The Evolving MyloBot Botnet

PUBLISHED ON February 24, 2023
LAST UPDATED Feb 24, 2023

What Is MyloBot? 

MyloBot is a sophisticated botnet that controls thousands of systems in Iran, Indian, the US, and Indonesia. It is now infecting more than 50,000 devices per day, according to BitSight. But BitSight also acknowledges that this is probably only part of the botnet. 50,000 is actually a reduction for this botnet first discovered in 2017, which had a peak of 250,000 unique hosts in 2020.  

What Is New With MyloBot

MyloBot’s suspected connection to BHProxies, a residential proxy service, is a new development that could make it more dangerous and difficult to detect. The ongoing attacks by and evolution of MyloBot show how botnet attacks can become more sophisticated over time. In fact, MyloBot was even used in an extortion campaign, where it demanded a ransom of $2,700 BTC to avoid leaking target information. 

How MyloBot Evades Detection 

This botnet’s activities clearly illustrate a trend ThreatX has been observing in attack data recently – multi-vector attacks – or orchestrated API and application attacks that include several phases, leverage multiple techniques, and involve evasion tactics. Taking a “low and slow” approach to avoid detection is a key tactic of MyloBot as it will sit idle for 14 days before connecting back to the command-and-control (C2) server. While idle, it has also been observed to leverage a residential proxy to avoid detection.  

In addition, researchers have seen attackers use the MyloBot botnet to carry out attacks featuring multiple tactics, including DDoS, code injection, installing ransomware, sending extortion emails, and more. Consequences of these attacks include platform outages, brand reputation, and potential revenue loss. 

To learn more about bots in API and application attacks, see our new whitepaper

To get a quick look at how ThreatX detects and blocks bot-based attacks, watch our short demo video


About the Author

Jeremy Ventura

Jeremy Ventura is a cybersecurity professional, specializing in advising organizations on information security best practices. He has years of experience in vulnerability management, email security, incident response and security center operations. At ThreatX, he is responsible for the development and presentation of thought leadership across all areas of cybersecurity. Ventura is an industry leader that can regularly be seen in media, blog posts, podcasts and at speaking events. Previously, Ventura has worked at Gong, Mimecast, Tenable and IBM, among other security organizations. Ventura holds a Master’s Degree in Cybersecurity and Homeland Security.