{
	"id": "f56c3b9c-dc56-44f3-85d5-04445c3f4a32",
	"created_at": "2026-04-06T00:19:59.719116Z",
	"updated_at": "2026-04-10T13:12:24.668323Z",
	"deleted_at": null,
	"sha1_hash": "2cc51788cc868a7b31899d4351444b75a1c58289",
	"title": "The King is Dead, Long Live MyKings! (Part 1 of 2)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3571679,
	"plain_text": "The King is Dead, Long Live MyKings! (Part 1 of 2)\r\nBy Threat Research Team\r\nArchived: 2026-04-05 19:34:50 UTC\r\nMyKings is a long-standing and relentless botnet which has been active since at least 2016. Since then it has\r\nspread and extended its infrastructure so much that it has even gained multiple names from multiple analysts\r\naround the world — MyKings, Smominru, and DarkCloud, for example. Its vast infrastructure consists of multiple\r\nparts and modules, including a bootkit, coin miners, droppers, clipboard stealers, and more.\r\nOur research has shown that, since 2019, the operators behind MyKings have amassed at least $24 million USD\r\n(and likely more) in the Bitcoin, Ethereum, and Dogecoin cryptowallets associated with MyKings. While we can’t\r\nattribute that amount solely to MyKings, it still represents a significant sum that can be tied to MyKings activity.\r\nOur hunting for new samples brought us over 6,700 unique samples. Just since the beginning of 2020 (after the\r\nrelease of the Sophos whitepaper), we protected over 144,000 Avast users threatened by this clipboard stealer\r\nmodule. Most attacks happened in Russia, India, and Pakistan.\r\nMap illustrating targeted countries since 1.1.2020 until 5.10.2021\r\nIn this first part of our two-part blog series, we will peek into the already known clipboard stealer module of\r\nMyKings, focusing on its technical aspects, monetization, and spread. In addition, we’ll look into how the\r\nfunctionality of the clipboard stealer enabled attackers to carry out frauds with Steam trade offers and Yandex\r\nDisk links, leading to more financial gain and infection spread.\r\nAvast has been tracking the MyKings’ clipboard stealer since the beginning of 2018, but we can’t rule out an even\r\nearlier creation date. 
The basic functionality of this module was already covered by Gabor Szappanos from\r\nSophosLabs, but we are able to contribute with new technical details and IoCs.\r\n1. Monetary gain\r\nWhen Sophos released their blog at the end of 2019, they stated that the coin addresses are “not used or never\r\nreceived more than a few dollars”. After tracing newer samples, we were able to extract new wallet addresses and\r\nextend the list of 49 coin addresses in the Sophos IoCs to over 1300.\r\nhttps://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/\r\nPage 1 of 12\n\nBecause of the amount of new data, we decided to share our script, which can query the amount of cryptocurrency\r\ntransferred through a crypto account. Because not all blockchains offer this possibility, we decided to find out how\r\nmuch money attackers gained through Bitcoin, Ethereum, and Dogecoin accounts. After inspecting these\r\naddresses we have confirmed that more than $24,700,000 worth in cryptocurrencies was transferred through these\r\naddresses. We can safely assume that this number is in reality higher, because the amount consists of money\r\ngained in only three cryptocurrencies out of the more than 20 in total used by the malware. It is also important to note here\r\nthat not all of the money present in the cryptowallets necessarily comes from the MyKings campaign alone.\r\nAfter taking a closer look at the transactions and inspecting the contents of installers that dropped the clipboard\r\nstealer, we believe that part of this money was gained through crypto miners. The clipboard stealer module and the\r\ncrypto miners were seen using the same wallet addresses.\r\nTable with monetary gain (data refreshed 5.10.2021)\r\nHistogram of monetary gains for Bitcoin, Ethereum and Dogecoin wallets\r\n2. Attribution\r\nEven though the clipboard stealer and all related files are attributed in previous blog posts to MyKings, we wanted\r\nto confirm those claims because of the lack of definitive proof. 
Some articles (e.g. by Sophos) say that some\r\nscripts in the attribution chain, like c3.bat, may kill other botnets or earlier versions of themselves, which raises\r\ndoubts. Other articles (e.g. by Guardicore) even work with the theory of a rival copycat botnet deleting\r\nMyKings. MyKings is a large botnet with many modules, and before attributing all the monetary gains to this\r\nclipboard stealer, we wanted to be able to prove that the clipboard stealer is really a part of MyKings.\r\nWe started our attribution with the sample\r\nd2e8b77fe0ddb96c4d52a34f9498dc7dd885c7b11b8745b78f3f6beaeec8e191 . This sample is an NSIS installer which\r\ndrops NsCpuCNMiner in both 32 and 64 bit versions.\r\nIn the NSIS header it was possible to see this Monero address used for the miner configuration:\r\n41xDYg86Zug9dwbJ3ysuyWMF7R6Un2Ko84TNfiCW7xghhbKZV6jh8Q7hJoncnLayLVDwpzbPQPi62bvPqe6jJouHAsGNkg2\r\nNSIS header\r\nApart from the NsCpuCNMiner, the sample dropped an additional file with the name java12.exe into C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\java.exe . This file has SHA256\r\n0390b466a8af2405dc269fd58fe2e3f34c3219464dcf3d06c64d01e07821cd7a and, according to our data, was\r\ndownloaded from http://zcop[.]ru/java12.dat by the installer. This file could also be downloaded from\r\nhttp://kriso[.]ru/java12.dat (both addresses contained multiple samples with different configurations at\r\ndifferent times). This file contains a clipboard stealer. Also, the same Monero address can be found in both the\r\nclipboard stealer and the NSIS configuration.\r\nAfter researching the Monero address, we found in a blog post written by Tencent Yujian Threat Intelligence Center\r\nthat sample b9c7cb2ebf3c5ffba6fdeea0379ced4af04a7c9a0760f76c5f075ded295c5ce2 uses the same address. This\r\nsample is another NSIS installer which drops the NsCpuCNMiner and the clipboard stealer. 
This NSIS installer\r\nwas usually dropped under the name king.exe or king.dat and could be downloaded from\r\nhttp://kr1s[.]ru/king.dat .\r\nIn the next step, we looked into the address http://kr1s[.]ru/king.dat and we found that at different times,\r\nthis address contained the file f778ca041cd10a67c9110fb20c5b85749d01af82533cc0429a7eb9badc45345c usually\r\ndropped into C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\king.exe or C:\\Windows\\system32\\a.exe . This file is\r\nagain an NSIS installer that downloads the clipboard stealer, but this time it contains the URLs\r\nhttp://js[.]mys2016.info:280/helloworld.msi and http://js[.]mys2016.info:280/v.sct .\r\nThe URL http://js[.]mys2016.info:280/v.sct is interesting, because this URL is also contacted by the sample\r\nnamed my1.html or my1.bat with SHA256\r\n5ae5ff335c88a96527426b9d00767052a3cba3c3493a1fa37286d4719851c45c .\r\nThis file is a batch script which is almost identical to the script with the same name my1.bat and SHA256\r\n2aaf1abeaeeed79e53cb438c3bf6795c7c79e256e1f35e2a903c6e92cee05010 , as shown further below.\r\nBoth scripts contain the same strings, such as C:\\Progra~1\\shengda and C:\\Progra~1\\kugou2010 .\r\nThere are only two important differences to notice:\r\n1. At line 12, one script uses the address http://js[.]mys2016.info:280/v.sct and the other uses the address\r\nhttp://js[.]1226bye.xyz:280/v.sct .\r\n2. Line 25 in the second script has commands that the first script doesn’t have. 
You can notice strings like\r\nfuckyoumm3 , a very well-known indicator of MyKings.\r\nComparison of the batch scripts – script\r\n5ae5ff335c88a96527426b9d00767052a3cba3c3493a1fa37286d4719851c45c contacting the C\u0026C related to the\r\nclipboard stealer\r\nComparison of the batch scripts – script\r\n2aaf1abeaeeed79e53cb438c3bf6795c7c79e256e1f35e2a903c6e92cee05010 contacting the C\u0026C related to\r\nMyKings\r\nFurthermore, it is possible to look at the file c3.bat with SHA256\r\n0cdef01e74acd5bbfb496f4fad5357266dabb2c457bc3dc267ffad6457847ad4 . This file is another batch script which\r\ncommunicates with the address http://js[.]1226bye.xyz:280/v.sct and contains many MyKings-specific\r\nstrings like fuckayoumm3 or the task name Mysa1 .\r\nAttribution chain\r\n3. Technical analysis\r\nOur technical analysis of the clipboard stealer focuses primarily on new findings.\r\n3.1 Goal of the malware\r\nThe main purpose of the clipboard stealer is rather simple: checking the clipboard for specific content and\r\nmanipulating it in case it matches predefined regular expressions. This malware counts on the fact that users do\r\nnot expect to paste values different from the ones that they copied. It is easy to notice when someone forgets to\r\ncopy and pastes something completely different (e.g. a text instead of an account number), but it takes special\r\nattention to notice the change of a long string of random numbers and letters to a very similar looking string, such\r\nas cryptowallet addresses. This process of swapping is done using the functions OpenClipboard , EmptyClipboard ,\r\nSetClipboardData and CloseClipboard . 
Even though this functionality is quite simple, it is concerning that\r\nattackers could have gained over $24,700,000 using such a simple method.\r\nSimple routine of the clipboard content swap\r\nAs can be seen in the image below, most of the regular expressions used for checking the clipboard content will\r\nmatch wallet formats of one specific cryptocurrency, but there are also regular expressions to match Yandex file\r\nstorage, links to the Russian social network VKontakte, or Steam trade offer links.\r\nList of regular expressions matching specific cryptocurrencies and URLs\r\nWe were able to find many comments from people at BlockChain Explorer services believing that they sent\r\nmoney to the incriminated accounts by mistake and asking or demanding that their money be sent back. In\r\nresponse to this malicious activity, we want to increase awareness about frauds like this and we highly recommend\r\nthat people always double-check transaction details before sending money.\r\nComments from infected users connected to address 0x039fD537A61E4a7f28e43740fe29AC84443366F6\r\n3.2 Defense \u0026 features\r\nSome other blog posts describe a few anti-debugging checks and defense against system monitoring tools, but we\r\ncan’t confirm any new development.\r\nIn order to avoid multiple executions, the clipboard stealer checks for a mutex on execution. The mutex name is\r\ncreated dynamically by checking which version of the OS it is launched on. This procedure is performed using\r\nthe function RegOpenKeyExA , which opens the registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion .\r\nAfterwards, the function RegQueryValueExA is called, which reads the value ProductName . The value obtained is\r\nthen concatenated with the constant suffix 02 . This method yields many possible mutex names. 
In the list below, you can find a few examples of mutex names:\r\nWindows 7 Professional02\r\nWindows 7 Ultimate02\r\nWindows 10 Enterprise02\r\nWindows 10 Pro02\r\nWindows XP02\r\n…\r\nIn a different version of the malware, an alternative value is used from the registry key SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion , namely its value BuildGUID . This value is then also appended with the suffix 02 to create the\r\nfinal mutex name.\r\nAnother defensive mechanism of this malware is hiding the addresses of the cryptowallets belonging\r\nto the attackers. When the malware matches any of the regular expressions in the clipboard, it substitutes the\r\nclipboard content with a value that is hardcoded inside the malware sample. For protection against quick analysis\r\nand against static extraction with regular expressions, the substitute values are encrypted. The encryption used is a\r\nvery simple ROT cipher, where the key is set to -1.\r\nFor a quick and static extraction of wallets from samples, it’s possible to decrypt the whole sample (which\r\ndestroys all data except the wanted values) and then use regular expressions to extract the hidden substitute values.\r\nThe advantage of this approach is that the malware authors already provided us with all the necessary regular\r\nexpressions; thus the extraction process of the static information can be easily automated.\r\n3.3 Newly uncovered functionality\r\nWith a larger dataset of samples, we were also able to reveal the intentions of the regular expressions checking for\r\nURLs.\r\n3.3.1 Steam trade frauds\r\nOne of the regular expressions hardcoded in samples looks like this:\r\n((https://steamcommunit))(?!.*id|.*id)(([a-zA-Z0-9.-]+.[a-zA-Z]{2,4})|([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}))(/[a-zA-Z0-9%:/-_?.',27h,'~\u0026]*)?\r\nThis kind of expression is supposed to match Steam trade offer links. 
Users on the Steam platform can create trade\r\noffers to trade what are usually in-game items from their inventory with other users. The value of the items that\r\ncan be traded starts at only a few cents, but the most expensive items are being sold for hundreds or thousands of\r\ndollars.\r\nThe clipboard stealer manipulates the trade offer URL and changes the receiving side, so Steam users send their\r\nitems to someone completely unknown. The exchanged link then looks like this one:\r\nhttps://steamcommunity[.]com/tradeoffer/new/?partner=121845838\u0026token=advSgAXy\r\nIn total we were able to extract 14 different Steam trade offer links that appeared in almost 200 samples. These\r\nlinks led us to 14 Steam accounts — some of which were banned and some had set privacy restrictions — but\r\namong the working public accounts we were able to find information that assured us that these frauds happened.\r\nAn example is this account, which was bound to the trade offer link listed above:\r\nhttps://steamcommunity.com/id/rosher\r\nAfter checking the comments section of this account, we could see multiple people getting angry and curious as to\r\nwhy their trade offer links were getting changed. Even though some people noticed the change in the trade offer\r\nlink, we suppose that some trades were completed. We were not able to estimate how much money could have\r\nbeen stolen through this technique.\r\nComments from https://steamcommunity.com/id/rosher\r\nTranslation of comments:\r\n1. 9 Oct, 2020 @ 7:47 pm why is my trade link changing to yours?\r\n2. 21 Jul, 2020 @ 2:16 pm Th for the garbage with a trade link !!! ???\r\n3. 
27 Jun, 2020 @ 5:05 am what a fagot what did you do with the link\r\n3.3.2 Fake Yandex Disk links\r\nAnother functionality is related to the regular expression:\r\n((https://yad))+(([a-zA-Z0-9.-]+.[a-zA-Z]{2,4})|([0-9]{1,3}.[0-9]\r\nThis regular expression matches links to Yandex Disk storage. Yandex Disk is a cloud service created by the\r\nmultinational Russian company Yandex and can be used similarly to Google Drive or Dropbox for sharing files.\r\nThe objective of this technique is to match links that users are sending to their friends and family to share files or\r\nphotos. If the malware runs on the sender’s machine, the infected victim is sending wrong links to all their\r\nacquaintances. If the malware runs on the machine of the user that receives the link and copies/pastes it into the\r\nbrowser address bar, the victim again opens a wrong link. In both cases, the wrong link gets opened by someone\r\nunaware that the content is wrong, and the victim downloads files from that link and opens them,\r\nbecause there is no reason not to trust files received from someone they know.\r\nFrom the set of analyzed samples, we extracted the following 4 links to Yandex Disk storage:\r\n1. https://yadi[.]sk/d/cQrSKI0591KwOg\r\n2. https://yadi[.]sk/d/NGyR4jFCNjycVA\r\n3. https://yadi[.]sk/d/zCbAMw973ZQ5t3\r\n4. https://yadi[.]sk/d/ZY1Qw7RRCfLMoQ\r\nAll of the links contain packed archives in .rar or .zip format, protected with a password. The password is\r\nusually written in the name of the file. As you can see in the image below, the file is named, for example,\r\n“photos,” with the password 5555 .\r\nContents on https://disk[.]yandex.ru/d/NGyR4jFCNjycVA\r\n4. 
Conclusion\r\nIn this first part of the blog series, we focused on the MyKings clipboard stealer module, going through the\r\nattribution chain and uncovering the amounts of money that attackers were able to obtain along the way. The\r\nclipboard stealer also focuses on frauds regarding Steam trade offers and Yandex Disk file sharing, distributing\r\nfurther malware to unaware victims.\r\nIn the next part of this blog series, we will go down the rabbit hole — exploring the contents of one of the\r\ndownloaded payloads and providing you with an analysis of the malware inside. Don’t miss it!\r\nIndicators of Compromise (IoC)\r\nComplete list in our GitHub.\r\nAppendix\r\nScripts\r\nThe script for querying amounts transferred through wallet addresses can be found in our GitHub.\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/janrubin/the-king-is-dead-long-live-mykings/"
	],
	"report_names": [
		"the-king-is-dead-long-live-mykings"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cc51788cc868a7b31899d4351444b75a1c58289.pdf",
		"text": "https://archive.orkl.eu/2cc51788cc868a7b31899d4351444b75a1c58289.txt",
		"img": "https://archive.orkl.eu/2cc51788cc868a7b31899d4351444b75a1c58289.jpg"
	}
}