Nsocks Botnet Activity

The Nsocks botnet leverages vulnerabilities in specific Internet-facing applications, such as VMware Horizon servers affected by a known critical vulnerability (CVE-2021-21972). Once a host is compromised, the attacker uses a custom protocol over TCP for command-and-control (C2) communication. The protocol carries various commands for managing the botnet, including downloading and executing files, launching DDoS attacks, and stealing credentials.