In August 2018, we began to record mass scans of phpMyAdmin systems. Scans were accompanied by bruteforcing of 159 various web shells with the command die(md5(Ch3ck1ng)). This information became the starting point of our investigation. Step by step, me and my colleagues have uncovered the whole chain of events and ultimately discovered 2 large malware campaigns ongoing since 2013. In my presentation I will give the details of this notable botnet and the whole story, from start to finish.