MyloBot Botnet Spreads Globally, 50,000+ Devices Infected Daily

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Feb 23, 2023 02:09 am PST

Most of the thousands of systems that MyloBot has seized control of are in Iran, India, the US, Indonesia, and Indonesia. A high of 250,000 unique hosts was reached in 2020. However, new research from BitSight claims that “more than 50,000 unique infected systems are seen every day.”

Moreover, connections to BHProxies, a residential proxy service, were discovered through an investigation of MyloBot’s architecture. This indicates that BHProxies is making use of vulnerable systems. The threat of MyloBot initially surfaced in 2017. In 2018, Deep Instinct was the first to write about it, highlighting how it can dodge analysis and how it can function as a downloader.

MyloBot is risky because it can download and execute any payload after infecting a host, according to Lumen’s Black Lotus Labs in November 2018. This implies that it could download any virus the attacker chooses. In an effort to obtain more than $2,700 in Bitcoin last year, the virus was detected sending extortion emails from compromised endpoints.

The multi-step procedure MyloBot Botnet Bot malware uses to unpack and run is well known. Notably, it waits 14 days before attempting to connect with the command-and-control (C2) server. To avoid being discovered, one does this.

The basic function of the botnet is to connect to an embedded C2 domain and wait for future instructions. Mylobot botnet transforms the infected machine into a proxy when it receives a command from the C2, according to BitSight. The compromised machine will be able to manage numerous connections and relay communications from the command-and-control server.

In more recent iterations of the virus, the downloader makes contact with a C2 server, which replies with an encrypted message and a link to the location of the MyloBot botnet payload.

One of the IP addresses in the botnet’s C2 infrastructure was found to be connected to a domain named “clients.bhproxies[.]com” through a reverse DNS query. This demonstrates that MyloBot might be a component of a larger system.

The Boston-based cybersecurity firm claimed that MyloBot was first “sunkholed” in November 2018 and that the botnet is still evolving today.

Characteristics Of The Mylobot Botnet:

Anti-virtual machine (VM) techniques:  Malware looks for indications of a virtual machine in its immediate environment and stops functioning if it does.

Anti-sandbox methods: They are very similar to anti-VM methods.

Anti-debugging techniques: By changing behavior when particular debugging applications are present, they effectively and efficiently prevent a security researcher from working on a malware sample.

Embedding internal components in an encrypted resource file is equivalent to further encrypting the malware’s internal code.

Code injection strategies: Mylobot attacks the system by running custom code and injecting that code into system processes to obtain access and obstruct normal operation.

Process hollowing: occurs when an attacker substitutes a hidden process with a new one that was created in a suspended state.

Reflective EXE: Instead of using the disk to run the EXE file, it runs from memory.

Delay Mechanism: The malware waits 14 days before connecting to command and control servers as its delay technique.

This malware can be used to steal confidential information, encrypt it, and render it inaccessible to you unless you pay a ransom. Even then, there is no assurance that you will be able to access your data.


Tens of thousands of systems have been infiltrated by the sophisticated botnet “Mylobot,” which primarily targets computers in Iran, India, the United States, and Indonesia. For those who are unaware, a botnet is a network of computers infected with malware managed by third parties without the owner’s knowledge to transmit spam messages, spread malware, and steal confidential information. According to BitSight, a cybersecurity assessment firm, the Mylobot botnet infects over 50,000 different systems daily. BitSight believes that they are only seeing a portion of the entire botnet, despite the fact that this is a decrease from the 250,000 at the beginning of 2020.

Deep Instinct, a cybersecurity firm, discovered Mylobot for the first time in 2018 and discovered that the botnet has downloader and anti-analysis capabilities. A few months later, IT company Lumen’s Black Lotus Labs also noticed the botnet. Mylobot can download and execute any payload after infecting a host, which makes it dangerous, according to the blog for the program. This implies that it could download any further malware the attacker wants.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x