Information security engineers from ESET took down a fraction of a malware botnet consisting of at least 35,000 infected Windows systems that were used secretly by criminals to mine the cryptocurrency Monero.

Before we get started, a quick definition.

A botnet is a collection of Internet-connected devices, each running one or more bots. Botnets are used to execute Distributed Denial-of-Service (DDoS) attacks, steal data, send spam and allow hackers to access the machine and its connection. Just like a puppet master, a botnet has a bot master, who uses command and control (C&C) software to control it.


The unidentified botnet is dubbed “VictoryGate” and has been operating since May 2019. Three separate types of the initial module have been found, in addition to about 10 secondary payloads that are downloaded from file sharing websites. ESET security engineers identify the initial module as MSIL/VictoryGate.

This botnet is composed mainly of devices in Latin America, specifically Peru, where over 90% of the compromised devices are located.

Alan Warburton (Security Intelligence Analyst at ESET)

VictoryGate used only subdomains registered with the dynamic DNS provider No-IP to manage its botnet. ESET reported this to No-IP, who quickly took all of the subdomains offline, taking away the attacker’s control of the bots. ESET also collaborates with the non-profit Shadowserver Foundation to exchange sinkhole records in an attempt to mitigate this security risk further.


ESET has been actively sinkholing several command and control (C&C) domains, allowing us to monitor this botnet’s activity. In the above figure you can see the number of unique IP addresses connecting to the C&C per day.

Sinkholing is a technique for manipulating data flow in a network; you redirect traffic from its intended destination to the server of your choosing. It can be used maliciously, to steer legitimate traffic away from its intended recipient, but security professionals more commonly use sinkholing as a tool for research and reacting to attacks.
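The per-day count of unique IP addresses described above can be derived from sinkhole connection logs as follows. This is an added example, not ESET's code; the log format, hostnames and addresses are constructed assumptions.

```python
"""Added example: daily unique-IP counts from sinkhole connection logs."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Assumption: the sinkhole writes one line per connection as
# "<ISO-8601 timestamp> <source IP> <requested C&C hostname>".
# Hostnames and addresses below are constructed placeholders, not real indicators.
SINKHOLED = {"cc1.example.test", "cc2.example.test"}

SAMPLE_LOG = """\
2020-04-01T23:50:12+00:00 198.51.100.7 cc1.example.test
2020-04-01T23:59:40+00:00 198.51.100.7 cc2.example.test
2020-04-01T21:30:00-05:00 203.0.113.9 cc1.example.test
2020-04-02T08:15:03+00:00 198.51.100.7 CC1.example.test
2020-04-02T09:00:00+00:00 203.0.113.20 unrelated.example.test
2020-04-02T09:01:00+00:00 not-an-ip cc1.example.test
truncated line
"""

def parse_line(line):
    """Return (utc_date, ip, host), or None for malformed or out-of-scope lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    if ts.tzinfo is None:  # refuse ambiguous local times
        return None
    host = parts[2].lower().rstrip(".")
    if host not in SINKHOLED:
        return None
    # Normalise to UTC so one connection is never split across two days.
    return ts.astimezone(timezone.utc).date().isoformat(), str(ip), host

def unique_ips_per_day(log_text):
    """Map each UTC day to the number of distinct source IPs seen that day."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec[0]].add(rec[1])
    return {day: len(ips) for day, ips in sorted(seen.items())}

if __name__ == "__main__":
    for day, count in unique_ips_per_day(SAMPLE_LOG).items():
        print(day, count)
```

Unique source IPs only approximate the number of infected machines: several hosts behind one NAT gateway count once, and a host whose address changes during the day counts more than once.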


As far as spreading is concerned, VictoryGate propagates via USB drives: when an infected drive is connected to the victim's machine, it installs a malicious payload on the system.


The victim is given a USB drive that was attached to an infected computer in the past. The drive appears to hold all of its original files, with the same names and icons, so at first glance the contents look almost the same. Behind the scenes, however, the original files have been copied to an unknown directory inside the root of the drive.

The impacts on the victim’s device are:

  • High CPU usage.
  • Overheating.
  • Slowing down of other applications.
  • Suspicious creation of files.

Affected filesystems:

For a more technical understanding, follow the link below to view the source code, payloads and MITRE ATT&CK techniques.

ESET Forensics report: