Please update your browser.

Our site no longer supports this browser. Using another one will help provide a better experience.


Welcome to the Lumen Newsroom

News Releases

Mylobot botnet delivers one-two punch with Khalesi malware
November 14, 2018
CenturyLink Threat Research Labs identifies new infection tactic by globally distributed malware

MONROE, La., Nov. 14, 2018 /PRNewswire/ -- With the ability to download other types of malware after infecting a computer, the Mylobot botnet is demonstrating the capability of information stealing, according to a new report from CenturyLink, Inc. (NYSE: CTL). Mylobot contains sophisticated anti-virtual machine and anti-sandboxing techniques to avoid detection and analysis, such as lying dormant for 14 days before attempting to contact the command and control server (C2). However, since being identified in June 2018, CenturyLink Threat Research Labs has observed Mylobot downloading Khalesi, a pervasive information-stealing malware family, as a second stage attack on infected hosts.

Read the CenturyLink Threat Research Labs report on Mylobot:

"What makes Mylobot so dangerous is its ability to download and execute any other type of payload the attacker wants, and we now have evidence one of those payloads is Khalesi," said Mike Benjamin, head of CenturyLink's Threat Research Labs. "By analyzing global botnet attack trends and methods, CenturyLink is better able to anticipate and respond to evolving threats like Mylobot in defense of our own network and those of our customers."

Key Takeaways

  • CenturyLink Threat Research Labs observed approximately 18,000 unique IPs communicating with Mylobot C2s.
  • The top 10 countries where the infected IPs originated were Iraq, Iran, Argentina, Russia, Vietnam, China, India, Saudi Arabia, Chile and Egypt.
  • CenturyLink blocked the Mylobot infrastructure on its network to mitigate risk to its customers and notified the providers of infected devices to help mitigate Mylobot infections.
  • For enterprises that are monitoring DNS, Mylobot can be detected through the up to 60,000 domain name system (DNS) queries infected hosts perform while attempting to contact the C2. 

Additional Resources

About CenturyLink

CenturyLink (NYSE: CTL) is the second largest U.S. communications provider to global enterprise customers. With customers in more than 60 countries and an intense focus on the customer experience, CenturyLink strives to be the world's best networking company by solving customers' increased demand for reliable and secure connections. The company also serves as its customers' trusted partner, helping them manage increased network and IT complexity and providing managed network and cyber security solutions that help protect their business.

Media Contact:
Stephanie Walkenshaw
+1 720-888-3084                                   

CenturyLink logo. (PRNewsfoto/CenturyLink, Inc.)



SOURCE CenturyLink, Inc.

Latest News
January 6, 2022

Researchers at Black Lotus Labs®, the threat intelligence team at Lumen Technologies, discovered new evidence of a months-long campaign against the Russian Ministry of Foreign Affairs (MID). The...

January 5, 2022

Lumen Technologies (NYSE: LUMN), will release its fourth quarter 2021 results on Feb. 9, 2022. The company will broadcast a live conference call on its Investor Relations website at...

January 5, 2022

The recently constructed 300,000-square foot MidAmerican Energy Company RecPlex integrates innovative technology into its design to support and enhance a variety of athletic and recreational activities—including Esports.

More news