The operators behind the SystemBC proxy botnet are actively targeting vulnerable commercial virtual private servers (VPS) to maintain a network of roughly 1,500 compromised bots daily. These servers, located globally, typically contain multiple unpatched critical vulnerabilities, with some systems harboring over 100 security flaws. SystemBC, active since 2019, is used by ransomware groups and other threat actors to route malicious traffic and obscure command-and-control communications.
Researchers at Lumen’s Black Lotus Labs report that the network prioritizes volume over stealth, with infected IPs remaining openly visible. The infrastructure supports over 80 C2 servers and fuels other criminal services, including a Russian web-scraping platform and a Vietnamese proxy network called VN5Socks. A significant portion of the traffic is used for credential brute-forcing, likely for sale to code injection brokers.
Compromised VPS systems offer longer infection lifespans, with nearly 40% remaining active for more than a month. The botnet generates enormous data volumes—up to 16 GB per day from a single node—far exceeding typical proxy networks. Infection begins with a Russian-commented shell script that deploys multiple malware samples simultaneously. Despite law enforcement efforts, SystemBC remains resilient, underscoring the need for robust vulnerability management and threat detection.
