{
	"id": "3a90cd74-ec10-4832-bcea-0773b7eeb2cc",
	"created_at": "2026-04-06T00:22:30.927537Z",
	"updated_at": "2026-04-10T03:21:26.638362Z",
	"deleted_at": null,
	"sha1_hash": "7e4e076d38c08f4ae2e667fac8057cfeeea9160a",
	"title": "Mylobot: Investigating a proxy botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1759068,
	"plain_text": "Mylobot: Investigating a proxy botnet\r\nArchived: 2026-04-05 15:08:25 UTC\r\nMylobot is malware that targets Windows systems. It first appeared in 2017 and has received little attention since. In this article, we'll focus on its main capability, which is turning the infected system into a proxy. We'll also see how it's distributed and what its downloader can do. We'll try to make a connection between Mylobot and BHProxies (a residential proxy service), and finally we'll present the telemetry we have collected since we started tracking it in 2018.\r\nThe first Mylobot sample we found has a size of 106496 bytes and a compilation timestamp of October 20, 2017. At that time, the malware had three stages, the third one being the actual Mylobot proxy bot payload and the one responsible for the network communications.\r\nBefore going into details, Figure 1 shows the execution flow of Mylobot's samples.\r\nhttps://www.bitsight.com/blog/mylobot-investigating-proxy-botnet\r\nPage 1 of 20\n\nFigure 1 - Execution of Mylobot's samples\r\nFirst stage - WillExec dropper\r\nThe first stage embeds an encrypted resource and performs anti-debug checks using the Windows APIs CreateTimerQueueTimer and SetUnhandledExceptionFilter, which are well described in a Minerva blog post from 2022. After those checks, the sample fetches a very long base64-encoded string from its resource and decodes it. The resulting buffer has the following structure (a 32-byte header followed by the encrypted data):\r\nstruct decoded_res\r\n{\r\n   uint32_t sz_next_stage;\r\n   uint32_t sz_shellcode;\r\n   char rc4_key[5];\r\n   char padding[19];\r\n   char encrypted_blob[sz_shellcode + sz_next_stage];\r\n}\r\nIn all samples we found, sz_shellcode was equal to 0x820. 
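To make the layout concrete, here is an added example (not code from the original post, and not the malware's own routine) that parses a resource laid out as the struct above and RC4-decrypts the blob. It assumes little-endian size fields and a single RC4 keystream over shellcode and next stage together, neither of which the post states, and the resource it builds for itself is constructed, not a real sample. The same RC4 routine serves the second stage, where the 4-byte resource 102 is the key for resource 101.

```python
import base64
import struct

# Header layout from the decoded_res struct above: two uint32 sizes, a 5-byte
# RC4 key and 19 bytes of padding (32 bytes), then the encrypted blob.
# Little-endian is assumed; the post does not state the byte order.
HEADER_FMT = '<II5s19s'
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32


def rc4(key, data):
    '''Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def unpack_willexec_resource(b64_resource):
    '''Base64-decode the first-stage resource, RC4-decrypt the blob with the
    embedded key and split it into shellcode and next-stage PE. Assumption:
    one RC4 keystream covers shellcode and PE together. Size fields are
    checked so a truncated or mis-identified resource is rejected loudly.'''
    raw = base64.b64decode(b64_resource)
    if len(raw) < HEADER_LEN:
        raise ValueError('resource shorter than the 32-byte header')
    sz_next, sz_sc, key, _pad = struct.unpack_from(HEADER_FMT, raw, 0)
    blob = raw[HEADER_LEN:]
    if len(blob) != sz_sc + sz_next:
        raise ValueError('size fields %d + %d do not match blob length %d'
                         % (sz_sc, sz_next, len(blob)))
    plain = rc4(key, blob)
    next_stage = plain[sz_sc:]
    return {
        'rc4_key': key,
        'shellcode': plain[:sz_sc],
        'next_stage': next_stage,
        'next_stage_is_pe': next_stage[:2] == b'MZ',
        'shellcode_size_matches_samples': sz_sc == 0x820,
    }


def decrypt_second_stage_resource(res_102, res_101):
    '''Second stage: resource 102 (4 bytes) is the RC4 key for resource 101.'''
    if len(res_102) != 4:
        raise ValueError('resource 102 should be exactly 4 bytes')
    return rc4(res_102, res_101)


def build_sample_resource():
    '''Constructed test input, not a real sample: a 0x820-byte fake shellcode
    and a fake PE (just an MZ header) packed and encrypted as the dropper expects.'''
    key = b'K3y!!'
    shellcode = bytes(range(256)) * 8 + bytes(32)          # 0x820 bytes
    next_stage = b'MZ' + b'constructed fake PE body'
    header = struct.pack(HEADER_FMT, len(next_stage), len(shellcode), key, bytes(19))
    return base64.b64encode(header + rc4(key, shellcode + next_stage)).decode('ascii')
```

On a real sample, feed the base64 string pulled from the resource section to unpack_willexec_resource; the shellcode size check against 0x820 and the MZ check on the next stage are the two quick sanity signals that the assumptions above hold for that binary.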
The function that decodes and decrypts the resource (figure 2a) ends with the instructions listed in figure 2b, resulting in the execution of the decoded shellcode.\r\nFigure 2a - Decryption code\r\nFigure 2b - Epilogue of the decrypting function\r\nThe shellcode is short and straightforward: its purpose is to run the decrypted PE file that follows it in the decrypted blob. To do so, it creates a new process and performs process hollowing on it, i.e. it replaces the process's executable image at runtime with the decrypted PE. The whole hollowing procedure is detailed in figure 3.\r\nFigure 3 - Process hollowing\r\nOne noticeable thing is that this stage executes the following API call multiple times:\r\nMessageBoxA(0xffffa481, \"Will exec\", 0, 0);\r\nThe call fails because 0xffffa481 is not a valid HWND, which makes the string a convenient marker for this dropper. We'll refer to it as WillExec in the rest of this document.\r\nSecond stage\r\nThe second stage is quite straightforward as well. It contains 2 resources:\r\nan encrypted resource, this time not base64-encoded (resource ID 101)\r\na very small 4-byte resource (resource ID 102)\r\nThe 4-byte resource is the RC4 key used by the program to decrypt resource 101. 
The decrypted resource is a PE file.\r\nOnce the program has mapped the decrypted PE file in memory, it locates one of its exported functions, named _ep@4, and executes it.\r\nOne interesting thing to notice in this stage is the comparison of the command line argument with the string wusaupdate:\r\nFigure 4 - Command line check\r\nIf it matches, the program disables Windows Defender (Figure 5) and adds a firewall rule that blocks all outgoing TCP connections to the following ports:\r\n2900\r\n1100\r\n2200\r\n3300\r\n4400\r\n5500\r\n6600\r\n7700\r\n8800\r\n9900\r\nThe function responsible for disabling Windows Defender executes a series of shell commands and changes the registry:\r\nFigure 5 - Function disabling Windows Defender\r\nThird stage\r\nThe third stage is the most interesting one, as it's the one turning the infected computer into a proxy. Before starting its communication with the remote command and control server, the third stage writes itself to disk, then runs cmd.exe with STARTUPINFO.wShowWindow set to 0 (SW_HIDE), so the program's window won't appear to the user.\r\nThen it injects itself into the newly created process using the APIs WriteProcessMemory and CreateRemoteThread. More specifically, the program injects:\r\nitself as a raw file\r\nan array of function pointers to useful ntdll.dll and kernel32.dll APIs\r\na small binary blob that can be seen as a manual Portable Executable mapper.\r\nOnce the manual mapper has mapped the raw file in memory, the original process runs the exported function _re@4 in the newly created process, then terminates itself.\r\nThe binary achieves persistence by writing itself to the following registry key:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nThe value stored in this registry key is the path on disk of the second stage.\r\nThe malware removes other potential malware by renaming executable files in multiple directories. It checks for files ending with .exe in:\r\n%APPDATA%\r\n%APPDATA%\\WindowsAudio\r\n%APPDATA%\\Windows Live\r\n%APPDATA%\\Update\r\n%APPDATA%\\Adobe\r\n%APPDATA%\\WindowsUpdate\r\n%APPDATA%\\Identities\r\n%APPDATA%\\Microsoft\r\n%APPDATA%\\Microsoft\\Windows\r\n%APPDATA%\\Microsoft\\Windows\\Themes\r\nIf an executable file is found, its .exe extension is replaced with .local.backup. Moreover, the binary creates a new process of its second stage with the command line argument wusaupdate to disable Windows Defender and create the firewall rule detailed above.\r\nFinally, the binary stores an encoded FILETIME on the filesystem in %TEMP%\\dd.te if the file does not already exist. The malware only starts communicating with the command and control server once 12 days have passed since the date written in this file. This delay means a short sandbox run will never show the C2 traffic; to observe it, the stored timestamp or the system clock has to be moved.\r\nCommunication protocol\r\nThe first version of Mylobot had a very distinctive network fingerprint. The sample usually embeds more than 1000 hard-coded domains, mostly under the top-level domains (TLD) .ru and .com. All domains look like they have been generated by some sort of domain generation algorithm (DGA). 
An overview of some of the hardcoded domains:\r\nzdrussle.ru:2173\r\npseyumd.ru:5492\r\nstydodo.ru:2619\r\ntqzknrx.com:1123\r\nmdcqrxw.com:4984\r\ntpwtgyw.com:9631\r\ncnoyucn.com:9426\r\nqhloury.com:4759\r\nfnjxpwy.com:3863\r\ncsxpzlz.com:5778\r\nwlkjopy.com:8778\r\nmynfwwk.com:8427\r\nuuitwxg.com:6656\r\nagnxomu.com:8881\r\nwcagsib.com:3547\r\nfmniltb.com:9582\r\noapwxiu.com:3922\r\nFor each of these domains, the sample tries to connect to many of its subdomains. Most subdomains start with the letter x, w, or m, followed by a number. In this sample, the first hardcoded domain is fywkuzp[.]ru:7432, and we could observe an infected machine trying to connect to the following hosts:\r\nm1.fywkuzp[.]ru:7432\r\nm2.fywkuzp[.]ru:7432\r\n…\r\nm42.fywkuzp[.]ru:7432\r\nIn the end, Mylobot produces thousands of DNS requests, which makes it quite noisy. If the sample successfully connects to one of those hosts, it keeps the connection open and waits for an instruction from the command and control server (C2).\r\nWhen Mylobot receives an instruction from the C2, it transforms the infected computer into a proxy. 
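The subdomain sweep described above is what makes the first version easy to spot in DNS logs. As an added example (not code from the original post), the following enumerates the candidate hosts a bot would try and flags, in a constructed DNS log, any client that queries many counter-style labels under one domain. The prefixes and the 0..42 counter follow the observed m1..m42 pattern; the upper bound, the log format and the threshold are assumptions for illustration.

```python
import re

# Hard-coded C2 domains quoted in this post (written defanged there). The
# m/w/x prefixes and the 0..42 counter follow the observed m1..m42 pattern;
# the upper bound is an assumption for illustration.
C2_DOMAINS = {'fywkuzp.ru': 7432, 'zdrussle.ru': 2173,
              'pseyumd.ru': 5492, 'stydodo.ru': 2619}
PREFIXES = ('m', 'w', 'x')


def candidate_hosts(domains=C2_DOMAINS, prefixes=PREFIXES, max_index=42):
    '''Enumerate the (hostname, port) pairs a bot would try, in order:
    <prefix><n>.<domain>:<port>. Useful to seed a sinkhole or a blocklist.'''
    return [('%s%d.%s' % (p, n, d), port)
            for d, port in domains.items()
            for p in prefixes
            for n in range(max_index + 1)]


# Naming scheme only: one letter m/w/x, a counter, a short label, .ru or .com.
# Deliberately not tied to the known domains so a rotated list is still seen.
MYLOBOT_HOST_RE = re.compile(r'^[mwx][0-9]{1,3}[.]([a-z0-9]{6,12})[.](ru|com)$')


def flag_dns_log(lines, min_hosts_per_domain=5):
    '''Parse DNS log lines of the form <timestamp> <client_ip> <qname> and
    return (client, domain, distinct_hosts) for each client that queried at
    least min_hosts_per_domain different <prefix><n> labels under one domain.
    A single m3.example.com lookup matches the regex but never the threshold;
    the counter sweep is the signal, not the shape of one name.'''
    per_client = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue          # malformed line: skip rather than crash the pipeline
        _ts, client, qname = parts
        m = MYLOBOT_HOST_RE.match(qname.lower().rstrip('.'))
        if not m:
            continue
        domain = m.group(1) + '.' + m.group(2)
        per_client.setdefault(client, {}).setdefault(domain, set()).add(qname.lower())
    hits = []
    for client, domains in per_client.items():
        for domain, hosts in domains.items():
            if len(hosts) >= min_hosts_per_domain:
                hits.append((client, domain, len(hosts)))
    return sorted(hits)


# Constructed log sample: one host sweeping m1..m42.fywkuzp.ru, one host doing
# ordinary lookups (including a single name that merely looks similar).
SAMPLE_LOG = (
    ['2023-02-01T10:00:%02d 10.0.0.5 m%d.fywkuzp.ru' % (n % 60, n) for n in range(1, 43)]
    + ['2023-02-01T10:01:00 10.0.0.7 www.example.com',
       '2023-02-01T10:01:01 10.0.0.7 m3.google.com',
       '2023-02-01T10:01:02 10.0.0.7 mail.fywkuzp.ru']
)

if __name__ == '__main__':
    print(flag_dns_log(SAMPLE_LOG))
```

The regex on its own would be a poor indicator (it matches plenty of legitimate short hostnames); what separates Mylobot from background noise is one client walking through dozens of numbered labels under the same domain, which is why the detection counts distinct labels per client and domain rather than matching single names.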
The infected machine is then able to handle many connections and relay traffic sent through the command and control server. Here's a list of the instructions supported by Mylobot:\r\nmsg_id  Description\r\n1       Connect to an IP:port\r\n2       Close the connection specified by its ID (in msg_data)\r\n3       Send data to the connected IP/domain:port specified by its ID (in msg_data)\r\n4       Restart the client's networking\r\n5       End all active connections\r\n6       Echo\r\n7       Download a binary using HTTP\r\n8       Download multiple binaries using HTTP, with a delay (8 hours)\r\n17      Connect to a domain:port\r\n19      Force a re-read from the socket specified by its ID\r\nA typical message exchanged between the C2 and the client has the following structure:\r\nstruct msg\r\n{\r\n   uint32_t conn_id;\r\n   uint8_t msg_id;\r\n   char* msg_data;\r\n}\r\nThe figure below shows an example of a C2 instruction telling the infected machine to connect to google.com on port 443.\r\nFigure 5a - A message from the command and control\r\nLumen reported that, at that time, infected computers were receiving samples of the Khalesi or Zusy malware families via msg_id 7 and 8. We only observed binary self-updates through those commands, as well as new versions of its downloader (see the section below).\r\nSince the samples we found contain many hardcoded domain names, we started to monitor them to get infection telemetry and an idea of the botnet size.\r\nIn the end, Mylobot is nothing more than a proxy bot with some ability to download and run other samples. 
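The message table and the msg struct above are enough to model the bot side of the protocol offline. The following is an added example, not code from the original post or from the malware: it frames and parses messages with the header fields from the struct, and drives a small in-memory model of the connection table the bot keeps. The post gives neither the byte order nor how the length of msg_data is carried; this example assumes little-endian and a uint16 length prefix, and both are labelled as assumptions in the code.

```python
import struct

# msg_id table from this post.
MSG_TYPES = {
    1: 'connect to IP:port',
    2: 'close connection',
    3: 'send data on connection',
    4: 'restart client networking',
    5: 'end all active connections',
    6: 'echo',
    7: 'download a binary over HTTP',
    8: 'download multiple binaries over HTTP (8h delay)',
    17: 'connect to domain:port',
    19: 'force re-read from socket',
}

# Wire layout taken from the msg struct above: uint32 conn_id, uint8 msg_id,
# then msg_data. The post gives neither the byte order nor how the length of
# msg_data is carried; this example assumes little-endian and a uint16 length
# prefix so that messages can be framed on a TCP stream.
HDR = '<IBH'
HDR_LEN = struct.calcsize(HDR)   # 7


def encode_msg(conn_id, msg_id, data=b''):
    if msg_id not in MSG_TYPES:
        raise ValueError('unknown msg_id %d' % msg_id)
    if len(data) > 0xffff:
        raise ValueError('msg_data too long for the assumed 16-bit length prefix')
    return struct.pack(HDR, conn_id, msg_id, len(data)) + data


def decode_msgs(stream):
    '''Split a receive buffer into complete messages. Returns (messages, leftover);
    leftover is the start of a message that has not fully arrived yet and must be
    prepended to the next read, which is what a stream parser has to get right.'''
    msgs, pos = [], 0
    while len(stream) - pos >= HDR_LEN:
        conn_id, msg_id, length = struct.unpack_from(HDR, stream, pos)
        if len(stream) - pos - HDR_LEN < length:
            break
        data = stream[pos + HDR_LEN:pos + HDR_LEN + length]
        msgs.append({'conn_id': conn_id, 'msg_id': msg_id,
                     'kind': MSG_TYPES.get(msg_id, 'unknown'), 'data': data})
        pos += HDR_LEN + length
    return msgs, stream[pos:]


def parse_connect_target(msg):
    '''For msg_id 1 and 17, split msg_data of the form host:port into (host, port).'''
    if msg['msg_id'] not in (1, 17):
        raise ValueError('not a connect instruction')
    host, _sep, port = msg['data'].decode('ascii').rpartition(':')
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError('malformed connect target %r' % msg['data'])
    return host, int(port)


class ProxyBotModel:
    '''Offline model of the bot side: connections are multiplexed by conn_id.
    Real sockets are replaced by a dict so the control flow can be exercised
    without any network; handle() returns a short string describing the action.'''

    def __init__(self):
        self.conns = {}

    def handle(self, msg):
        mid, cid = msg['msg_id'], msg['conn_id']
        if mid in (1, 17):
            self.conns[cid] = {'target': parse_connect_target(msg), 'sent': b''}
            return 'open'
        if mid == 3 and cid in self.conns:
            self.conns[cid]['sent'] += msg['data']
            return 'relayed %d bytes' % len(msg['data'])
        if mid == 2:
            return 'closed' if self.conns.pop(cid, None) else 'no such connection'
        if mid == 5:
            self.conns.clear()
            return 'closed all'
        if mid == 6:
            return 'echo'
        return 'ignored: %s' % msg['kind']
```

A C2 emulator for sinkhole research or a network signature both start from exactly this framing; when writing one against a real capture, confirm the byte order and the framing of msg_data from the binary first, since those are the two assumptions made here.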
The sample that implements the proxy functionality will be referred to as \"Mylobot's proxy bot\" in the rest of this post.\r\nIn 2018, we started seeing Mylobot's proxy bot being distributed by a new malware sample.\r\nThis new binary has a lot in common with Mylobot, but its last stage acts as a downloader. Let's begin by exposing the similarities between this new sample and Mylobot's proxy bot, then describe how it downloads Mylobot onto an infected system.\r\nThe first thing to note is that the new sample uses WillExec, the same dropper used for Mylobot samples. The dropped file performs anti-virtual-machine checks and tries to remove other malware running on the system as well; after that, it connects to its command and control server and downloads the next stages. This sample has been well described by Minerva, so we won't go into too much detail.\r\nThe downloader has a huge list of hard-coded, encrypted command and control domains (more than 1000).\r\nFigure 6 - Hardcoded encrypted domain names\r\nThose domains are AES-ECB encrypted with the 32-byte key GD!brWJJBeTgTGSgEFB/quRcfCkBHWgl (so AES-256), and have probably been generated with the same DGA mentioned in the first part of this post. Indeed, there's a strong similarity between the Mylobot downloader's domain names and the Mylobot proxy's.\r\nFigure 7 - Decryption of domain names\r\nThe downloader decrypts the domains at runtime and tries to connect to the subdomain buy1, v1 or up1 (depending on the sample) of those domains. 
In the end, it tries to connect to the following hosts:\r\nv1.flkpuod[.]ru:5796\r\nv1.iqaagar[.]ru:2919\r\nv1.fchbwme[.]ru:7533\r\n…\r\nThe command and control server responds with an AES-encrypted message that, once decrypted, contains a link to download the next stage.\r\nFigure 8 - Decryption of the response from the command and control\r\nOnce again, as the sample we found contains many hardcoded domain names, we started to monitor some of them to get an overview of the botnet.\r\nThe downloaded payload is a Mylobot sample embedded in a WillExec dropper, the same way it was distributed in 2017. We've seen Mylobot's downloader distributing other samples than Mylobot's proxy bot (Minerva shows an example), but it was quite rare.\r\nThe distribution has evolved in the way described in figure 9.\r\nFigure 9 - Execution of the downloader sample downloading Mylobot\r\nThe Mylobot sample that is downloaded hasn't evolved much over the years. The only major change is the number of command and control domains hardcoded in the binary, which went from ~1000 in the first versions to only 3 since the beginning of 2022:\r\nfywkuzp[.]ru:7432\r\ndealpatu[.]ru:8737\r\nrooftop7[.]ru:8848\r\nWe decided to get an overview of Mylobot's infrastructure. We started by looking at the 3 domain names used in the latest version of the proxy. Starting with the domain fywkuzp[.]ru, we looked at the IP addresses pointed to by the subdomains m0.fywkuzp[.]ru to m42.fywkuzp[.]ru. 
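The infrastructure work in this section is a passive-DNS pivot: subdomains to IPs, IPs back to every other hostname that used them, plus the one observation that matters most here, an IP that one domain stops using the day before another domain starts using it. As an added example (not code from the original post), the following implements both steps over constructed records; the records are modelled on the dates reported below for clients.bhproxies[.]com and up1.pseyumd[.]ru and are not real passive-DNS output, which in practice would come from a provider and be normalised to this shape.

```python
from datetime import date

# Constructed passive-DNS records (hostname, ip, first_seen, last_seen), modelled
# on the dates reported in this section. A real investigation would pull these
# from a passive-DNS provider and normalise them to this shape.
PDNS = [
    ('clients.bhproxies.com', '46.166.173.180', date(2016, 6, 22), date(2017, 9, 17)),
    ('clients.bhproxies.com', '109.236.80.135', date(2017, 9, 18), date(2018, 3, 1)),
    ('up1.pseyumd.ru',        '46.166.173.180', date(2017, 9, 18), date(2018, 2, 10)),
    ('m3.fywkuzp.ru',         '46.166.173.180', date(2017, 11, 2), date(2018, 1, 20)),
    ('w5.fywkuzp.ru',         '89.39.107.82',   date(2021, 5, 1),  date(2022, 12, 1)),
    ('m41.fywkuzp.ru',        '89.39.107.82',   date(2022, 1, 10), date(2022, 12, 31)),
    ('www.example.org',       '93.184.216.34',  date(2015, 1, 1),  date(2022, 12, 31)),
]


def registrable(hostname):
    '''Last two labels; good enough for .ru/.com, not for multi-label suffixes like .co.uk.'''
    return '.'.join(hostname.split('.')[-2:])


def pivot_from_domain(records, seed, max_hops=2):
    '''Breadth-first infrastructure pivot: every hostname under the seed's
    registrable domain -> the IPs they pointed to -> every hostname on those IPs,
    repeated max_hops times. Returns the registrable domains reached.'''
    seen = {seed}
    frontier = {seed}
    for _ in range(max_hops):
        zones = {registrable(h) for h in frontier}
        ips = {ip for h, ip, _f, _l in records if registrable(h) in zones}
        new = {h for h, ip, _f, _l in records if ip in ips} - seen
        if not new:
            break
        seen |= new
        frontier = new
    return {registrable(h) for h in seen}


def ip_handovers(records, max_gap_days=1):
    '''Find IPs that one domain stops using and another domain (different
    registrable zone) starts using within max_gap_days. Returns
    (ip, old_host, new_host, gap_in_days): the pattern that links
    clients.bhproxies.com to up1.pseyumd.ru on 46.166.173.180.'''
    found = []
    for old_host, ip, _f1, old_last in records:
        for new_host, ip2, new_first, _l2 in records:
            if ip != ip2 or registrable(old_host) == registrable(new_host):
                continue
            gap = (new_first - old_last).days
            if 0 <= gap <= max_gap_days:
                found.append((ip, old_host, new_host, gap))
    return sorted(found)
```

Two cautions when running this on real data: shared hosting means an IP overlap alone is weak evidence (the hand-over within a day is what makes the BHProxies link interesting), and the breadth-first pivot explodes on any IP that ever fronted a CDN or a shared host, so cap the hops and exclude such IPs before expanding.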
We were able to identify 25 IP addresses used between 2017 and 2022, all associated with cloud providers from the Netherlands (worldstream.nl), Lithuania (cherryservers.com) and Latvia (bite.lv).\r\nWe looked for other domain names pointing to those IP addresses. Unsurprisingly, we found other fywkuzp[.]ru subdomains using other prefixes (w5.fywkuzp[.]ru, x6.fywkuzp[.]ru, ...), and other Mylobot domains (pseyumd[.]ru, stydodo[.]ru, zdrussle[.]ru) as well.\r\nOne domain caught our attention because of its name: clients.bhproxies[.]com. From June 22, 2016 to September 17, 2017, this domain resolved to the IP address 46.166.173.180. The next day (September 18, 2017), clients.bhproxies[.]com started to resolve to 109.236.80.135, and up1.pseyumd[.]ru (a domain used by Mylobot) started to resolve to 46.166.173.180. During the following months, many Mylobot domains resolved to this IP address.\r\nFigure 10 - History of reverse DNS lookups for the IP 46.166.173.180\r\nThe website bhproxies[.]com is pretty explicit: it offers \"Backconnect residential proxies\", with IP addresses from all over the world. They mention that they can provide custom packages to clients, with up to 150,000 unique IP addresses.\r\nFigure 11 - BHProxies website\r\nWhen looking for BHProxies on search engines, a post from the BlackHatWorld forum shows up. This post was written on May 12, 2014. The post author, using the alias BHProxies, is still very active on this thread, as his last messages were posted in December 2022. The author promotes bhproxies[.]com, and provides a Telegram channel and a Skype account to discuss with potential customers. He also offers a free trial to convince users to buy his service. 
The free trial is available at the address http://clients.bhproxies.com/panel/trial.php\r\nAt this point, we cannot prove that BHProxies is linked to Mylobot, but we have a strong suspicion, since Mylobot and BHProxies used the exact same IP 46.166.173.180 within an interval of 24 hours.\r\nTo confirm our hypothesis, we tested the trial version of BHProxies. Once you enter your public IP address on the service, you receive an IP address and a list of ports to connect to.\r\nFigure 12 - BHProxies free trial\r\nFigure 13 - BHProxies trial proxies\r\nEach of those IP:port pairs is a frontend for BHProxies' residential proxies. We recovered the residential proxies' IP addresses by performing an HTTP request through each of them to a server we control and recording the source address that reached it.\r\nOf the 50 frontend proxies provided, we were able to perform an HTTP request through 48. Among these 48 recovered residential proxy IP addresses, 28 (58.3%) were already present in our sinkhole systems, associated with the Mylobot malware family. The real number is probably higher, as we don't have full visibility of the botnet. This gave us clear evidence that Mylobot-infected computers are used by the BHProxies service.\r\nThe trial proxies list is another indicator of the strong ties between BHProxies and Mylobot, since m41.fywkuzp[.]ru, one of Mylobot's proxy C2s, resolves to the IP 89.39.107[.]82:\r\nWe started sinkholing Mylobot in November 2018. At that time, Mylobot's proxy sample contained a lot of hardcoded DGA domains, so we were able to observe the majority of the botnet. 
It led us to a maximum of 250,000 unique daily infected machines at the beginning of 2020.\r\nSince the beginning of 2022, we're no longer able to get infection telemetry from the latest Mylobot version, as the sample doesn't contain unregistered DGA domains anymore. Instead, we started monitoring the Mylobot downloader's domains, which lets us keep following the evolution of Mylobot's botnet.\r\nWe are currently seeing more than 50,000 unique infected systems every day, but we believe we are only seeing part of the full botnet, which may hold more than 150,000 infected computers, as advertised by BHProxies' operators.\r\nFigure 14 - Unique Mylobot-infected systems per day\r\nFigure 15 shows the countries where the most computers infected with Mylobot are found. India appears to be the most affected country, followed by the US, Indonesia, then Iran.\r\nFigure 15 - Heat map of infected computers\r\nMylobot proxy (SHA-256)\r\n84733af3b60b966042d5cd17e12fd8d90650e0731297d203bd913dc5c663b91c\r\n11fc02dd825c8e67d58cc40a47e3f4c572097bd58c6aae80591a5fb73b9167f2\r\n392f1054815c5f805d50b60ea261210012bdda386158a1da92d992a929eb77c2\r\n03b2164da6318fff63b6cad2fc613c3d885bd65432a7b8744c2b1709f2f9a479\r\n69a36e6f12b4e9b9cd15528a068385f2311b0c540336c142aabdd73c2a2e2015\r\na63a5639d0cb6a10f7af5bd0dd30ca1800958a0f5bb47f358b6d37f51d0f0a31\r\n2ae61c8c2a8e83cde33f38b89599032a6fb455256aa414a15f2724c94d3460d2\r\n40cfb7b7fad1602276ebf3fa63514ba91be6186d5d3bd190f593bdec0b6d8d64\r\nMylobot downloader (SHA-256)\r\ncfde42903367d77ab7d5f7c2a8cfc1780872d6f1bfac42e9c2577dfd4b6cdeb2\r\nfcdb7247aa6e41ff23dc1747517a3682e5a89b41bfd0f37666d496a1d3faa4ba\r\nad53ad1d3e4ac4cc762f596af8855fd368331d9da78f35d738ae026dd778eb9f\r\nMylobot proxy C2 
IPs\r\n89.39.105.47\r\n89.38.96.140\r\n89.38.96.14\r\n217.23.12.80\r\n178.132.3.12\r\n168.119.15.229\r\n89.38.98.48\r\n49.12.128.181\r\n37.48.112.111\r\n109.236.82.28\r\n49.12.128.180\r\n144.76.8.93\r\n194.88.106.18\r\n95.211.203.197\r\n89.39.104.201\r\n95.168.169.43\r\n95.211.198.102\r\n91.229.23.112\r\n217.23.13.104\r\n95.211.140.149\r\n62.112.11.245\r\n178.132.2.82\r\n116.202.114.236\r\n217.23.12.50\r\n89.39.104.58\r\n89.38.98.47\r\n194.88.105.108\r\n109.236.83.166\r\n109.236.91.239\r\n89.39.107.92\r\n190.2.134.165\r\n217.23.8.12\r\n89.39.104.62\r\n89.39.107.82\r\nSource: https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet"
	],
	"report_names": [
		"mylobot-investigating-proxy-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775791286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e4e076d38c08f4ae2e667fac8057cfeeea9160a.pdf",
		"text": "https://archive.orkl.eu/7e4e076d38c08f4ae2e667fac8057cfeeea9160a.txt",
		"img": "https://archive.orkl.eu/7e4e076d38c08f4ae2e667fac8057cfeeea9160a.jpg"
	}
}