Partial reading of the paper's content
Nowadays, machine learning is widely used as a core component of malware detection systems. Machine learning algorithms are designed under the assumption that all datasets follow the same underlying data distribution, but the real-world malware data distribution is not stable and changes over time. By exploiting knowledge of the machine learning algorithm and the malware data concept drift problem, we show a novel learning-evasive botnet architecture and a stealthy and secure C&C mechanism. Based on the email communication channel, we construct a stealthy email-based P2P-like botnet that exploits the excellent reputation of email servers and the huge amount of benign email communication in the same channel. The experimental results show that a horizontal correlation learning algorithm has difficulty separating malicious email traffic from normal email traffic with enough confidence based on volume features and time-related features. We discuss malware data concept drift and possible defense strategies.