The SystemBC malware loader has survived a law enforcement takedown attempt and has ensnared over 10,000 machines in a botnet, cybersecurity firm Silent Push warns.
Also known as Coroxy and DroxiDat, SystemBC has been around since at least 2019 and is known for acting as a backdoor and for abusing infected machines for traffic proxying.
Historically, the malware has also been involved in the distribution of ransomware and other malicious payloads, and was targeted by authorities in May 2024 as part of Operation Endgame.
Despite the coordinated international law enforcement effort, the botnet’s activity did not cease, and its developer was seen posting updates on Russian-language underground forums, Silent Push notes.
Now, there are more than 10,000 IP addresses generating SystemBC-specific traffic, most of them in the US (4,300). Large numbers of victims were also identified in Germany (829), France (448), Singapore (419), and India (294), the cybersecurity firm says.
The malware mainly targets hosting providers, and Silent Push identified high-density IP addresses hosting official domains in Burkina Faso and Vietnam associated with SystemBC infections.
The malware is designed to turn infected machines into SOCKS5 proxies, allowing it to relay traffic, likely to hide malicious infrastructure and generate financial gain.
SystemBC uses a rotating architecture, where the clients connect to internet-exposed command-and-control (C&C) servers that proxy traffic through the infected hosts.
Analysis of the C&C communication associated with the botnet revealed the existence of a Perl-based SystemBC variant targeting Linux systems, which in turn showed that the malware’s developer is a Russian speaker.
While SystemBC is known for dropping malware on Windows systems, Silent Push’s investigation also revealed that many of the infected hosts have been involved in attacks targeting WordPress websites.
“SystemBC-associated infrastructure presents a sustained risk due to its role early in intrusion chains and its use across multiple threat actors. Proactive monitoring is critical, as activity tied to SystemBC is often a precursor to ransomware deployment and other follow-on abuse,” Silent Push notes.
Related: Google Disrupts IPIDEA Proxy Network
Related: Hugging Face Abused to Deploy Android RAT
Related: Jordanian Admits in US Court to Selling Access to 50 Enterprise Networks
Related: GoBruteforcer Botnet Targeting Crypto, Blockchain Projects
