> series: anatomy_of_a_breach —— part: 014 —— target: 12,700,000_computers —— countries: 190 —— operators: 3_amateurs
In February 2010, Spain's Guardia Civil arrested three men in connection with the Mariposa botnet — a network of 12.7 million infected computers that spanned 190 countries and had compromised over half of the Fortune 1,000 companies and at least 40 major banks. The botnet's name, Spanish for 'butterfly', belied its destructive capability: Mariposa was used to steal banking credentials, launch denial-of-service attacks, and install additional malware including the Zeus banking trojan on victim machines.
But the most striking aspect of the Mariposa case was not the scale — it was the operators. Captain Cesar Lorenzana of the Guardia Civil described them as 'normal people who are earning a lot of money with cybercrime.' They had not written the malware themselves — they had purchased it from a Slovenian developer known as 'Iserdo' for as little as $500. Security researcher Brian Krebs noted that the operators did not have advanced hacking skills. They were, in modern parlance, script kiddies — and they controlled one of the largest botnets in history.
The Mariposa Working Group — a coalition of Panda Security, Canadian firm Defence Intelligence, the Georgia Tech Information Security Center, the FBI, and Spain's Guardia Civil — spent months infiltrating the botnet's command-and-control infrastructure. On 23 December 2009, the group seized control of the C2 servers and disabled the botnet.
The botnet operators fought back. The ringleader, known as 'Netkairo', bribed an employee at a Spanish domain registrar to regain control of the domains, then launched a denial-of-service attack against Defence Intelligence at 900 megabits per second — an attack so powerful it knocked out internet connectivity for an ISP's entire customer base, including several Canadian universities and government agencies. The Working Group regained control, and Netkairo made his fatal error: connecting directly from his home computer without using a VPN, exposing his real IP address.
Mariposa demonstrated that botnet infections can persist inside corporate networks — including Fortune 1,000 companies — without detection by anti-virus, IDS, or firewalls. The malware evolved every 48 hours, outpacing signature-based detection. This is exactly why SOC in a Box uses behavioural detection alongside signature matching — identifying the anomalous command-and-control communications, unusual network traffic patterns, and credential theft indicators that botnet infections produce.
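To make the behavioural point concrete, here is an added example (not code from this page or from any product it mentions) of the simplest form of C2 beacon detection: scoring how regular the gaps between a host's repeated connections to one destination are, independent of what the binary looks like. The flow records, IP addresses and port numbers below are constructed for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.5 calls home to 203.0.113.7:8080 roughly every 60 s (beacon-like);
# 10.0.0.9 talks to a web server at irregular intervals (normal browsing).
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "203.0.113.7", 8080),
    (61, "10.0.0.5", "203.0.113.7", 8080),
    (119, "10.0.0.5", "203.0.113.7", 8080),
    (181, "10.0.0.5", "203.0.113.7", 8080),
    (240, "10.0.0.5", "203.0.113.7", 8080),
    (299, "10.0.0.5", "203.0.113.7", 8080),
    (361, "10.0.0.5", "203.0.113.7", 8080),
    (420, "10.0.0.5", "203.0.113.7", 8080),
    (0, "10.0.0.9", "198.51.100.20", 443),
    (14, "10.0.0.9", "198.51.100.20", 443),
    (200, "10.0.0.9", "198.51.100.20", 443),
    (215, "10.0.0.9", "198.51.100.20", 443),
    (216, "10.0.0.9", "198.51.100.20", 443),
    (900, "10.0.0.9", "198.51.100.20", 443),
]


def detect_beacons(flows, min_connections=5, max_cv=0.2):
    """Return {(src, dst, dport): stats} for connection series whose timing
    is regular enough to look like C2 beaconing. Regularity is the
    coefficient of variation (stdev / mean) of the gaps between successive
    connections: a low value means fixed-interval call-home behaviour."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)

    flagged = {}
    for peer, stamps in by_peer.items():
        if len(stamps) < min_connections:
            continue  # too few observations to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection at the same instant: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[peer] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    print(detect_beacons(SAMPLE_FLOWS))  # only the 10.0.0.5 peer is flagged
```

Real beacons add jitter and sleep randomisation, so production detectors widen the window and combine timing with other features (byte-size consistency, destination reputation, process lineage); the thresholds here are deliberately simple.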
Our infrastructure penetration testing assesses whether your network's defences would detect and block botnet-style command-and-control traffic. Our vulnerability scanning identifies the unpatched systems and insecure configurations that botnets exploit for initial infection. And Cyber Essentials certification establishes the baseline controls — patching, access control, malware protection — that reduce botnet infection risk. For threat intelligence on active botnets targeting your sector, UK Cyber Defence provides the intelligence feeds that inform proactive defence.
If Fortune 1,000 companies and major banks had Mariposa infections without knowing it, the question for every organisation is not whether you could be infected — but whether you would know if you were. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring that detects botnet C2 communications. <a href="/penetration-testing/infrastructure">Penetration testing</a> validates your detection capabilities.