Malware SystemBC Turns Vulnerable VPS into Proxies

Specialists at Lumen Technology have warned that the operators of the SystemBC botnet are actively exploiting vulnerable Virtual Private Servers (VPS), converting them into proxies for criminal use. On any given day, researchers observe roughly 1,500 active bots, each providing a channel for malicious activity.

Global Reach of the Botnet

According to researchers, compromised servers are scattered across the globe. All are affected by at least one unpatched critical vulnerability, while some suffer from dozens.

SystemBC, active since at least 2019, has long been a tool of choice for cybercriminals. Ransomware gangs and other threat actors have used it for payload delivery and to route traffic through infected hosts, obscuring the activity of command-and-control (C2) servers.

Built for Scale, Not Stealth

Researchers note that SystemBC is engineered to process large traffic volumes, and its operators show little concern for stealth. The botnet is also a foundation for other proxy services and is characterized by what experts call an “extremely long average infection time.”

Neither clients nor operators attempt to disguise the bots’ IP addresses. No obfuscation, rotation, or other protective measures are in place. Instead, SystemBC relies on more than 80 C2 servers to link clients with infected proxies and provide additional proxy services.

Feeding Other Proxy Networks

One such service, REM Proxy, uses SystemBC bots for 80% of its infrastructure, offering proxy access that varies in quality depending on client needs. Researchers also identified other SystemBC customers, including:

  • A large Russian-language web scraping service
  • A Vietnamese proxy network known as VN5Socks (also called Shopsocks5)

Attack Methods and Persistence

Most often, SystemBC operators use the botnet to brute-force WordPress credentials. These stolen credentials are likely sold to brokers, who then inject malicious code into legitimate websites.
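For site owners on the receiving end of this brute-forcing, the following is an added example (not from the researchers or the original article) of a check over web access logs. It assumes a combined-format log, WordPress at the web root, and stock WordPress behaviour in which a failed login returns 200 and a successful one redirects with 302; the sample lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def analyze(log_text, fail_threshold=5):
    """Return flagged source IPs with their failed-login count and whether
    a successful login followed the burst of failures."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only form submissions count as login attempts
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        entry = stats[m["ip"]]
        if m["status"] == "200":
            # Assumption: stock WordPress re-renders the form (200) on failure.
            entry["failures"] += 1
        elif m["status"] == "302" and entry["failures"] >= fail_threshold:
            # A redirect after many failures suggests a guessed password.
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= fail_threshold}

def _line(ip, method, path, status):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [01/Jan/2025:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample using documentation address ranges, not real indicators.
SAMPLE = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6   # guessing burst
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302)]     # then a success
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200)] * 2  # user typos
    + [_line("198.51.100.9", "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.44", "GET", "/wp-login.php", 200)] * 8   # page views only
)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE).items():
        note = "LOGIN SUCCEEDED, reset credentials" if s["success_after_failures"] else ""
        print(ip, s["failures"], "failed logins", note)
```

An address flagged with `success_after_failures` warrants a password reset and a review of recent changes to the site, not only a block.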

Nearly 80% of SystemBC’s infrastructure consists of compromised VPS belonging to major commercial providers. This setup extends infection lifetimes: about 40% of compromised systems remain under attacker control for more than a month.

Compared to proxies based on small office/home office (SOHO) devices, VPS compromises allow SystemBC to deliver large and stable traffic volumes. In one observed case, a single IP address generated more than 16 GB of proxy traffic in 24 hours—a scale researchers describe as “an order of magnitude greater than common proxy botnets.”

Signs of Centralized Operations

Telemetry data indicates that one IP address (104.250.164[.]214) plays a central role in the botnet’s spread. It has been linked both to scanning for new victims and to hosting all 180 observed samples of SystemBC malware.