TTPwire Vol. 1 · MITRE ATT&CK·Tagged

F5 Labs

2025 Advanced Persistent Bots Report

2025-03-28

ATT&CK techniques detected

22 predictions
T1090.002 External Proxy
92%
“the given geo-targeting and session constraints and instructs the peer to establish a tunnel to the targeted destination. step 4. through the established end-to-end connection, the bot performs a tls handshake with the targeted destination site and makes http requests over …”
T1584.005 Botnet
80%
“actors, whether they be nation state or organized crime, often change their behavior once security controls and other mitigation strategies are put in place. our research shows this is certainly true of bots and their operators. once bot defenses are activated bot operators often…”
T1090.002 External Proxy
76%
“iot devices and home routers, enabling bot operators to proxy their traffic through these compromised devices, leveraging the trusted home ip addresses to mask their activities. the basic process of building out and making use of a residential ip proxy network is shown in figure …”
T1090 Proxy
73%
“. probing a large network can reveal tens of millions of ips over long spans of time, but on any given day the reachable figure of even the largest networks is a few million at best, even with the most inclusive geo-targeting and ip rotation, a capacity that is nevertheless qui…”
T1090.002 External Proxy
72%
“addresses associated with spam, scanning, malware, botnets, or other malicious activities. these databases are continually updated, enabling defenders to block risky connections by source ip. security teams may also restrict connections based on ip geolocation. for example, a u. …”
T1583.005 Botnet
71%
“demand components of the proxylib ecosystem, monitoring both the proxyware and the traffic it transports as well as the distribution of proxy peers from the demand side. over time the ecosystem has been revealed as a veritable rat king with: - one beneficial entity that has deve…”
T1584.005 Botnet
65%
“2025 advanced persistent bots report executive summary in today’s digital landscape, bots dominate the internet, with some estimates suggesting they account for over 50% of all website and mobile api activity. beneficial bots support search engines, fulfill genuine business ne…”
T1090.002 External Proxy
63%
“. probing a large network can reveal tens of millions of ips over long spans of time, but on any given day the reachable figure of even the largest networks is a few million at best, even with the most inclusive geo-targeting and ip rotation, a capacity that is nevertheless qui…”
T1090.003 Multi-hop Proxy
57%
“iot devices and home routers, enabling bot operators to proxy their traffic through these compromised devices, leveraging the trusted home ip addresses to mask their activities. the basic process of building out and making use of a residential ip proxy network is shown in figure …”
T1189 Drive-by Compromise
56%
“used to transact on a website and app on whatever that site or app was designed for, e.g. placing bets on a gambling site, watching a tv show on a streaming app, sending and receiving money on a money transfer app etc.”
T1090.001 Internal Proxy
52%
“iot devices and home routers, enabling bot operators to proxy their traffic through these compromised devices, leveraging the trusted home ip addresses to mask their activities. the basic process of building out and making use of a residential ip proxy network is shown in figure …”
T1090.003 Multi-hop Proxy
52%
“the given geo-targeting and session constraints and instructs the peer to establish a tunnel to the targeted destination. step 4. through the established end-to-end connection, the bot performs a tls handshake with the targeted destination site and makes http requests over …”
T1090 Proxy
51%
“ecosystem. figure 21 provides an illustration of the varieties of supply and demand relationships we have observed in the residential proxy network ecosystem. network a is representative of a fully integrated network with its own supply and its own retail sales and branding. netw…”
T1090 Proxy
51%
“demand components of the proxylib ecosystem, monitoring both the proxyware and the traffic it transports as well as the distribution of proxy peers from the demand side. over time the ecosystem has been revealed as a veritable rat king with: - one beneficial entity that has deve…”
T1583.005 Botnet
51%
“2025 advanced persistent bots report executive summary in today’s digital landscape, bots dominate the internet, with some estimates suggesting they account for over 50% of all website and mobile api activity. beneficial bots support search engines, fulfill genuine business ne…”
T1090 Proxy
44%
“iot devices and home routers, enabling bot operators to proxy their traffic through these compromised devices, leveraging the trusted home ip addresses to mask their activities. the basic process of building out and making use of a residential ip proxy network is shown in figure …”
T1583.005 Botnet
44%
“##edential stuffing bots across all industries and platforms. a full half of all login traffic targeting mobile apis within the telecom sector originated from advanced automation sources. residential ip proxies have become a must-have for bot operators. by routing their traffic…”
T1090.002 External Proxy
38%
“ecosystem. figure 21 provides an illustration of the varieties of supply and demand relationships we have observed in the residential proxy network ecosystem. network a is representative of a fully integrated network with its own supply and its own retail sales and branding. netw…”
T1090.003 Multi-hop Proxy
37%
“. probing a large network can reveal tens of millions of ips over long spans of time, but on any given day the reachable figure of even the largest networks is a few million at best, even with the most inclusive geo-targeting and ip rotation, a capacity that is nevertheless qui…”
T1110.004 Credential Stuffing
33%
“. for web, three industries stood out as having a significantly larger proportion of basic credential stuffing attack: quick service retail (89.55%), state and local government (67.79%), and entertainment (60.75%). since threat actors rarely expend more effort than i…”
T1090.003 Multi-hop Proxy
31%
“ecosystem. figure 21 provides an illustration of the varieties of supply and demand relationships we have observed in the residential proxy network ecosystem. network a is representative of a fully integrated network with its own supply and its own retail sales and branding. netw…”
T1110.004 Credential Stuffing
31%
“##s for all industries and both platforms. an even 50% of all credential stuffing traffic aimed at mobile apis in the telecom’s industry were from advanced sophistication bots. for mobile, we observed the highest proportion of basic attacks were on healthcare, where 89.69% o…”

Summary

Uncovering the true scale of persistent bot activity, and the advanced techniques that bot operators use in order to remain hidden from bot defenses.