The Avzhan DDoS bot has been known since 2010, but recently we saw it in the wild again, being dropped by a Chinese drive-by attack. In this post, we'll take a deep dive into its functionality and compare the sample we captured with the one described in the past. After being deployed, the malware copies itself under a random name into a system folder and then deletes the original sample. It achieves persistence by registering itself as a Windows Service. There are no UAC bypass capabilities inside the bot, so it can only rely on external droppers for elevation.
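The persistence pattern described above (a freshly written binary in a system folder, registered as a service) is something a responder can sweep for directly. The following PowerShell triage check is an added example, not code from the original post or from the malware analysis; it assumes the default `%SystemRoot%` layout, and the 14-day window is an arbitrary threshold to adjust for the host being examined.

```powershell
# Added triage check (not from the original post): list Windows services whose
# binary lives under the system folder but is not Microsoft-signed, or was
# created recently. Assumes the default %SystemRoot% layout; the 14-day window
# is an arbitrary, adjustable threshold.
$windowDays = 14
$cutoff  = (Get-Date).AddDays(-$windowDays)
$sysRoot = $env:SystemRoot

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    if (-not $svc.PathName) { return }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = if ($svc.PathName.StartsWith('"')) {
        $svc.PathName.Split('"')[1]
    } else {
        ($svc.PathName -split ' ')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Only look at binaries inside the system folder, where the bot copies itself.
    if (-not $exe.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)) { return }
    if (-not (Test-Path -LiteralPath $exe)) { return }

    $sig  = Get-AuthenticodeSignature -FilePath $exe
    $file = Get-Item -LiteralPath $exe
    $signedByMs = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # Flag anything in the system folder that is unsigned/non-Microsoft or new.
    if (-not $signedByMs -or $file.CreationTime -gt $cutoff) {
        [pscustomobject]@{
            Service   = $svc.Name
            Display   = $svc.DisplayName
            StartMode = $svc.StartMode
            Path      = $exe
            Signature = $sig.Status
            Created   = $file.CreationTime
        }
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Expect some noise from third-party drivers and agents that legitimately install under the system folder; treat the output as a list of services to review against the install history of the host, not as a verdict.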