-stressers-ddosers/'},
{'description': 'Norton. (n.d.). What is a botnet?. '
'Retrieved October 4, 2020.',
'source_name': 'Norton Botnet',
'url': 'https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html'},
{'description': 'Raggi, Michael. (2024, May 22). IOC '
'Extinction? China-Nexus Cyber '
'Espionage Actors Use ORB Networks to '
'Raise Cost on Defenders. Retrieved '
'July 8, 2024.',
'source_name': 'ORB Mandiant',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks'}],
'id': 'attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:36.255Z',
'name': 'Botnet',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.2'}