MyKings Spreader


⚠️ Overview

MyKings Spreader is a multi-component botnet and cryptocurrency miner first identified by Cisco Talos in 2016, operated by a Chinese-speaking threat group tracked as APT-C-35 or Group King. It belongs to the category of cryptojacking botnets, combining worm-like propagation with Monero (XMR) mining and credential theft.

🔧 Technical Capabilities

The malware spreads via multiple vectors including EternalBlue (MS17-010), SMB brute-force attacks, and exploitation of weak MSSQL and Redis credentials. Its C2 infrastructure uses multiple fallback domains and randomized RC4-encrypted communication. Persistence is achieved via Windows service installation, scheduled tasks, and registry Run keys. Evasion techniques include process hollowing, disabling Windows Defender using WMIC, and terminating competing miners. The spreader component drops a batch script that modifies firewall rules and disables security products.

📜 History & Notable Incidents

First documented by 360 Netlab in 2015 as a polymorphic worm, MyKings evolved to exploit EternalBlue (CVE-2017-0144) in 2017, causing massive outbreaks across Asia. In 2020, Trend Micro reported an upgraded variant targeting Linux servers via SSH brute-force. No law enforcement actions have been publicly confirmed against the group. The malware has been observed in campaigns against healthcare, education, and manufacturing sectors.

🔍 Detection Indicators

Known file hashes include SHA256: e3b0c442... (variant-dependent); specific IOCs include the mutex name "Global\MYKINGS_MUTEX" and the User-Agent string "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)". Network IOCs include outbound connections to mining pools on TCP/3333 and TCP/4444, and C2 domains such as "mykings[.]cc". Registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an "svchost.exe" in an unusual path (i.e., outside System32) are common.
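As an added example (not code from the page or from any vendor), the following Python checker applies the indicators listed above to constructed telemetry lines. The key=value line format, the sample events, and the assumption that svchost.exe legitimately lives only under System32 and SysWOW64 are mine; the mutex is written with the standard Global\ namespace separator, which I assume was dropped by extraction.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the profile above (the defanged C2 domain is refanged for matching).
MYKINGS_MUTEX = "Global\\MYKINGS_MUTEX"  # assumed: profile shows it without the backslash
MYKINGS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"
MINING_POOL_PORTS = {"3333", "4444"}
C2_DOMAINS = {"mykings.cc"}
# Assumption: on a default Windows install svchost.exe lives only in these two directories.
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def suspicious_run_key(value_data: str) -> bool:
    """True if a Run-key value launches svchost.exe from outside System32/SysWOW64."""
    m = re.search(r'([a-z]:\\[^"]*?svchost\.exe)', value_data.lower())
    return bool(m) and not m.group(1).startswith(LEGIT_SVCHOST_DIRS)

def parse_event(line: str) -> dict:
    """Parse a constructed key=value telemetry line; values containing spaces are double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def match_event(ev: dict) -> Optional[str]:
    """Return the name of the indicator the event matches, or None if it is clean."""
    kind = ev.get("type")
    if kind == "registry" and ev.get("key", "").lower().endswith("\\run"):
        return "Run key launching svchost.exe outside System32" if suspicious_run_key(ev.get("value", "")) else None
    if kind == "netconn" and ev.get("dport") in MINING_POOL_PORTS:
        return "outbound connection to mining-pool port " + ev["dport"]
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
        return "DNS lookup of known C2 domain"
    if kind == "mutex" and ev.get("name") == MYKINGS_MUTEX:
        return "MyKings mutex created"
    if kind == "http" and ev.get("ua") == MYKINGS_UA:
        return "MyKings User-Agent string (weak alone: ordinary browsers send it too)"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every telemetry line through the indicator checks; returns (line, reason) per hit."""
    results = [(line, match_event(parse_event(line))) for line in lines]
    return [(line, reason) for line, reason in results if reason]

# Constructed sample telemetry (not real captures): two benign lines, five that should fire.
SAMPLE_EVENTS = [
    'type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value="C:\\Users\\Public\\svchost.exe"',
    'type=registry key=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value="C:\\Windows\\System32\\svchost.exe -k netsvcs"',
    "type=netconn dst=203.0.113.10 dport=3333",
    "type=netconn dst=198.51.100.7 dport=443",
    "type=dns query=mykings.cc",
    "type=mutex name=Global\\MYKINGS_MUTEX",
    'type=http ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)"',
]
```

Calling `scan(SAMPLE_EVENTS)` returns the five matching lines with their reasons; the User-Agent hit should be treated as corroborating evidence only.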

☠️ Risk & Impact

MyKings primarily causes system resource degradation due to CPU/GPU mining, leading to hardware damage and increased electricity costs. Financial losses include stolen cryptocurrency wallet credentials and exfiltration of corporate credentials via keylogging. The botnet's worm-like spread can cause lateral movement across entire enterprise networks, impacting operational technology environments.

🛡️ Mitigation

Apply the MS17-010 patch, enforce strong passwords for SMB, MSSQL, and Redis services, and deploy endpoint detection rules (e.g., Sigma rule ID 4d8b5c3e) to block EternalBlue exploitation. Use network segmentation, close unnecessary ports (139, 445, 3389), and monitor outbound connections to known mining pools.
