
SystemBC proxy botnet operators are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots a day, offering a highway for malicious traffic.
The compromised servers are located all over the world and each has at least one critical vulnerability; some are plagued with dozens of security issues.
SystemBC has been around since 2019 and has been used by various threat actors, including several ransomware gangs, to deliver payloads.
It routes the attackers' traffic through an infected host, making command-and-control (C2) activity harder to trace.
Customers of SystemBC
According to researchers at Lumen Technologies' Black Lotus Labs, the SystemBC proxy network is designed for volume with little concern for stealth. It also powers other criminal proxy networks and has "a very long average infection lifetime."
Based on the researchers' findings, neither the customers nor the SystemBC operators care about keeping a low profile, as the bots' IP addresses are not protected in any way (e.g. through obfuscation or rotation).
SystemBC has over 80 command-and-control (C2) servers that connect clients to the infected proxy servers, and it fuels other proxy network services.
A malicious service called REM Proxy relies on about 80% of SystemBC's bots, offering tiered services to its customers based on the required proxy quality.
A large Russian web-scraping service is another important SystemBC customer, as is a Vietnam-based proxy network called VN5Socks or Shopsocks5.

Source: Black Lotus Labs
However, researchers say that the SystemBC operators themselves use it the most, for brute-forcing WordPress credentials that are likely sold to brokers who inject sites with malicious code.
Targeting weak VPS
About 80% of the SystemBC network of 1,500 daily bots consists of VPS systems compromised at several "large commercial providers".
Black Lotus Labs says this allows for a long average infection lifetime, with about 40% of the systems compromised for more than a month.

All infected servers have several "easy-to-exploit" vulnerabilities, on average 20 unpatched security issues, with at least one rated critical.
Researchers also found a system in Alabama that the Censys internet intelligence platform and search engine listed with 161 security weaknesses.

Source: Black Lotus Labs
By compromising VPS systems, SystemBC provides its customers with high-volume, stable traffic that is not possible with residential proxy networks built on SOHO devices.
By running the SystemBC malware in a sandboxed environment, researchers observed a single IP address proxying 16 gigabytes of data in just 24 hours.
"This volume of data is typically an order of magnitude beyond what is seen in other proxy networks," Black Lotus Labs researchers said in a report shared with BleepingComputer.
Based on the company's global IP telemetry, one address, 104.250.164[.]214, appears to be at the core of the victim recruitment activity and also hosts all 180 SystemBC malware samples.
According to the researchers' analysis, a newly infected server downloads a shell script with comments in Russian that directs the bot to run every SystemBC sample at the same time.
The proxy network has been active for a long time and has also survived law enforcement actions such as Operation Endgame, which targeted malware droppers for several botnets including SystemBC.
Black Lotus Labs provides a detailed technical analysis of the SystemBC proxy malware, along with indicators of compromise, to help organizations identify infection attempts or disrupt the operation.


