{
	"id": "ec5ff146-5643-49fd-95a7-44cd5b990de7",
	"created_at": "2026-04-06T01:31:38.618896Z",
	"updated_at": "2026-04-10T13:13:01.959403Z",
	"deleted_at": null,
	"sha1_hash": "9961863d4269d503b6e15e2e4f68fd57a5944e17",
	"title": "Meet MyloBot, a new highly sophisticated Botnet thats out in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199751,
	"plain_text": "Meet MyloBot, a new highly sophisticated Botnet that’s out in the wild\r\nBy Dalya Guttman\r\nPublished: 2018-06-20 · Archived: 2026-04-06 00:18:43 UTC\r\nOver the past few years, we have seen various ways of spreading malicious code, one of the main infrastructures for spreading malware being the dark web.\r\nLately, we have noticed a highly complicated botnet (a number of internet-connected devices that the owner can control using command and control servers), which was detected and prevented in one of our client’s live environment and devices by our deep learning cybersecurity solution. This botnet presents three different layers of evasion techniques, including the use of command and control servers to download the final payload. The combination and complexity of these techniques had never been seen in the wild before.\r\nBotnets can theoretically perform anything, depending on the payload. The payload can vary from DDoS attacks to stealing data, and even the installation of ransomware, which can cause tremendous damage.\r\nWhat it does\r\nThis highly sophisticated botnet incorporates different malicious techniques:\r\nAnti-VM techniques\r\nAnti-sandbox techniques\r\nAnti-debugging techniques\r\nWrapping internal parts with an encrypted resource file\r\nCode injection\r\nProcess hollowing - a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden\r\nReflective EXE - executing EXE files directly from memory, without having them on disk. This kind of reflection is not very common and was first published by Deep Instinct at Black Hat USA 2016\r\nIt also has a delaying mechanism of 14 days before accessing its command and control servers.\r\nThe fact that everything takes place in memory (while executing the main business logic of the botnet in an external process using code injection) makes it even harder to detect and trace.\r\nWhen we traced the command and control server, we revealed that it was also used by other malware campaigns which originated from the dark web.\r\nThe dark web plays a critical part in the spread of malware: its rather simple accessibility of services and knowledge has made it easy for any attacker to gain many more abilities with minimum effort. The first example of this is the shared knowledge in forums: in the dark web, attackers trade methods and techniques in underground forums, thus exposing knowledge to additional malware developers.\r\nhttps://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/\r\nPage 1 of 4\r\nAnother example, which has increased in the past couple of years, is the amount of malware for sale on dark web markets. By using the dark web, anyone today can access an online market and purchase malware. Prices vary, from simple malware that costs several dollars to malware sold for hundreds of dollars as “fully undetectable”. Other than the malware itself, malware developers can purchase services that assist in the infection process. An attacker can purchase access to exploit kits, buy traffic of tens of thousands of users to a web page, or even buy a full ransomware-as-a-service for his own use.\r\nMalware vs. Malware\r\nPart of this malware’s process is terminating and deleting instances of other malware. It checks known folders that malware “lives” in (the “Application Data” folder), and if a certain file is running, it immediately terminates it and deletes its file. It even aims at specific folders of other botnets such as DorkBot.\r\nWe estimate this rare and unique behavior is motivated by money within the dark web. Attackers compete against each other to have as many “zombie computers” as possible in order to increase their value when proposing services to other attackers, especially when it comes to spreading infrastructures. The more computers, the more money an attacker can make. This is something we’re seeing here as well.\r\n[Figure: comparing the currently running processes in the list to a file located in %APPDATA% (“LoadOrd.exe” in this case)]\r\n[Figure: in case there is a match, terminate the process and delete it]\r\nThe Expected Damage\r\nOnce installed, the botnet shuts down Windows Defender and Windows Update while blocking additional ports on the firewall. It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause loss of data. The main functionality of the botnet enables an attacker to take complete control of the user’s system: it behaves as a gate to download additional payloads from the command and control servers. The expected damage here depends on the payload the attacker decides to distribute. It can vary from downloading and executing ransomware to banking trojans, among others. This can result in the loss of a tremendous amount of data and the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads also puts the enterprise at risk of leaks of sensitive data, following the risk of keylogger / banking trojan installations.\r\nAlthough this kind of complexity in the malware’s structure is extremely rare, Deep Instinct detected and prevented it on a client’s production environment. Once again, this is a true testament to the superiority of deep learning based solutions in cybersecurity warfare.\r\nFor a full detailed analysis of Mylobot, download our free research paper on botnets.\r\nSource: https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/"
	],
	"report_names": [
		"meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild"
	],
	"threat_actors": [],
	"ts_created_at": 1775439098,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9961863d4269d503b6e15e2e4f68fd57a5944e17.pdf",
		"text": "https://archive.orkl.eu/9961863d4269d503b6e15e2e4f68fd57a5944e17.txt",
		"img": "https://archive.orkl.eu/9961863d4269d503b6e15e2e4f68fd57a5944e17.jpg"
	}
}