Botnets

The Botnets tab provides a structured view of devices compromised through stealer malware and botnet infections. Instead of abstract alerts, it delivers concrete forensic evidence for every infected endpoint. Each row in the table represents a specific compromised machine, enabling security teams to quickly identify affected assets, assess impact, and initiate remediation.

Unlike traditional monitoring platforms that only rely on public breach dumps, AttackMetricx takes a proactive intelligence approach. Our system collects, acquires, and even purchases data directly from attackers and underground markets including botnet panels and stealer malware operators. This guarantees that customers see real, raw, and exclusive evidence that is not available in public datasets.

Importantly, these machines are not limited to the organization’s assets. In many cases, they belong to customers or third parties, but still contain corporate-related data (e.g., stolen login credentials). AttackMetricx ensures such exposures are visible so teams can respond before attackers weaponize them.

Detailed Column Breakdown

  • Computer Name – Hostname of the infected device at the moment of compromise, mapped to internal assets.

  • IP Address – Public IP address of the device, useful for geolocation, attribution, and regional trend analysis.

  • Operating System – Exact OS version compromised (e.g., Windows 10 Pro [x64]), helping prioritize patching and endpoint security.

  • User Name – Logged-in account name, supporting account-level attribution and remediation.

  • Antivirus – Presence and status of endpoint protection (On, Off, or N/A), highlighting whether defenses were bypassed or disabled.

  • Compromised Date – Timestamp of the initial infection, critical for forensic timelines and attack vector identification.

  • Screenshot – Indicator if visual evidence was captured, often exposing sensitive applications or documents.

  • Status – Indicates the current state of the incident:

    • Resolved → The case has been investigated, mitigated (e.g., credential reset, system cleanup), and officially closed.

    • Not Resolved → The exposure is still active and requires action.

  • Notes – Each record allows analysts to add contextual notes directly within the incident.

Detailed Records

To gain full visibility into the incident, users can expand any record by clicking the >> icon on the right side of the row.

In the image above you can see:

Mark As Resolved

What it is:

A button that changes the status of an incident from Not Resolved to Resolved.

Why it matters:

It provides visibility into which cases are closed, keeps the dashboard organized, and ensures reports show an accurate reflection of remediation progress.

Example:

After cleaning a compromised device and resetting exposed accounts, the analyst clicks Mark As Resolved so the case moves into the resolved list.

In the image below you can see that this action opens a detailed device profile, which includes:

Device Information

What it is:

A section that presents the main identifiers and technical details of the compromised device.

Information Provided:

  • Device Name

    The hostname of the machine. Used to identify the device within the organization’s asset inventory or Active Directory.

  • IP Address

    The network address seen during the compromise. Helps trace where the device was connected and supports correlation with firewall or SIEM logs.

  • Country

    The geographic location derived from the IP address. Indicates where the compromised device is operating from, which may reveal suspicious or unusual access regions.

  • Operating System

    The exact OS version and build running on the endpoint. Important for vulnerability assessment, since some threats exploit specific OS versions.

  • Compromised

    The timestamp showing when the system was confirmed compromised. Useful for incident timeline building and cross-checking with other security alerts.

  • User Name

    The account logged into the device at the time of compromise. Helps determine the user’s role and privileges (standard vs. administrator).

  • Antivirus

    Displays the security solution active on the machine. Indicates whether an antivirus was present and if it was bypassed or ineffective.

Why it matters:

This information provides the foundation for understanding which device was affected, where it is located, and how well it was protected. It guides both the technical response (patching, cleaning, isolating the device) and the organizational response (notifying the right user or department).

Credit Cards

What it is:

This section highlights any payment card information exposed during the compromise. If the malware captured financial data, the card details will be displayed here.

Information Provided:

  • Card Number – The unique identifier of the credit card account, often used in financial transactions.

  • Card Holder Name – The name of the individual associated with the card.

  • Expiration Date – Indicates the validity period of the card.

  • CVV – The security code required for online or card-not-present purchases.

Why it matters:

Leaked credit card data represents a high-risk exposure. Having this information displayed helps analysts quickly verify if sensitive financial details were stolen, so affected users can be notified, cards can be blocked, and fraud prevention measures can be activated.

Directory List

What it is:

This section provides direct access to the files and folders that were exfiltrated from the compromised device. Analysts can not only see the list of collected data but also open and download the files for deeper forensic analysis.

Information Provided (examples of possible content):

  • Clipboard data – Text captured from the user’s clipboard (e.g., passwords, tokens, or sensitive copy-paste data).

  • System reports – Files containing device configuration, OS version, and hardware information.

  • Browser folders (Chrome, Firefox, Edge) – Directories holding cached sessions, saved credentials, and browsing history.

  • Cookies – Authentication cookies that could allow attackers to reuse valid sessions.

  • Password dumps – Files such as all_passwords.txt containing extracted login credentials.

  • Brute-force logs – Lists of cracked or attempted passwords.

  • Software inventories – Lists of installed applications, helping attackers identify potential weaknesses.

Download Option:

A download button in the top-right corner allows analysts to export the entire set of stolen files for offline review or forensic archiving.

Why it matters:

Having both visibility and download capability ensures analysts can validate what data was taken, perform deeper investigations, and preserve evidence for incident reports or legal actions. It turns the Directory List into a practical tool for both threat assessment and forensic workflows.

Screenshots

What it is:

This section displays any desktop screenshots that the malware captured from the compromised device. If no screenshots were taken, the panel will indicate it (e.g., No Screenshot Found).

Information Provided:

  • Captured Screens – Images showing the user’s active desktop or applications at the time of compromise.

  • Contextual Evidence – Can reveal what the victim was doing (e.g., logged-in sessions, email inbox, online banking, internal systems).

  • Status Message – If no screenshots exist for this case, the system clearly states that none were found.

Download Option:

When screenshots are available, analysts can view them directly in the dashboard or download them for forensic storage and investigation.

Why it matters:

Screenshots provide strong visual evidence of compromise, confirming what the attacker could see and access. This helps in validating data exposure, assessing risk, and documenting the impact for incident response reports.

Path

What it is:

This section shows the exact file path where the malicious payload was executed on the compromised device. It reveals how and where the malware was introduced into the system.

Information Provided:

  • File Location – The full directory path on the endpoint, including user folders and subdirectories.

  • Executable Name – The specific malware file (e.g., set-up.exe) that ran during compromise.

  • Suspicious Indicators – Paths often include misleading names, unusual characters, or disguised executables that imitate legitimate files.

Why it matters:

Knowing the file path helps analysts understand the infection vector, confirm which user environment was targeted, and determine whether persistence mechanisms were created. It also provides guidance for remediation steps such as removing residual files, scanning the directory, or blocking similar paths across other endpoints.

Copy Option:

The copy-to-clipboard icon allows analysts to quickly copy the path for further investigation in forensic tools or endpoint queries.

Credentials Found

What it is:

This section lists all the credentials (usernames, emails, passwords) that were exposed during the compromise. It shows both the account details and the associated metadata, giving analysts full visibility into stolen access data.

Introduction:

At the top of this section, the dashboard displays a counter (e.g., Credentials Found: 1). This number represents the credentials directly linked to your organization that were identified in the breach.

  • The Search bar allows analysts to quickly filter results by URL, email, or password.

  • The Export button on the right enables downloading the full list of credentials for offline investigation, reporting, or integration with password reset workflows.

  • On the right, the Get All Victim Credentials button can be used to fetch all discovered credentials, not only those tied to your organization, giving broader visibility into leaked data.

Information Provided:

  • URL – The website or application where the stolen credentials were used.

  • Email – The account identifier captured by the malware.

  • Password – The exact password value that was extracted.

  • Password Strength – An evaluation (Weak, Medium, Strong) of the stolen password.

  • Breach Date – When the credential was originally compromised.

  • Detection Date – When it was identified by the system.

Why it matters:

Exposed credentials are one of the most critical data points for incident response. They indicate potential unauthorized access to systems, accounts, or applications. This section allows organizations to identify affected accounts quickly, reset compromised passwords, enforce MFA, and prevent credential stuffing attacks.

Field Details:

  • URL – Shows the website, platform, or online service where the stolen credential was used. This helps analysts know which applications or systems are directly at risk (e.g., online banking, email, cloud services).

  • Email – The email address or username tied to the account. It identifies which user in your organization (or customer base) was exposed, allowing faster response such as notifying the individual or forcing a password reset.

  • Password – The actual password value that was captured. Having visibility on the exact password helps confirm whether it was weak, reused, or if it matches internal password policies.

  • Password Strength – A system-generated evaluation of how secure the exposed password is.

    • Weak → Short, common, or easily guessable passwords (e.g., "123456").

    • Medium → Better complexity but still vulnerable (e.g., dictionary words or patterns).

    • Strong → Complex passwords with a mix of letters, numbers, and symbols.

      This metric allows teams to prioritize weak/reused credentials for immediate action.

  • Breach Date – The date when the credential was originally stolen or leaked in the wild. Knowing this helps analysts understand how long the account has potentially been exposed.

  • Detection Date – The date when the platform identified and logged the compromised credential. It shows how recent the discovery was and helps track detection timelines for reporting and auditing.
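As an added example (not code from AttackMetricx), the following script shows how an analyst might act on an exported Credentials Found list: it assigns each password to the Weak / Medium / Strong tiers described above, computes the exposure window from Breach Date to Detection Date, and orders the rows so the weakest and longest-exposed credentials are reset first. The sample rows, the common-password list and the strength rules are constructed assumptions; the platform's own scoring is not published here.

```python
from datetime import date

# Constructed sample rows in the shape of the Credentials Found table
# (URL, Email, Password, Breach Date, Detection Date); not real data.
SAMPLE_CREDENTIALS = [
    {"url": "https://mail.example.com", "email": "alice@example.com",
     "password": "123456", "breach_date": "2024-01-10",
     "detection_date": "2024-03-01"},
    {"url": "https://vpn.example.com", "email": "bob@example.com",
     "password": "Summer2023", "breach_date": "2024-02-20",
     "detection_date": "2024-02-22"},
    {"url": "https://portal.example.com", "email": "carol@example.com",
     "password": "x7#Qp!2vLm9@Zr", "breach_date": "2024-02-28",
     "detection_date": "2024-03-01"},
]

# Small constructed list standing in for a common-password dictionary.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "111111"}


def password_strength(pw: str) -> str:
    """Map a password to the Weak / Medium / Strong tiers.

    This is an assumed approximation of the tiers the docs describe,
    not the platform's own scoring.
    """
    if len(pw) < 8 or pw.lower() in COMMON_PASSWORDS:
        return "Weak"
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    # Strong requires length and all four character classes; anything
    # else above the Weak bar (e.g. a seasonal word plus a year) is Medium.
    if len(pw) >= 12 and classes == 4:
        return "Strong"
    return "Medium"


def exposure_days(breach_date: str, detection_date: str) -> int:
    """Days between the credential being stolen and the platform logging it."""
    return (date.fromisoformat(detection_date) - date.fromisoformat(breach_date)).days


RANK = {"Weak": 0, "Medium": 1, "Strong": 2}


def triage(credentials):
    """Return rows annotated with strength and exposure window, weakest and
    longest-exposed first, so reset/MFA actions start with the worst cases."""
    rows = []
    for c in credentials:
        rows.append({
            **c,
            "strength": password_strength(c["password"]),
            "exposure_days": exposure_days(c["breach_date"], c["detection_date"]),
        })
    return sorted(rows, key=lambda r: (RANK[r["strength"]], -r["exposure_days"]))


if __name__ == "__main__":
    for r in triage(SAMPLE_CREDENTIALS):
        print(f'{r["email"]:20} {r["strength"]:7} exposed {r["exposure_days"]:3d} days  {r["url"]}')
```

The exposure window is the number that usually drives the decision to force a reset rather than just notify: a weak password that sat in a stealer log for weeks has very likely already been tried against the URL shown in the row.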

At the top of the interface, analysts are presented with quick-access filters that categorize all findings based on their review and resolution status. These options allow security teams to instantly identify which cases are new, which have already been checked, and which remain unresolved.

By structuring the data this way, the dashboard ensures that investigations remain organized, reduces the risk of overlooking active infections, and helps prioritize remediation efforts effectively.

Top-Level Views

Located directly above the botnet records table, these quick filters categorize incidents based on review and resolution status.

  • All

    Shows all botnet infection records regardless of status.

    Example: Displays all 39 detected infections in one view.

  • Viewed

    Shows cases that were already opened or checked by analysts.

    Example: 2 devices have been looked at by the team.

  • Not Viewed

    Highlights infections that no one has reviewed yet.

    Example: 37 devices still require initial investigation.

  • Resolved

    Lists infections marked as fully closed after remediation.

    Example: None are Resolved, meaning no cases have been closed.

  • Not Resolved

    Shows active infections that are pending action.

    Example: All 39 infections are still open.

This segmentation ensures that no incident is overlooked, while also highlighting open exposures that still require remediation.

Search Bar & Export

These options are located to the right above the table.

  • Search Bar

    Allows keyword search across IPs, usernames, OS, or other attributes.

    Example: Searching for Windows 10 Pro instantly filters relevant devices.

  • Export Button

    One-click export of filtered results for reporting or offline analysis.

    Example: Analysts export the Not Viewed (37) list for team review.

Group By Computer

What it is:

A feature that consolidates all botnet infection records belonging to the same endpoint into a single, unified view. Instead of showing every compromise as a separate row, the system groups them under the device they originated from.

Information Provided:

  • Computer Name – Shows the hostname to easily identify the device.

  • IP Address – The external IP linked to the device during compromise.

  • Operating System – The OS version installed on the endpoint.

  • User Name – The logged-in user associated with the compromise.

  • Antivirus – Displays whether an antivirus was present and its status.

  • # of Devices – Indicates how many compromise events were aggregated under this device.

  • First Seen / Last Seen – Timeline showing when the infection was first detected and the most recent activity.

  • Compromised Timeline – A visual timeline of compromise events, shown when a device record is expanded (by clicking Show on the right side of the row in Group By Computer). The timeline is presented as a graph, making it easy to see when the same username and password pair reappears across multiple breaches. Analysts can instantly recognize persistence, repeated exposures, and peaks of underground activity, rather than scanning through static lists.

Why it matters:

This feature helps analysts quickly determine if a device was compromised once or multiple times. By showing first seen and last seen timestamps, it highlights persistence, re-infections, and the duration of exposure. Instead of scrolling through many duplicate entries, the timeline condenses all events into a clear sequence.
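The aggregation behind Group By Computer, as an added example that is not the platform's own code: per-event rows are collapsed into one entry per hostname with the event count, First Seen / Last Seen, an ordered timeline for the graph, and the username/password pairs that reappear across events. The sample rows, hostnames and addresses are constructed; the rule that the latest event supplies IP, user and antivirus status is an assumption.

```python
from collections import defaultdict

# Constructed sample of Botnets-tab rows for two endpoints; not real data.
# Each row is one compromise event with the credential it exposed.
SAMPLE_RECORDS = [
    {"computer": "WS-0142", "ip": "203.0.113.10", "os": "Windows 10 Pro [x64]",
     "user": "jdoe", "antivirus": "Off", "compromised": "2024-02-14",
     "credential": ("jdoe@example.com", "Winter2023!")},
    {"computer": "WS-0142", "ip": "203.0.113.10", "os": "Windows 10 Pro [x64]",
     "user": "jdoe", "antivirus": "Off", "compromised": "2024-01-05",
     "credential": ("jdoe@example.com", "Winter2023!")},
    {"computer": "WS-0142", "ip": "203.0.113.11", "os": "Windows 10 Pro [x64]",
     "user": "jdoe", "antivirus": "On", "compromised": "2024-03-02",
     "credential": ("jdoe@example.com", "Spring2024!")},
    {"computer": "LT-0077", "ip": "198.51.100.7", "os": "Windows 11 Pro [x64]",
     "user": "asmith", "antivirus": "N/A", "compromised": "2024-02-01",
     "credential": ("asmith@example.com", "pass1234")},
]


def group_by_computer(records):
    """Collapse per-event rows into one entry per hostname, as the Group By
    Computer view does: event count, First Seen / Last Seen, and an ordered
    timeline of events for the graph."""
    groups = {}
    # ISO dates sort lexicographically, so this orders events chronologically.
    for r in sorted(records, key=lambda row: row["compromised"]):
        g = groups.get(r["computer"])
        if g is None:
            g = groups[r["computer"]] = {
                "computer": r["computer"], "os": r["os"],
                "events": 0, "first_seen": r["compromised"],
                "last_seen": r["compromised"], "timeline": [],
                "pair_counts": defaultdict(int),
            }
        # Assumption: the latest event wins for fields that can change
        # between infections (external IP, logged-in user, AV status).
        g["ip"], g["user"], g["antivirus"] = r["ip"], r["user"], r["antivirus"]
        g["events"] += 1
        g["last_seen"] = r["compromised"]
        g["timeline"].append((r["compromised"], r["credential"][0]))
        g["pair_counts"][r["credential"]] += 1
    return groups


def reappearing_pairs(group):
    """Username/password pairs seen in more than one compromise event on the
    same device: the repeat exposures the timeline graph is meant to surface."""
    return [pair for pair, n in group["pair_counts"].items() if n > 1]


if __name__ == "__main__":
    for name, g in group_by_computer(SAMPLE_RECORDS).items():
        print(f'{name}: {g["events"]} events, {g["first_seen"]} -> {g["last_seen"]}, '
              f'repeated pairs: {reappearing_pairs(g)}')
```

A pair that reappears after the device's first compromise date is the signal to look for: it means the credential was either never rotated or was re-captured after a reset, both of which point at persistence rather than a one-off infection.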

Filters Tab

Located directly above the table headers, these dropdown filters refine results.

Status

Filters records by their investigation stage:

  • New – Refers to botnet cases that have been detected for the first time and have not yet been reviewed by analysts. These are fresh infections requiring immediate attention.

  • Conventional – Refers to cases that have already been categorized and are in the standard investigation process. They are not brand-new, but they still require analysis or follow-up.

Example: Selecting New shows infections that were just reported and still need triage.


Compromised Date

Filters records based on the timeframe when the compromise occurred:

  • Last Week – Shows infections detected within the past 7 days.

  • Last Month – Shows infections detected within the past 30 days.

  • Last Year – Shows infections detected in the past 12 months.

  • More than a Year – Lists older infections, useful for identifying long-term exposures.

Example: Filtering Last Month highlights devices compromised in the past 30 days.
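The Compromised Date filter expressed as code, as an added example rather than the platform's implementation: records are bucketed by age against a fixed reference day, with the three rolling windows treated as cumulative (Last Month includes Last Week) and More than a Year covering everything older. The reference date, the sample dates and the inclusive boundaries are assumptions made so the example is deterministic.

```python
from datetime import date

# Fixed reference day so the example is deterministic (an assumption; the
# dashboard uses the current date).
TODAY = date(2024, 3, 15)

# Constructed Compromised Date values; not real data.
SAMPLE_DATES = [
    {"computer": "WS-0001", "compromised": date(2024, 3, 12)},   # 3 days ago
    {"computer": "WS-0002", "compromised": date(2024, 3, 8)},    # exactly 7 days
    {"computer": "WS-0003", "compromised": date(2024, 2, 20)},   # 24 days
    {"computer": "WS-0004", "compromised": date(2023, 6, 1)},    # 288 days
    {"computer": "WS-0005", "compromised": date(2022, 11, 30)},  # well over a year
]

# Assumed inclusive windows for the three rolling filters.
WINDOW_DAYS = {"Last Week": 7, "Last Month": 30, "Last Year": 365}


def age_in_days(compromised: date, today: date = TODAY) -> int:
    # A future-dated record (clock skew on the infected host or the panel)
    # is treated as happening today rather than producing a negative age.
    return max(0, (today - compromised).days)


def filter_by_window(records, window: str, today: date = TODAY):
    """Apply one Compromised Date filter. The rolling windows are cumulative
    (Last Month includes Last Week); More than a Year is everything older."""
    if window == "More than a Year":
        return [r for r in records if age_in_days(r["compromised"], today) > 365]
    limit = WINDOW_DAYS[window]
    return [r for r in records if age_in_days(r["compromised"], today) <= limit]


def bucket_counts(records, today: date = TODAY):
    """Count records per filter label, e.g. to spot long-term exposures."""
    return {w: len(filter_by_window(records, w, today))
            for w in list(WINDOW_DAYS) + ["More than a Year"]}


if __name__ == "__main__":
    print(bucket_counts(SAMPLE_DATES))
```

The future-date guard matters in practice: stealer logs carry the timestamp of the infected machine, and a wrong clock on the victim would otherwise make a fresh infection vanish from every rolling window.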


Computer Systems

Narrows results down to specific operating systems:

  • Displays OS details such as Windows 10 Pro, Windows 10 Home, Windows 11 Pro, etc.

  • Helps analysts identify whether certain platforms are more vulnerable or more frequently infected.

Example: Analysts use this filter to check if Windows 10 Pro devices are consistently showing higher infection rates.


More

Expands filtering options to additional attributes:

  • IP Address – Refines results by network location, allowing analysts to track infections tied to specific subnets or regions.

  • Antivirus – Shows which antivirus software was installed on the compromised machine, and whether it was bypassed.

  • Screenshot – Displays devices where visual evidence of compromise (such as desktop screenshots) was collected.

Example: Selecting Antivirus: Windows Defender helps identify infections that successfully bypassed Microsoft’s built-in protection.
