The Spamhaus Project

Spamhaus CERT Insight Portal: Enhanced botnet C&C intelligence

by Matt Stith | June 14, 2026 | 4 minutes reading time

Introduction

In 2025, botnet command & controller (C&C) activity detected by Spamhaus increased 56% - a stark reminder that the botnet threat landscape is evolving faster than ever. More than 100 Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) already rely on Spamhaus data to help remediate malware infections in their countries. Today, we’re giving them even more data to work with.

The Spamhaus CERT Insight Portal has been updated with enriched threat intelligence and improved capabilities to help national and regional security teams take action against botnet C&Cs.

What is Spamhaus CERT Insight Portal?

For those unfamiliar with the portal, it is a free tool available to government-funded national or regional CERTs and CSIRTs. Through the portal, security teams can access free data and reporting features to help protect their critical infrastructure and IP address space from bot-related cyberthreats.

Enriched data: Botnet C&C activity in your region

The portal gives CERTs and CSIRTs access to two key reports:

Bot report: detected malware-infected computers (bots) within your country or region.

This data is sourced from the Spamhaus Exploits Blocklist (XBL), which collects botnet information using a large sensor network. When an IP address (e.g. a bot) attempts to connect to one of our sensors, the system tries to identify whether the remote host is infected with a certain type of malware.

Botnet C&C report: botnet C&C servers active within your country or region.

A botnet C&C server is infrastructure operated by cybercriminals to remotely issue commands to infected machines. This data is sourced from the Spamhaus Botnet Controller List (BCL), and now goes beyond identifying IP infrastructure actively used by cybercriminals to control bots, to provide enriched contextual data, including:

  • Protocol - the communication protocol (e.g. TCP)
  • Country Code - country in which the C&C server is located
  • ASN - the Autonomous System Number
  • Botname - the name assigned by Spamhaus researchers
  • Botname_Malpedia - corresponding malware family name in Malpedia
  • IP Address - of the C&C server
  • Seen - date the C&C server was last observed

This enriched data allows security teams to cross-reference suspicious activity within their constituency against known botnet C&C metadata, enabling faster identification, escalation, and remediation.
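As an added illustration (not Spamhaus code), the sketch below cross-references constructed flow records against a constructed C&C report and uses the Seen date to skip stale listings. The JSON key names, the ISO date format of `seen` and the flow-log layout are assumptions based on the field labels above, not the portal's documented schema.

```python
import ipaddress
import json
from datetime import date, timedelta

# Constructed sample of an enriched botnet C&C report. The key names are
# assumptions derived from the field labels; the real schema may differ.
SAMPLE_REPORT = """[
 {"ip_address": "203.0.113.7", "protocol": "tcp", "country_code": "ZZ",
  "asn": 64500, "botname": "ExampleBotA", "botname_malpedia": "win.example_a",
  "seen": "2026-06-12"},
 {"ip_address": "198.51.100.23", "protocol": "tcp", "country_code": "ZZ",
  "asn": 64501, "botname": "ExampleBotB", "botname_malpedia": "win.example_b",
  "seen": "2026-03-01"}
]"""

# Constructed flow records: timestamp, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2026-06-13T08:15:02Z 10.20.1.15 203.0.113.7 443 tcp
2026-06-13T08:15:09Z 10.20.1.15 192.0.2.80 443 tcp
2026-06-13T09:02:41Z 10.20.4.8 198.51.100.23 8080 tcp
2026-06-13T09:05:00Z 10.20.4.9 203.0.113.7 53 udp
"""

def load_listings(report_json, today, max_age_days=30):
    """Index listings by (IP, protocol), dropping entries not seen recently."""
    cutoff = today - timedelta(days=max_age_days)
    index = {}
    for entry in json.loads(report_json):
        if date.fromisoformat(entry["seen"]) < cutoff:
            continue  # stale: the address may have been reassigned since
        ip = ipaddress.ip_address(entry["ip_address"])  # rejects malformed IPs
        index[(ip, entry["protocol"].lower())] = entry
    return index

def match_flows(flow_text, index):
    """Return one finding per flow whose destination is a listed C&C."""
    findings = []
    for line in flow_text.splitlines():
        ts, src, dst, _port, proto = line.split()
        hit = index.get((ipaddress.ip_address(dst), proto.lower()))
        if hit:
            findings.append({"time": ts, "host": src, "cc_ip": dst,
                             "asn": hit["asn"], "botname": hit["botname"],
                             "malpedia": hit["botname_malpedia"]})
    return findings

if __name__ == "__main__":
    idx = load_listings(SAMPLE_REPORT, today=date(2026, 6, 14))
    for f in match_flows(SAMPLE_FLOWS, idx):
        print(f)
```

Each finding carries the internal host alongside the botname and Malpedia family, which is what an analyst needs to pick the right remediation playbook for that host.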

Using the portal: Even better functionality

The CERT Insight Portal is now even easier to navigate, making access to the threat intelligence for your constituency straightforward.

Here’s what you can do:

Share resources: the resources you want to report data on. A resource must be within your constituency and can be one of:

  • a 2-letter country code (ISO 3166-1)
  • an ASN (16 or 32 bits)
  • an IPv4 CIDR block

Access reports: of IP addresses in your resources that have shown bot and botnet C&C activity.

  • Bot Report - Use the API to access a file containing the latest resources, or view the entire list of bots currently published in XBL.
  • NEW: Enriched Botnet C&C report - View the data in JSON, or use your API key to download a JSON file containing the botnet C&C listings and contextual data.

Your API key is available in your account; use it to retrieve the threat intelligence data through the Spamhaus APIs.

Set alerts: to notify you when infrastructure in your constituency is identified on certain Spamhaus lists:

How can I access the portal?

To be eligible, your organisation must be a government-funded CERT or CSIRT with clearly defined national or regional responsibility. If you are unsure whether your organisation qualifies, don't hesitate to contact the Spamhaus CERT Outreach team at: cert-team@spamhaus.org.

Once your request is received, the team will verify your eligibility and get back to you with next steps.