{
	"id": "e113984f-c3ec-4f46-921c-e9d65391e6cb",
	"created_at": "2026-04-06T00:14:11.451029Z",
	"updated_at": "2026-04-10T03:20:45.496014Z",
	"deleted_at": null,
	"sha1_hash": "fdbea8df41b56a5bc75570ddbf94e4b976abd839",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 869177,
	"plain_text": "奇安信威胁情报中心\r\nArchived: 2026-04-05 20:18:10 UTC\r\nThe Mylobot botnet is a family of bot (zombie) malware that targets Windows operating systems. It has employed a large number of Fake-DGA domains to counter traditional blacklist-based detection. In 2020, we published an article titled \"Mylobot Botnet Still Active: Revealing the C2 Decryption Process,\" which described the decryption method for the embedded domains and provided insights into batch decryption. The group remains active, and we have conducted further analysis of its malware operations.\r\nThe Mylobot botnet was discovered and named by Deepinstinct in 2018. Their report focused mainly on the mylobot-proxy malware, which is primarily designed to provide network proxy functionality. Our decryption analysis in 2020 was also centered on the mylobot-proxy sample. However, mylobot-proxy is only one of the malicious programs operated by the Mylobot group; other significant malware they run includes mylobot-core and others.\r\nPacker-Shellcode\r\nAll the malware used by Mylobot is packed and loaded by Packer-Shellcode. The packer embeds the hash values of the Windows API names that the Shellcode needs during loading, and the Shellcode resolves the corresponding API addresses from these hashes.\r\nhttps://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/\r\nPage 1 of 9\r\nRC4 decryption of all-zero data yields a sequence of byte lists, and these byte lists are used as the key for logical operations against the ciphertext stored in the resources. This process produces the Shellcode and a PE file. The Shellcode creates a new process as the host process, hollows it, and maps the decrypted PE file into that process. The decrypted PE file is the next-stage malware of the Packer-Shellcode.\r\nThe purpose of packing the malware is to evade direct detection. However, the Mylobot group has not updated the packer it uses. The latest Packer-Shellcode we captured shows no significant differences from the 2017 version and has a relatively high detection rate on VT (VirusTotal).\r\nmylobot-proxy\r\nMylobot-proxy turns compromised machines into network proxy nodes, forwarding traffic according to proxy tasks issued by the C2 (Command and Control) server. This malware is the primary profit generator for the Mylobot group. Like the other components, it is loaded by the Packer-Shellcode tool, but it is controlled by a controller Loader. The loading process can be summarized in the following nested form:\r\nEarly versions of Mylobot-proxy embedded a large number of Fake-DGA domains, and the attackers registered only some of them as actual C2 (Command and Control) servers. While this approach could to some extent prevent the domains from being blacklisted, it also created another drawback: other analysts could register some of these domains and assess the scale of the botnet, or even take control of it. In our observation, the updated version of Mylobot-proxy in 2022 no longer uses the Fake-DGA technique.\r\nThe actual domain format that mylobot-proxy connects to is m\u003c0-42\u003e.\u003cC2-domain\u003e, and the m0 subdomain is particularly significant. In the instruction-processing part of mylobot-proxy there are two privileged instructions, the 7th and 8th, which download and execute new malware either from the payload that follows the instruction or from a specified URL. These two instructions are primarily used to update the mylobot-proxy software. As of March 2023, we have captured a version of mylobot-proxy that employs a unique software update mechanism. In our analysis of the three domains with m0 subdomains, we found no IP bindings associated with them, indicating that the version current as of March 2023 is still the latest mylobot-proxy.\r\nMylobot-proxy is primarily used to provide proxy functionality. Once the botnet reaches a sufficient scale, the attackers can turn these resources into a proxy service. Earlier this year, BitSight pointed out the connection between Mylobot and the bhproxies proxy service. Through our own analysis we reached the same conclusion as BitSight; the associations are as follows.\r\nThe domain client.bhproxies.com is one of the domains through which bhproxies provides its service, and its two resolved IPs point to numerous assets belonging to the Mylobot group. Additionally, the IP 89.39.107.82 serves as one of the proxy provider nodes for bhproxies and matches the resolution of the newest C2 domain, m20.onthestage[.]ru, used by the Mylobot group.\r\nIn late February 2023, the Mylobot group updated the C2 of mylobot-proxy. When tracking the connection status to the latest C2 domains, each unique IP represents a compromised machine. We observed that the botnet is expanding, as shown in the following data:\r\nmylobot-core\r\nCore is loaded by the Packer-Shellcode module and primarily serves as a downloader in the Mylobot group's attack chain, with mylobot-proxy being the main malware it distributes. Core also uses fake-dga domains, and the latest version has not removed this feature. The embedded domains are encrypted with AES, and the Key used for encryption has also appeared in mylobot-proxy. It decrypts a large number of domain-port pairs, which closely resemble the early mylobot-proxy domains, and then selects the buy1, v1 and up1 subdomains of these domains for connection.\r\nOnce successfully connected to the C2 domain, Core first sends the machine's basic information to register the bot as online. One of the fields is called \"name_id,\" a hardcoded string in the sample. It was named mylobot-core because the group had set this field to \"core\" in the past. In the samples we captured in July 2023, the id was set to \"feb23,\" which corresponds to February 23, aligning with the sample's compilation time and being relatively close to mylobot-proxy's update time. The structure of the online information is as follows:\r\nAfter the online information is sent, the server must reply with the online identifier \"\\x45\\x36\\x27\\x18\" and also send the download information for the next-stage malware. The download information is also encrypted with AES, using the same Key as the domain encryption. The next-stage malware is primarily mylobot-proxy; below is the payload information we received for the next stage:\r\nmylobot-core mainly serves as a downloader for other malware. Besides mylobot-proxy, the group has distributed other malicious software. Minerva Labs once observed the Mylobot group issuing a ransomware email sender through core's instructions. The ransom letter claimed that the attacking group had planted a Trojan on an adult website that recorded the compromised users' webcam and email address information, and that if the victims refused to pay, the attacker would send the webcam recordings to the victims' contacts, causing social humiliation. However, we have not yet detected any malware other than mylobot-proxy being distributed through mylobot-core. From this we infer that mylobot-proxy remains the main focus of the group's operations.\r\nSummary\r\nDespite having been exposed for five years, the Mylobot group is still relatively active. However, judging by its main products, mylobot-proxy and mylobot-core, there have been no significant changes in the functionality of the malware code. This has resulted in a high detection rate, making the malware easier for security measures to catch. We speculate that this is because the operational focus of the Mylobot group is selling and operating proxy services, which is supported by the frequent instructions received by mylobot-proxy. The ransomware email sender received through mylobot-core also indicates the group's involvement in other black-market activities. However, we have not yet discovered any other related incidents, and we will continue to monitor the Mylobot group's future activities.\r\nIOC\r\nDownload Server\r\nwipmania[.]net\r\nwipmsc[.]ru\r\nstcus[.]ru\r\n162.244.80.231:80\r\n212.8.242.104:80\r\n51.15.12.156:80\r\nmylobot-core (partial list)\r\nmylobot-proxy (from March 2023 to the present)\r\nonthestage[.]ru\r\nkrebson[.]ru\r\nstanislasarnoud[.]ru\r\nReference links\r\n[1]. https://mp.weixin.qq.com/s/5YBvsb_pZGq_vxDlTNatEA\r\n[2]. https://minerva-labs.com/blog/mylobot-2022-so-many-evasive-techniques-just-to-send-extortion-emails/\r\n[3]. https://www.bitsight.com/blog/mylobot-investigating-proxy-botnet\r\nSource: https://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN/"
	],
	"report_names": [
		"Analysis-of-Recent-Activities-of-the-Mylobot-Botnet-EN"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdbea8df41b56a5bc75570ddbf94e4b976abd839.pdf",
		"text": "https://archive.orkl.eu/fdbea8df41b56a5bc75570ddbf94e4b976abd839.txt",
		"img": "https://archive.orkl.eu/fdbea8df41b56a5bc75570ddbf94e4b976abd839.jpg"
	}
}