Do you need thousands of free VMs running your code? It requires some work, but it's relatively simple if your code seems interesting. AV sandboxes around the world are offering a lot of computing power for you, and the only thing you need to do is feed them with interesting URLs. They will pick anything that resembles an executable file and run it blindly, not caring too much about potential effects.

I allowed my code to run for ~20 hours and now I can share some statistics:

- 1 entry-level machine (on me) to make my solution run,
- 10k+ IP addresses actively grabbing my exe files,
- 2M+ total downloads, and only about 10% of them not launched immediately after downloading,
- 500k+ separate machines starting an entire flow from scratch,
- 50+ different exes downloaded and launched on single sandbox VMs, only because I was curious whether it happens,
- A lot of thinking, some optimization, and 1.5k+ lines of C code.

The payload I created contacted other domain names using queries with intentionally high entropy (I have collected some details about the sandboxes' hardware, BTW), and at some point I had to throttle it down to make my server survive the storm. I used SleepEx() to make requests appear at a lower pace, but I could easily have put in some real workload to be executed if I were not such a nice person. 😇

I was able to change my code on the fly and observe the changing behavior in effect, which proves that I keep a kind of control over "my" botnet. It's easily scalable (Round Robin would work without changing a single line of code), and I observe that it gains momentum instead of slowing down.

Now it's time to analyze the gigabytes of telemetry I have collected. It will be fun for sure, but I am also thinking about how automated sandboxes actually work, and I am not sure we are heading in the right direction.
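The post mentions a payload that talks to the author's domains with intentionally high-entropy query names and collects sandbox hardware details through them. The following is an added example, not the author's code (the post does not disclose his query format): it shows in C the two halves of that pattern, the payload-side encoder that packs a small data blob into a DNS-safe base32 label, and the detection-side Shannon-entropy check a sandbox or DNS monitor can apply to flag such labels. The base32 encoding, the 16-byte "fingerprint", the minimum label length and the 3.5 bits-per-character threshold are all assumptions made for this example; log2 is implemented inline so the file links without libm.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lowercase RFC 4648 base32 alphabet: every character is legal in a DNS label,
   which is why data tunneled over DNS is commonly encoded this way (assumption:
   the article does not say which encoding the author used). */
static const char B32[] = "abcdefghijklmnopqrstuvwxyz234567";

/* Payload side: pack n bytes into one unpadded base32 label.
   Returns the label length, or 0 if out is too small. */
size_t encode_label(const unsigned char *data, size_t n, char *out, size_t outsz)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t o = 0;

    for (size_t i = 0; i < n; i++) {
        acc = (acc << 8) | data[i];
        bits += 8;
        while (bits >= 5) {
            if (o + 1 >= outsz) return 0;
            out[o++] = B32[(acc >> (bits - 5)) & 0x1f];
            bits -= 5;
        }
    }
    if (bits > 0) {                      /* flush leftover bits, zero padded */
        if (o + 1 >= outsz) return 0;
        out[o++] = B32[(acc << (5 - bits)) & 0x1f];
    }
    out[o] = '\0';
    return o;
}

/* log2 for x > 0 without libm: split off the binary exponent, then
   ln(m) = 2*atanh((m-1)/(m+1)) for the mantissa m in [1, 2). */
static double log2_of(double x)
{
    int e = 0;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return e + 2.0 * sum / 0.6931471805599453;   /* ln(m) / ln(2) */
}

/* Detection side: Shannon entropy of a label in bits per character. */
double shannon_entropy(const char *s)
{
    size_t counts[256] = {0};
    size_t len = strlen(s);
    double h = 0.0;

    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++)
        counts[(unsigned char)s[i]]++;
    for (int c = 0; c < 256; c++) {
        if (counts[c] == 0) continue;
        double p = (double)counts[c] / (double)len;
        h -= p * log2_of(p);
    }
    return h;
}

/* Flag labels that are both long and close to uniformly distributed.
   Thresholds are assumptions for this example; tune them against your own
   DNS baseline before relying on them. */
#define MIN_LABEL_LEN     16
#define ENTROPY_THRESHOLD 3.5

int is_suspicious_label(const char *label)
{
    return strlen(label) >= MIN_LABEL_LEN &&
           shannon_entropy(label) >= ENTROPY_THRESHOLD;
}

int main(void)
{
    /* Constructed 16-byte "hardware fingerprint" (CPU count, RAM, fake MAC...);
       the article does not disclose the author's real format. */
    const unsigned char fingerprint[16] = {
        0x02, 0x00, 0x08, 0x00, 0xde, 0xad, 0xbe, 0xef,
        0x13, 0x37, 0xc0, 0xff, 0xee, 0x42, 0x99, 0x7a
    };
    char label[64];
    const char *names[] = { "www", "mail", "cdn-assets-prod", label };

    encode_label(fingerprint, sizeof fingerprint, label, sizeof label);
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s entropy=%.2f suspicious=%d\n", names[i],
               shannon_entropy(names[i]), is_suspicious_label(names[i]));
    return 0;
}
```

A single-label entropy test is only a first filter: a sandbox's resolver also sees the query rate per client and the number of distinct subdomains per parent zone, which is what the SleepEx() throttling in the post was working around, so a production detector should combine all three rather than trust the entropy threshold alone.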