Subscribe to the Non-Human & AI Identity Journal
Home Glossary Cyber Security Relay botnet
Cyber Security

Relay botnet

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Cyber Security

A relay botnet is a network of compromised devices used to forward traffic, conceal origin, or provide infrastructure for criminal operations. Unlike noisy malware, relay botnets can remain hidden for long periods by blending into normal device communications and remote management patterns.

Expanded Definition

A relay botnet is less about visible destruction and more about covert infrastructure reuse. Compromised endpoints, servers, routers, or embedded devices are enrolled to relay traffic, proxy commands, mask source addresses, or stage criminal activity. The defining feature is not volume but plausibility: the traffic often resembles ordinary device chatter, remote administration, or legitimate service mediation. That makes relay botnets especially hard to separate from benign distributed systems unless telemetry is strong and baselined.

Definitions vary across vendors when the same infrastructure is used for proxying, spam delivery, credential abuse, or command-and-control support, so the term is often applied by function rather than by a single malware family. For security teams, the practical question is whether a device is being used as a transit point for someone else’s activity. In that sense, relay botnets sit at the intersection of endpoint compromise, network abuse, and identity abuse when stolen credentials or remote access tools are used to preserve persistence. NIST’s Cybersecurity Framework 2.0 is useful here because it emphasizes detecting abnormal activity, responding to incidents, and recovering affected assets without assuming that compromise will be immediately obvious. The most common misapplication is treating relay activity as routine proxying, which occurs when defenders fail to correlate traffic patterns with device ownership, authentication context, and repeated external destinations.

Examples and Use Cases

Implementing detection for relay botnets rigorously often introduces telemetry and privacy constraints, requiring organisations to weigh visibility into device communications against operational overhead and data handling limits.

  • A home router is hijacked and used as an exit point for spam or credential attacks, making the traffic appear to come from residential infrastructure rather than the attacker.
  • An IoT camera or gateway is repurposed as a proxy node so criminal traffic is distributed across many small devices instead of a single obvious server.
  • A compromised workstation runs a relay service that forwards remote access sessions, helping an intruder hide the true source of interactive activity.
  • A server enrolled into a botnet is used to relay API requests or scraping traffic, allowing the attacker to evade basic IP-based blocking and rate limits.
  • A device with stolen administrative credentials is maintained as a long-lived relay point because the attacker can re-enter through legitimate management channels.

The operational challenge is that each of these cases can look normal in isolation, so teams need baselines for egress destinations, session timing, and device roles. Guidance in MITRE ATT&CK is helpful for mapping how adversaries persist and move laterally, even though it is technique-oriented rather than definitional. For defenders, the key use case is not just blocking a malicious IP, but identifying the compromised asset that is carrying someone else’s traffic.

Why It Matters for Security Teams

Relay botnets matter because they turn ordinary assets into risk multipliers. A single compromised device can be used to evade geolocation controls, distribute malicious traffic, support phishing infrastructure, or obscure the origin of intrusion activity. That creates problems for incident response, fraud detection, and attribution, especially when defenders rely too heavily on source IP reputation. The issue also intersects with identity and access governance when attackers preserve relay access through valid accounts, remote administration tools, or weakly controlled service credentials.

Security teams need to think about relay botnets as a visibility problem and a trust problem at the same time. Network allowlists, asset inventories, and authentication logs all become more valuable when they are correlated rather than reviewed separately. For organisations managing non-human identities, the lesson extends to service accounts and automation: any credential that can launch persistent network activity can be abused to maintain relay infrastructure. A CISA advisory or similar threat bulletin often becomes relevant only after an outbreak, when blocked destinations are no longer enough and teams must identify every compromised relay node before the abuse can resume. Organisations typically encounter the full operational cost only after traffic abuse triggers customer complaints, law enforcement contact, or a widespread abuse listing, at which point relay botnet containment becomes unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0DE.CM-1Monitoring detects anomalous traffic that often exposes relay botnet activity.
OWASP Non-Human Identity Top 10Non-human credentials can be abused to keep relay services active and hidden.
NIST SP 800-63IAL2Identity proofing and session assurance help reduce abuse of access paths that enable relays.

Strengthen authentication assurance for administrative access that could be leveraged for botnet control.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org