MyloBot, first detected in 2018, is known for an array of sophisticated anti-debugging capabilities and propagation techniques that rope infected machines into a botnet, as well as for removing traces of competing malware from the systems it infects.

Chief among its methods of evading detection and staying under the radar are a 14-day delay before it first contacts its command-and-control servers and the ability to execute malicious binaries directly from memory. MyloBot also uses process hollowing: a legitimate process is started in a suspended state, the memory holding its original image is unmapped, and arbitrary attacker code (in this case a decoded resource file) is written in its place before the process is resumed, so that process-based defenses see only a trusted executable name.

“The second stage executable then creates a new folder under C:\ProgramData. It looks for svchost.exe under a system directory and executes it in suspended state. Using an APC injection technique, it injects itself into the spawned svchost.exe process.”

The next phase of the infection establishes persistence on the compromised host and uses that foothold to contact a remote server, fetch and execute a payload, which in turn decodes and runs the final-stage malware.
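The chain above gives a defender two concrete things to hunt for: a legitimate svchost.exe started by a parent that runs from the C:\ProgramData staging folder (rather than by services.exe), and later outbound connections to the C2 ports listed further down this page (7432 and 9529). Since the bot waits 14 days before beaconing, the spawn indicator is usually available long before the network one. The following is an added example, not code from the report or from this page: it runs over constructed, Sysmon-style process-creation and network-connection records (field names such as parent_image and the folder name Example are assumptions, not a real schema or the real folder name) and correlates the two indicators by PID. The check for a missing "-k" service-group switch on the svchost.exe command line is a general hollowing heuristic added here, not something the report states.

```python
r"""Hunting logic for the MyloBot second-stage chain described above.

Added example, not code from the report or the page. It processes
constructed, Sysmon-like process-creation and network-connection records
(field names such as "parent_image" are assumptions) and flags:
  * svchost.exe started by a parent under C:\ProgramData (the staging
    folder quoted above) or by anything other than services.exe;
  * outbound connections to the C2 ports 7432 and 9529 listed on this
    page, escalated to high severity when the connecting PID is a
    previously flagged svchost.exe.
"""
import re
from typing import Dict, List, NamedTuple

C2_PORTS = {7432, 9529}                  # ports from the C2 table on this page
STAGING_DIR = "c:\\programdata\\"        # the second stage creates its folder here
TRUSTED_SVCHOST_PARENT = "c:\\windows\\system32\\services.exe"


class Alert(NamedTuple):
    pid: int
    rule: str
    severity: str
    detail: str


def svchost_spawn_reasons(ev: Dict) -> List[str]:
    """Return why a process_create event for svchost.exe looks like a
    hollowing/injection host; an empty list means it looks legitimate."""
    image = ev["image"].lower()
    if not image.endswith("\\svchost.exe"):
        return []
    parent = ev["parent_image"].lower()
    reasons = []
    if parent.startswith(STAGING_DIR):
        reasons.append("parent executes from C:\\ProgramData (second-stage staging folder)")
    elif parent != TRUSTED_SVCHOST_PARENT:
        reasons.append(f"unexpected parent {ev['parent_image']}")
    # Real service hosts carry a "-k <group>" switch; a bare svchost.exe
    # command line is a general hollowing heuristic, not from the report.
    if not re.search(r"\s-k\s", ev["command_line"], re.IGNORECASE):
        reasons.append("no -k service-group switch on the command line")
    return reasons


def analyze(events: List[Dict]) -> List[Alert]:
    """Single pass over chronologically ordered events, correlating a
    suspicious svchost.exe spawn with later C2-port connections by PID."""
    alerts: List[Alert] = []
    flagged_pids = set()
    for ev in events:
        if ev["type"] == "process_create":
            reasons = svchost_spawn_reasons(ev)
            if reasons:
                flagged_pids.add(ev["pid"])
                staged = ev["parent_image"].lower().startswith(STAGING_DIR)
                sev = "high" if staged else "medium"
                alerts.append(Alert(ev["pid"], "suspicious_svchost_spawn", sev, "; ".join(reasons)))
        elif ev["type"] == "network_connect" and ev["dest_port"] in C2_PORTS:
            sev = "high" if ev["pid"] in flagged_pids else "medium"
            detail = f"{ev['image']} -> {ev['dest_ip']}:{ev['dest_port']}"
            alerts.append(Alert(ev["pid"], "c2_port_connection", sev, detail))
    return alerts


# Constructed sample telemetry (TEST-NET addresses; the ProgramData
# folder name "Example" is a placeholder, the report does not name it).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1234,
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "pid": 4100,
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\ProgramData\Example\stage2.exe"},
    {"type": "network_connect", "pid": 4100,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.10", "dest_port": 7432},
    {"type": "network_connect", "pid": 1234,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},
    {"type": "network_connect", "pid": 5555,
     "image": r"C:\Program Files\Vendor\updater.exe",
     "dest_ip": "203.0.113.30", "dest_port": 9529},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.rule}: {a.detail}")
```

On the sample data the legitimate svchost.exe (PID 1234) produces nothing, the svchost.exe spawned from C:\ProgramData (PID 4100) produces a high-severity spawn alert and a high-severity C2 alert once it connects to port 7432, and the unrelated process connecting to port 9529 gets only a medium-severity port alert. In production the port match alone is a weak signal; the PID correlation is what makes it worth paging on.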

The final-stage malware abuses the endpoint to send sextortion emails that allude to the recipients’ online behaviour, such as visiting porn sites, and threaten to leak a video supposedly recorded by breaking into the victim’s webcam.

Affected Locations

Country          Number of IPs
Iraq             3,014
Iran             2,788
Argentina        2,602
Russia           1,919
Vietnam          1,786
China            1,202
India              926
Saudi Arabia       914
Chile              844
Egypt              798


Recommendations

  1. Avoid clicking links in advertisements.
  2. Use trusted antivirus software with anti-spyware features.
  3. Quarantine suspicious emails.
  4. Get your password security under control (e.g., enable 2FA).
  5. Don’t click on online pop-ups.
  6. Avoid installing third-party software from untrusted sources.
  7. Keep software patched and updated.


Command-and-Control Servers

(C2 IP and FQDN values are not given here; the port and the number of infected IPs per server are listed.)

C2 IP    Port    FQDN    Number of IPs
-        7432    -       2,675
-        7432    -       2,511
-        7432    -       2,420
-        7432    -       2,289
-        7432    -       2,259
-        7432    -       2,133
-        7432    -       2,128
-        7432    -       2,108
-        7432    -       2,082
-        7432    -       1,632
-        7432    -       1,532
-        7432    -       1,119
-        7432    -         986
-        7432    -         971
-        7432    -         943
-        7432    -         917
-        7432    -         840
-        7432    -         683
-        7432    -         666
-        9529    -         344
-        7432    -         184
-        7432    -         135