SystemBC Botnet Uncovered: 1,500 Servers Hijacked for Cybercrime
Operators of the SystemBC botnet have assembled a global network of compromised commercial virtual servers, sustaining roughly 1,500 active nodes each day. These machines have been repurposed into infrastructure for relaying malicious traffic and concealing command-and-control endpoints. Black Lotus Labs researchers note that the network's strength derives from scale rather than stealth: the infected hosts' addresses are left exposed and static, an unusual choice for a criminal proxy ecosystem, whose operators normally rotate addresses to frustrate blocklisting.
SystemBC, active since 2019, serves both as a delivery mechanism for malware and as a rental platform for other illicit services. For example, the REM Proxy service relies on approximately 80% of SystemBC’s infrastructure, offering tiered proxy products according to quality. Other prominent customers include a Russian web-scraping service and the Vietnamese VN5Socks (also known as Shopsocks5). The botnet’s operators, however, primarily exploit the network to brute-force WordPress credentials and then resell access to intermediaries who implant malicious code.
More than 80% of the compromised machines are virtual servers hosted by major providers. These hosts carry an alarmingly high density of vulnerabilities: on average around twenty unpatched security flaws per server, often including at least one rated critical. Black Lotus Labs cites a specific server in Alabama on which the Censys scanner logged 161 open vulnerabilities. Because of this poor security posture, nearly 40% of nodes remain infected for over a month, which gives the network persistent capacity and high throughput. A single compromised host can push more than 16 gigabytes of proxy traffic per day, far more than the consumer routers that make up most residential proxy farms.
The botnet's control plane comprises over 80 command servers that link clients to the abused proxies. Analysts identified a central repository at 104.250.164[.]214 that houses all 180 known SystemBC samples and serves as the staging point for newly recruited victims. Once infected, a host downloads a shell script with Russian-language comments that launches the full set of malicious components in parallel, maximizing use of the host's resources and making the foothold harder to remove in one pass. Even substantial law-enforcement interventions such as Operation Endgame have failed to dismantle the network entirely.
Black Lotus Labs observes that SystemBC’s enduring infrastructure has become the backbone for a multitude of criminal services and continues to act as a primary channel for illicit traffic. Their report includes a technical dissection of the proxy botnet and a set of indicators of compromise intended to help defenders detect infections and hinder the abuse of vulnerable servers.
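A recurring pitfall when consuming indicators from a report like this one is that they are published defanged (with `[.]` in place of `.` and `hxxp` in place of `http`), so pasting them straight into a log search silently matches nothing. The script below is an added example, not code from the Black Lotus Labs report: it refangs a small IOC list, extracts IPv4 addresses from constructed log lines, and reports the hits. The only real indicator is the sample-repository address quoted above; the second indicator (a TEST-NET-2 address) and every log line are constructed for illustration.

```python
"""Refang report IOCs and match them against log lines.

Added example for this article, not part of the Black Lotus Labs report.
Real indicator: the SystemBC sample repository 104.250.164[.]214 named in
the article. Everything else (second IOC, log lines) is constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Indicators as they typically appear in a published report: defanged so
# that they are not clickable and do not trigger URL scanners.
DEFANGED_IOCS = [
    "104.250.164[.]214",        # from the article: SystemBC sample repository
    "hxxp://198.51.100[.]23/",  # constructed placeholder (RFC 5737 TEST-NET-2)
]

# Constructed firewall/syslog-style lines. Only lines 1 and 4 should match.
SAMPLE_LOGS = [
    "Jun 02 10:14:03 vps1 kernel: OUT=eth0 SRC=10.0.0.5 DST=104.250.164.214 PROTO=TCP DPT=443",
    "Jun 02 10:14:07 vps1 kernel: OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443",
    "Jun 02 10:15:41 vps1 sshd[2231]: Accepted publickey for deploy from 10.0.0.9 port 51234",
    "Jun 02 10:16:00 vps1 curl[2290]: fetching http://198.51.100.23/setup.sh",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """Undo the common defanging conventions so the value compares literally."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return s


def ioc_hosts(defanged: Iterable[str]) -> Set[str]:
    """Refang each indicator and reduce URLs to their host component."""
    hosts = set()
    for ind in defanged:
        clean = refang(ind)
        if "://" in clean:
            clean = urlparse(clean).hostname or ""
        if clean:
            hosts.add(clean)
    return hosts


def extract_ips(line: str) -> Set[str]:
    """Return every syntactically valid IPv4 address in a log line."""
    found = set()
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)   # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        found.add(cand)
    return found


def scan_logs(lines: Iterable[str],
              iocs: Optional[Iterable[str]] = None) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line touching an IOC."""
    watch = ioc_hosts(DEFANGED_IOCS if iocs is None else iocs)
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in sorted(extract_ips(line) & watch):
            hits.append((n, ip, line))
    return hits


def naive_matches(lines: Iterable[str],
                  iocs: Optional[Iterable[str]] = None) -> int:
    """The mistake this example exists to show: substring-matching the
    defanged strings as published. Against refanged logs this finds nothing."""
    raw = list(DEFANGED_IOCS if iocs is None else iocs)
    return sum(1 for line in lines for ind in raw if ind in line)


if __name__ == "__main__":
    print("naive (defanged) matches:", naive_matches(SAMPLE_LOGS))
    for n, ip, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: IOC {ip} in: {line}")
```

Running it against the constructed lines reports two hits (the repository address in the firewall line and the constructed host in the curl line) while the naive substring check reports zero, which is exactly the failure mode seen when a defanged IOC list is pasted into a SIEM unchanged. In production the `SAMPLE_LOGS` list would be replaced by a file or stream, and `DEFANGED_IOCS` by the full indicator set from the report.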