Hacked & Hijacked: 2025’s Largest Botnet Attack Targets Businesses
A large-scale botnet campaign has been intensifying since January 2025, posing a major cybersecurity threat to businesses worldwide. According to The Shadowserver Foundation, cybercriminals are leveraging a vast network of compromised devices—up to 2.8 million unique IP addresses daily—to launch brute-force attacks on web login interfaces of VPNs, firewalls, and other edge devices. These attacks target well-known vendors such as Palo Alto Networks, Ivanti, and SonicWall, aiming to breach security systems and gain unauthorized access to corporate networks.
The distribution of these attacking IPs is heavily concentrated in specific regions, with Brazil alone accounting for 1.1 million of the total compromised addresses. Other significant sources include Turkey, Russia, Argentina, Morocco, and Mexico, indicating a well-coordinated global operation. The devices being exploited are primarily routers and IoT equipment from manufacturers like MikroTik, Huawei, Cisco, Boa, and ZTE. These internet-exposed devices, often used for remote access, are being hijacked and weaponized, making detection and mitigation more challenging for businesses relying on secure network infrastructures.
Once compromised, these devices allow attackers to anonymize their malicious traffic, effectively masking their operations and making it difficult to trace back to the source. The hacked routers and IoT systems can also be used as launchpads for further cybercrimes, such as spreading malware, stealing sensitive business data, or executing DDoS attacks against corporate and government infrastructures. The scale and persistence of this botnet campaign highlight how vulnerable unsecured network devices remain in today’s cybersecurity landscape.
Authorities, including CISA (Cybersecurity and Infrastructure Security Agency), are closely monitoring the situation, working alongside organizations like The Shadowserver Foundation to assess the impact and guide businesses on how to defend against these attacks. Cybersecurity experts urge corporate IT teams to take immediate precautions, including enforcing strong passwords, enabling multi-factor authentication (MFA), applying firmware updates, and restricting remote access to minimize exposure.
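A defender-side illustration of why this campaign is hard to catch with per-IP lockouts alone: each compromised device tries only once or twice, so the signal is the number of distinct sources failing against a login interface in a short window, not the failure count from any one source. The script below is an added example and is not code from the article, Shadowserver, or any vendor. The `login src=... user=... result=...` line format, the sample addresses (documentation ranges) and the thresholds are all constructed assumptions; it parses the sample lines, runs a sliding window over the failures, and flags both the classic single-source pattern and the distributed, botnet-style pattern, plus any source that eventually succeeded after failing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "login" event format (not any vendor's
# real log syntax): one web-login attempt on an edge device per line.
SAMPLE_LOG = """\
2025-02-10T03:14:01Z login src=203.0.113.10 user=admin result=FAIL
2025-02-10T03:14:03Z login src=203.0.113.11 user=admin result=FAIL
2025-02-10T03:14:05Z login src=203.0.113.12 user=admin result=FAIL
2025-02-10T03:14:08Z login src=203.0.113.13 user=admin result=FAIL
2025-02-10T03:14:11Z login src=203.0.113.14 user=admin result=FAIL
2025-02-10T03:14:14Z login src=203.0.113.15 user=admin result=FAIL
2025-02-10T03:14:17Z login src=203.0.113.16 user=admin result=FAIL
2025-02-10T03:14:20Z login src=203.0.113.17 user=admin result=FAIL
2025-02-10T03:14:23Z login src=203.0.113.18 user=admin result=FAIL
2025-02-10T03:14:26Z login src=203.0.113.19 user=admin result=FAIL
2025-02-10T03:14:29Z login src=203.0.113.20 user=admin result=FAIL
2025-02-10T03:14:32Z login src=203.0.113.21 user=admin result=FAIL
2025-02-10T03:15:00Z login src=198.51.100.7 user=root result=FAIL
2025-02-10T03:15:02Z login src=198.51.100.7 user=root result=FAIL
2025-02-10T03:15:04Z login src=198.51.100.7 user=root result=FAIL
2025-02-10T03:15:06Z login src=198.51.100.7 user=root result=FAIL
2025-02-10T03:15:08Z login src=198.51.100.7 user=root result=FAIL
2025-02-10T03:15:10Z login src=198.51.100.7 user=root result=OK
2025-02-10T04:00:00Z login src=192.0.2.5 user=jdoe result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def analyze(events, window=timedelta(minutes=5), per_ip_threshold=5, distinct_ip_threshold=10):
    """Flag two brute-force shapes inside a sliding time window (thresholds are assumed):
    - single_source: one IP with >= per_ip_threshold failures (classic brute force)
    - distributed: >= distinct_ip_threshold different IPs failing, each staying
      under the per-IP lockout threshold (the botnet pattern)
    Also report any source that logged in successfully after failing."""
    fails = sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"])
    single_source = set()
    distributed = False
    peak_distinct = 0
    in_window = defaultdict(int)   # src ip -> failures currently inside the window
    start = 0
    for ev in fails:
        in_window[ev["src"]] += 1
        # Evict failures older than the window from the front of the sorted list.
        while fails[start]["ts"] < ev["ts"] - window:
            old = fails[start]["src"]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        if in_window[ev["src"]] >= per_ip_threshold:
            single_source.add(ev["src"])
        peak_distinct = max(peak_distinct, len(in_window))
        if len(in_window) >= distinct_ip_threshold:
            distributed = True
    failed_ips = {e["src"] for e in fails}
    success_after_failure = sorted(
        {(e["src"], e["user"]) for e in events if e["result"] == "OK" and e["src"] in failed_ips}
    )
    return {
        "single_source": sorted(single_source),
        "distributed": distributed,
        "peak_distinct_sources": peak_distinct,
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    print(analyze(parse(SAMPLE_LOG)))
```

On the sample input the twelve `203.0.113.x` sources fail once each, so a per-IP lockout never triggers for them, yet the window holds thirteen distinct failing sources and the distributed flag fires; the `198.51.100.7` source is caught by the per-IP rule and is additionally reported because it later logged in. In practice the window and thresholds should be tuned to the device's normal login volume, and a successful login following failures from the same source is the alert to act on first.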
This ongoing surge in botnet activity serves as a critical warning for businesses that securing edge devices must be a top priority. As cybercriminals refine their tactics, companies must take a proactive stance by strengthening their cyber defenses, implementing strict security policies, and staying ahead of the evolving threat landscape to avoid becoming the next victim of 2025’s largest botnet attack.