LAST UPDATED Feb 24, 2023
What Is MyloBot?
MyloBot is a sophisticated botnet that controls thousands of systems in Iran, India, the US, and Indonesia. According to BitSight, it is now infecting more than 50,000 devices per day, though BitSight also acknowledges that this figure probably covers only part of the botnet. That 50,000 is actually a decline for a botnet first discovered in 2017: it peaked at 250,000 unique hosts in 2020.
What Is New With MyloBot?
MyloBot’s suspected connection to BHProxies, a residential proxy service, is a new development that could make it more dangerous and harder to detect. The ongoing attacks by MyloBot, and its evolution, show how botnet attacks can grow more sophisticated over time. MyloBot has even been used in an extortion campaign, in which it demanded a ransom of $2,700 BTC to avoid leaking target information.
How MyloBot Evades Detection
This botnet’s activities clearly illustrate a trend ThreatX has recently been observing in attack data: multi-vector attacks, that is, orchestrated API and application attacks that unfold in several phases, leverage multiple techniques, and involve evasion tactics. A key MyloBot tactic is a “low and slow” approach to avoiding detection: it sits idle for 14 days before connecting back to the command-and-control (C2) server. While idle, it has also been observed using a residential proxy to avoid detection.
In addition, researchers have seen attackers use the MyloBot botnet to carry out attacks featuring multiple tactics, including DDoS, code injection, installing ransomware, sending extortion emails, and more. Consequences of these attacks include platform outages, damage to brand reputation, and potential revenue loss.
To learn more about bots in API and application attacks, see our new whitepaper.
To get a quick look at how ThreatX detects and blocks bot-based attacks, watch our short demo video.