Windows malware sleeps for days then deploys additional payloads

Image from Deep Instinct / 

Security firm Deep Instinct recently uncovered a new malware that uses a more deceptive approach and then converts PCs to practically the hackers’ botnet. Mylobot also gives owners almost full control and spreading more damage to victims’ devices and systems.

Deep Instinct describes it as a “highly sophisticated botnet” that uses malicious techniques including anti-VMs, anti-sandbox, anti-debugging, code injection, and wrapping internal parts with an encrypted resource file. It also uses process hollowing “or a technique where an attacker creates a new process in a suspended state and replaces its image with the one that is to be hidden.” The technique called reflective EXE means “executing EXE files directly from memory, without having them on disk.”


The most alarming is its technique of delaying the full-blown attack for two weeks making it appear that the malware has been removed or is no longer active. It serves as a gateway to infiltrate the system and then deploys the other payloads. Through the control center, the owners can make the malware even more dangerous by delivering more attacks which may include DDoS, data theft, and installation of ransomware.

Deep Instinct’s investigation revealed that other malware campaigns have been coming from one command and control center and “originated from the dark web.”

Mylobot is also believed to delete other malware by first checking known folders with active malware then erases it when found. Sometimes, it also searches for specific folders of other botnets like DorkBot.


Mylobot can shut down Windows Defender and Windows Update “while blocking additional ports on the firewall.” By attacking any EXE file running from %APPDATA% folder, the malware steals and deletes all of the data in the device.

Aside from the loss of massive data, the malware can also download banking trojan, which can cause even more damage to the victims. They may have to shut down the entire system to recover what is left of or to at least prevent greater damage.

Deep Instinct said that such malware is “extremely rare” but organizations must not dismiss of possible attacks in their systems.

The method of how the malware is deployed remains unknown.