A sophisticated botnet called MyloBot has infected thousands of systems worldwide, with the majority of compromised devices located in India, the U.S., Indonesia, and Iran. According to cybersecurity company BitSight, the botnet is currently infecting more than 50,000 unique systems every day, down from a high of 250,000 unique hosts in 2020. MyloBot was first documented in 2018 and is known for its anti-analysis techniques and its ability to function as a downloader for other payloads.
The botnet's primary function is to establish a connection to a hard-coded command-and-control (C2) domain and await instructions, which can include downloading and executing any type of payload. To avoid detection, MyloBot also sits idle for 14 days before attempting to contact the C2 server. BitSight's analysis of MyloBot's infrastructure found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by that proxy service. The malware was also observed sending extortion emails as part of a financially motivated campaign last year.