Blog
/
Network
/
December 6, 2023

How Darktrace Triumphed Over MyKings Botnet

Darktrace has provided full visibility over the MyKings botnet kill chain from the beginning of its infections to the eventual cryptocurrency mining activity.
Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Dec 2023

Botnets: A persistent cyber threat

Since their appearance in the wild over three decades ago, botnets have consistently been the attack vector of choice for many threat actors. The most prevalent of these attack vectors are distributed denial of service (DDoS) and phishing campaigns. Their persistent nature means that even if a compromised device in identified, attackers can continue to operate by using the additional compromised devices they will likely have on the target network. Similarly, command and control (C2) infrastructure can easily be restructured between infected systems, making it increasingly difficult to remove the infection.  

MyKings Botnet

One of the most prevalent and sophisticated examples in recent years is the MyKings botnet, also known as Smominru or DarkCloud. Darktrace has observed numerous cases of MyKings botnet compromises across multiple customer environments in several different industries as far back as August 2022. The diverse tactics, techniques, and procedures (TTPs) and sophisticated kill chains employed by MyKings botnet may prove a challenge to traditional rule and signature-based detections.

However, Darktrace’s anomaly-centric approach enabled it to successfully detect a wide-range of indicators of compromise (IoCs) related to the MyKings botnet and bring immediate awareness to customer security teams, as it demonstrated on the network of multiple customers between March and August 2023.

Background on MyKings Botnet

MyKings has been active and spreading steadily since 2016 resulting in over 520,000 infections worldwide.[1] Although verified attribution of the botnet remains elusive, the variety of targets and prevalence of crypto-mining software on affected devices suggests the threat group behind the malware is financially motivated. The operators behind MyKings appear to be highly opportunistic, with attacks lacking an obvious specific target industry. Across Darktrace’s customer base, the organizations affected were representative of multiple industries such as entertainment, mining, education, information technology, health, and transportation.

Given its longevity, the MyKings botnet has unsurprisingly evolved since its first appearance years ago. Initial analyses of the botnet showed that the primary crypto-related activity on infected devices was the installation of Monero-mining software. However, in 2019 researchers discovered a new module within the MyKings malware that enabled clipboard-jacking, whereby the malware replaces a user's copied cryptowallet address with the operator's own wallet address in order to siphon funds.[2]

Similar to other botnets such as the Outlaw crypto-miner, the MyKings botnet can also kill running processes of unrelated malware on the compromised hosts that may have resulted from prior infection.[3] MyKings has also developed a comprehensive set of persistence techniques, including: the deployment of bootkits, initiating the botnet immediately after a system reboot, configuring Registry run keys, and generating multiple Scheduled Tasks and WMI listeners.[4] MyKings have also been observed rotating tools and payloads over time to propagate the botnet. For example, some operators have been observed utilizing PCShare, an open-source remote access trojan (RAT) customized to conduct C2 services, execute commands, and download mining software[5].

Darktrace Coverage

Across observed customer networks between March and August 2023, Darktrace identified the MyKings botnet primarily targeting Windows-based servers that supports services like MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and Remote Desktop (RDP).  In the initial phase of the attack, the botnet would initiate a variety of attacks against a target including brute-forcing and exploitation of unpatched vulnerabilities on exposed servers. The botnet delivers a variety of payloads to the compromised systems including worm downloaders, trojans, executable files and scripts.

This pattern of activity was detected across the network of one particular Darktrace customer in the education sector in early March 2023. Unfortunately, this customer did not have Darktrace RESPOND™ deployed on their network at the time of the attack, meaning the MyKings botnet was able to move through the cyber kill chain ultimately achieving its goal, which in this case was mining cryptocurrency.

Initial Access

On March 6, Darktrace observed an internet-facing SQL server receiving an unusually large number of incoming MySQL connections from the rare external endpoint 171.91.76[.]31 via port 1433. While it is not possible to confirm whether these suspicious connections represented the exact starting point of the infection, such a sudden influx of SQL connection from a rare external endpoint could be indicative of a malicious attempt to exploit vulnerabilities in the server's SQL database or perform password brute-forcing to gain unauthorized access. Given that MyKings typically spreads primarily through such targeting of internet-exposed devices, the pattern of activity is consistent with potential initial access by MyKings.[6]

Initial Command and Control

The device then proceeded to initiate a series of repeated HTTP connections between March 6 and March 10, to the domain www[.]back0314[.]ru (107.148.239[.]111). These connections included HTTP GET requests featuring URIs such as ‘/back.txt',  suggesting potential beaconing and C2 communication. The device continued this connectivity to the external host over the course of four days, primarily utilizing destination ports 80, and 6666. While port 80 is commonly utilized for HTTP connections, port 6666 is a non-standard port for the protocol. Such connectivity over non-standard ports can indicate potential detection evasion and obfuscation tactics by the threat actors.  During this time, the device also initiated repeated connections to additional malicious external endpoints with seemingly algorithmically generated hostnames such as pc.pc0416[.]xyz.

Darktrace UI image
Figure 1: Model breach showing details of the malicious domain generation algorithm (DGA) connections.

Tool Transfer

While this beaconing activity was taking place, the affected device also began to receive potential payloads from unusual external endpoints. On April 29, the device made an HTTP GET request for “/power.txt” to the endpoint 192.236.160[.]237, which was later discovered to have multiple open-source intelligence (OSINT) links to malware. Power.txt is a shellcode written in PowerShell which is downloaded and executed with the purpose of disabling Windows Defenders related functions.[7] After the initial script was downloaded (and likely executed), Darktrace went on to detect the device making a series of additional GET requests for several varying compressed and executable files. For example, the device made HTTP requests for '/pld/cmd.txt' to the external endpoint 104.233.224[.]173. In response the external server provided numerous files, including ‘u.exe’, and ‘upsup4.exe’ for download, both of which share file names with previously identified MyKings payloads.

MyKings deploys a diverse array of payloads to expand the botnet and secure a firm position within a compromised system. This multi-faceted approach may render conventional security measures less effective due to the intricacies of and variety of payloads involved in compromises. Darktrace, however, does not rely on static or outdated lists of IoCs in order to detect malicious activity. Instead, DETECT’s Self-Learning AI allows it to identify emerging compromise activity by recognizing the subtle deviations in an affected device’s behavior that could indicate it has fallen into the hands of malicious actors.

Figure 2: External site summary of the endpoint 103.145.106[.]242 showing the rarity of connectivity to the external host.

Achieving Objectives – Crypto-Mining

Several weeks after the initial payloads were delivered and beaconing commenced, Darktrace finally detected the initiation of crypto-mining operations. On May 27, the originally compromised server connected to the rare domain other.xmrpool[.]ru over port 1081. As seen in the domain name, this endpoint appears to be affiliated with pool mining activity and the domain has various OSINT affiliations with the cryptocurrency Monero coin. During this connection, the host was observed passing Monero credentials, activity which parallels similar mining operations observed on other customer networks that had been compromised by the MyKings botnet.

Although mining activity may not pose an immediate or urgent concern for security unauthorized cryptomining on devices can result in detrimental consequences, such as compromised hardware integrity, elevated energy costs, and reduced productivity, and even potential involvement in money laundering.

Figure 3: Event breach log showing details of the connection to the other.xmrpool[.]ru endpoint associated with cryptocurrency mining activity.

Conclusion

Detecting future iterations of the MyKings botnet will likely demand a shift away from an overreliance on traditional rules and signatures and lists of “known bads”, instead requiring organizations to employ AI-driven technology that can identify suspicious activity that represents a deviation from previously established patterns of life.

Despite the diverse range of payloads, malicious endpoints, and intricate activities that constitute a typical MyKing botnet compromise, Darktrace was able successfully detect multiple critical phases within the MyKings kill chain. Given the evolving nature of the MyKings botnet, it is highly probable the botnet will continue to expand and adapt, leveraging new tactics and technologies. By adopting Darktrace’s product of suites, including Darktrace DETECT, organizations are well-positioned to identify these evolving threats as soon as they emerge and, when coupled with the autonomous response technology of Darktrace RESPOND, threats like the MyKings botnet can be stopped in their tracks before they can achieve their ultimate goals.

Credit to: Oluwatosin Aturaka, Analyst Team Lead, Cambridge, Adam Potter, Cyber Analyst

Appendix

IoC Table

IoC - Type - Description + Confidence

162.216.150[.]108- IP - C2 Infrastructure

103.145.106[.]242 - IP - C2 Infrastructure

137.175.56[.]104 - IP - C2 Infrastructure

138.197.152[.]201 - IP - C2 Infrastructure

139.59.74[.]135 - IP - C2 Infrastructure

pc.pc0416[.]xyz - Domain - C2 Infrastructure (DGA)

other.xmrpool[.]ru - Domain - Cryptomining Endpoint

xmrpool[.]ru - Domain - Cryptomining Endpoint

103.145.106[.]55 - IP - Cryptomining Endpoint

ntuser[.]rar - Zipped File - Payload

/xmr1025[.]rar - Zipped File - Payload

/20201117[.]rar - Zipped File - Payload

wmi[.]txt - File - Payload

u[.]exe - Executable File - Payload

back[.]txt - File - Payload

upsupx2[.]exe - Executable File - Payload

cmd[.]txt - File - Payload

power[.]txt - File - Payload

ups[.]html - File - Payload

xmr1025.rar - Zipped File - Payload

171.91.76[.]31- IP - Possible Initial Compromise Endpoint

www[.]back0314[.]ru - Domain - Probable C2 Infrastructure

107.148.239[.]111 - IP - Probable C2 Infrastructure

194.67.71[.]99 - IP- Probable C2 Infrastructure

Darktrace DETECT Model Breaches

  • Device / Initial Breach Chain Compromise
  • Anomalous File / Masqueraded File Transfer (x37)
  • Compromise / Large DNS Volume for Suspicious Domain
  • Compromise / Fast Beaconing to DGA
  • Device / Large Number of Model Breaches
  • Anomalous File / Multiple EXE from Rare External Locations (x30)
  • Compromise / Beacon for 4 Days (x2)
  • Anomalous Server Activity / New User Agent from Internet Facing System
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Server Activity / New Internet Facing System
  • Anomalous File / EXE from Rare External Location (x37)
  • Device / Large Number of Connections to New Endpoints
  • Anomalous Server Activity / Server Activity on New Non-Standard Port (x3)
  • Device / Threat Indicator (x3)
  • Unusual Activity / Unusual External Activity
  • Compromise / Crypto Currency Mining Activity (x37)
  • Compliance / Internet Facing SQL Server
  • Device / Anomalous Scripts Download Followed By Additional Packages
  • Device / New User Agent

MITRE ATT&CK Mapping

ATT&CK Technique - Technique ID

Reconnaissance – T1595.002 Vulnerability Scanning

Resource Development – T1608 Stage Capabilities

Resource Development – T1588.001 Malware

Initial Access – T1190 Exploit Public-Facing Application

Command and Control – T15568.002 Domain Generated Algorithms

Command and Control – T1571 Non-Standard Port

Execution – T1047 Windows Management Instrumentation

Execution – T1059.001 Command and Scripting Interpreter

Persistence – T1542.003 Pre-OS Boot

Impact – T1496 Resource Hijacking

References

[1] https://www.binarydefense.com/resources/threat-watch/mykings-botnet-is-growing-and-remains-under-the-radar/

[2] https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-since-2019

[3] https://www.darktrace.com/blog/outlaw-returns-uncovering-returning-features-and-new-tactics

[4] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-mykings-report.pdf

[5] https://www.antiy.com/response/20190822.html

[6] https://ethicaldebuggers.com/mykings-botnet/

[7] https://ethicaldebuggers.com/mykings-botnet/

Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge

Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability

July 2, 2025
Watch the NIS2 Webinar
Trending blogs
1
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
Network
June 25, 2025

Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36)

Since 2018, Blind Eagle has targeted Latin American organizations using phishing and RATs. Darktrace detected Blind Eagle activity on a customer network involving C2 connectivity, malicious payload downloads and data exfiltration. Without Autonomous Response, the attack escalated, highlighting the need for proactive detection and response defense to counter fast-evolving threats.
Charlotte Thompson
Cyber Analyst
Read more
Network
June 17, 2025

Customer Case Study: Leading Petrochemical Manufacturer

An industry leading petrochemical manufacturer uses the Darktrace ActiveAI Security Platform to improve visibility, protect against supply chain attacks, and save the security team hundreds of hours of incident investigation.
The Darktrace Community
Read more
Network
June 16, 2025

Tracking CVE-2025-31324: Darktrace’s detection of SAP Netweaver exploitation before and after disclosure 

A critical SAP vulnerability, CVE-2025-31324, allows unauthenticated remote code execution via NetWeaver Visual Composer. Despite early mitigation guidance, many systems remain exposed. Darktrace detected exploitation attempts six days before public disclosure, highlighting the importance of proactive, threat-agnostic detection.
Signe Zaharka
Principal Cyber Analyst
Read more

Blog

/

Identity

/

July 3, 2025

Top Eight Threats to SaaS Security and How to Combat Them

Default blog imageDefault blog image

The latest on the identity security landscape

Following the mass adoption of remote and hybrid working patterns, more critical data than ever resides in cloud applications – from Salesforce and Google Workspace, to Box, Dropbox, and Microsoft 365.

On average, a single organization uses 130 different Software-as-a-Service (SaaS) applications, and 45% of organizations reported experiencing a cybersecurity incident through a SaaS application in the last year.

As SaaS applications look set to remain an integral part of the digital estate, organizations are being forced to rethink how they protect their users and data in this area.

What is SaaS security?

SaaS security is the protection of cloud applications. It includes securing the apps themselves as well as the user identities that engage with them.

Below are the top eight threats that target SaaS security and user identities.

1.  Account Takeover (ATO)

Attackers gain unauthorized access to a user’s SaaS or cloud account by stealing credentials through phishing, brute-force attacks, or credential stuffing. Once inside, they can exfiltrate data, send malicious emails, or escalate privileges to maintain persistent access.

2. Privilege escalation

Cybercriminals exploit misconfigurations, weak access controls, or vulnerabilities to increase their access privileges within a SaaS or cloud environment. Gaining admin or superuser rights allows attackers to disable security settings, create new accounts, or move laterally across the organization.

3. Lateral movement

Once inside a network or SaaS platform, attackers move between accounts, applications, and cloud workloads to expand their foot- hold. Compromised OAuth tokens, session hijacking, or exploited API connections can enable adversaries to escalate access and exfiltrate sensitive data.

4. Multi-Factor Authentication (MFA) bypass and session hijacking

Threat actors bypass MFA through SIM swapping, push bombing, or exploiting session cookies. By stealing an active authentication session, they can access SaaS environments without needing the original credentials or MFA approval.

5. OAuth token abuse

Attackers exploit OAuth authentication mechanisms by stealing or abusing tokens that grant persistent access to SaaS applications. This allows them to maintain access even if the original user resets their password, making detection and mitigation difficult.

6. Insider threats

Malicious or negligent insiders misuse their legitimate access to SaaS applications or cloud platforms to leak data, alter configurations, or assist external attackers. Over-provisioned accounts and poor access control policies make it easier for insiders to exploit SaaS environments.

7. Application Programming Interface (API)-based attacks

SaaS applications rely on APIs for integration and automation, but attackers exploit insecure endpoints, excessive permissions, and unmonitored API calls to gain unauthorized access. API abuse can lead to data exfiltration, privilege escalation, and service disruption.

8. Business Email Compromise (BEC) via SaaS

Adversaries compromise SaaS-based email platforms (e.g., Microsoft 365 and Google Workspace) to send phishing emails, conduct invoice fraud, or steal sensitive communications. BEC attacks often involve financial fraud or data theft by impersonating executives or suppliers.

BEC heavily uses social engineering techniques, tailoring messages for a specific audience and context. And with the growing use of generative AI by threat actors, BEC is becoming even harder to detect. By adding ingenuity and machine speed, generative AI tools give threat actors the ability to create more personalized, targeted, and convincing attacks at scale.

Protecting against these SaaS threats

Traditionally, security leaders relied on tools that were focused on the attack, reliant on threat intelligence, and confined to a single area of the digital estate.

However, these tools have limitations, and often prove inadequate for contemporary situations, environments, and threats. For example, they may lack advanced threat detection, have limited visibility and scope, and struggle to integrate with other tools and infrastructure, especially cloud platforms.

AI-powered SaaS security stays ahead of the threat landscape

New, more effective approaches involve AI-powered defense solutions that understand the digital business, reveal subtle deviations that indicate cyber-threats, and action autonomous, targeted responses.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

/

July 2, 2025

Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability

Default blog imageDefault blog image

Vulnerabilities are weaknesses in a system that can be exploited by malicious actors to gain unauthorized access or to disrupt normal operations. Common Vulnerabilities and Exposures (or CVEs) are a list of publicly disclosed cybersecurity vulnerabilities that can be tracked and mitigated by the security community.

When a vulnerability is discovered, the standard practice is to report it to the vendor or the responsible organization, allowing them to develop and distribute a patch or fix before the details are made public. This is known as responsible disclosure.

With a record-breaking 40,000 CVEs reported for 2024 and a predicted higher number for 2025 by the Forum for Incident Response and Security Teams (FIRST) [1], anomaly-detection is essential for identifying these potential risks. The gap between exploitation of a zero-day and disclosure of the vulnerability can sometimes be considerable, and retroactively attempting to identify successful exploitation on your network can be challenging, particularly if taking a signature-based approach.

Detecting threats without relying on CVE disclosure

Abnormal behaviors in networks or systems, such as unusual login patterns or data transfers, can indicate attempted cyber-attacks, insider threats, or compromised systems. Since Darktrace does not rely on rules or signatures, it can detect malicious activity that is anomalous even without full context of the specific device or asset in question.

For example, during the Fortinet exploitation late last year, the Darktrace Threat Research team were investigating a different Fortinet vulnerability, namely CVE 2024-23113, for exploitation when Mandiant released a security advisory around CVE 2024-47575, which aligned closely with Darktrace’s findings.

Retrospective analysis like this is used by Darktrace’s threat researchers to better understand detections across the threat landscape and to add additional context.

Below are ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

Trends in pre-cve exploitation

Often, the disclosure of an exploited vulnerability can be off the back of an incident response investigation related to a compromise by an advanced threat actor using a zero-day. Once the vulnerability is registered and publicly disclosed as having been exploited, it can kick off a race between the attacker and defender: attack vs patch.

Nation-state actors, highly skilled with significant resources, are known to use a range of capabilities to achieve their target, including zero-day use. Often, pre-CVE activity is “low and slow”, last for months with high operational security. After CVE disclosure, the barriers to entry lower, allowing less skilled and less resourced attackers, like some ransomware gangs, to exploit the vulnerability and cause harm. This is why two distinct types of activity are often seen: pre and post disclosure of an exploited vulnerability.

Darktrace saw this consistent story line play out during several of the Fortinet and PAN OS threat actor campaigns highlighted above last year, where nation-state actors were seen exploiting vulnerabilities first, followed by ransomware gangs impacting organizations [2].

The same applies with the recent SAP Netweaver exploitations being tied to a China based threat actor earlier this spring with subsequent ransomware incidents being observed [3].

Autonomous Response

Anomaly-based detection offers the benefit of identifying malicious activity even before a CVE is disclosed; however, security teams still need to quickly contain and isolate the activity.

For example, during the Ivanti chaining exploitation in the early part of 2025, a customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device.

This pre-CVE detection and response by Darktrace occurred 11 days before any public disclosure, demonstrating the value of an anomaly-based approach.

In some cases, customers have even reported that Darktrace stopped malicious exploitation of devices several days before a public disclosure of a vulnerability.

For example, During the ConnectWise exploitation, a customer informed the team that Darktrace had detected malicious software being installed via remote access. Upon further investigation, four servers were found to be impacted, while Autonomous Response had blocked outbound connections and enforced patterns of life on impacted devices.

Conclusion

By continuously analyzing behavioral patterns, systems can spot unusual activities and patterns from users, systems, and networks to detect anomalies that could signify a security breach.

Through ongoing monitoring and learning from these behaviors, anomaly-based security systems can detect threats that traditional signature-based solutions might miss, while also providing detailed insights into threat tactics, techniques, and procedures (TTPs). This type of behavioral intelligence supports pre-CVE detection, allows for a more adaptive security posture, and enables systems to evolve with the ever-changing threat landscape.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO), Emma Fougler (Global Threat Research Operations Lead), Ryan Traill (Analyst Content Lead)

References and further reading:

  1. https://www.first.org/blog/20250607-Vulnerability-Forecast-for-2025
  2. https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
  3. https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html

Related Darktrace blogs:

*Self-reported by customer, confirmed afterwards.

**Updated January 2024 blog now reflects current findings

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI