Global distribution of IP addresses map | Image: Silent Push
A massive, silent army of compromised devices has been uncovered by researchers, revealing a sprawling botnet that has infiltrated networks across the globe—including sensitive government infrastructure. A new report from Silent Push identifies more than 10,000 unique IP addresses infected with SystemBC, a notorious proxy malware used by threat actors to hide their tracks and deploy ransomware.
The discovery paints a picture of a resilient and evolving threat. SystemBC, also known as “Coroxy” or “DroxiDat,” isn’t just a simple virus; it is a utility belt for cybercriminals, converting compromised systems into SOCKS5 proxies that mask malicious traffic.
Using a custom-built tracker, Silent Push analysts peeled back the layers of this botnet to reveal its true scale. “Our analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India,” the report states.
While the immediate damage is the compromise of the device itself, the potential for follow-on attacks is the real nightmare. Historically, SystemBC has been the precursor to devastation, often used as the bridge to deploy ransomware payloads. The report cautions: “While we don’t have immediate visibility on any follow-on malware payloads deployed via this current SystemBC botnet, historically, many threat actors have used SystemBC to deploy ransomware on compromised networks”.
Perhaps the most alarming finding is where these infections are located. This isn’t just hitting home routers; it’s hitting the halls of government.
During their investigation into Passive DNS (PADNS) data, researchers stumbled upon a critical anomaly: “infections tied to multiple government domains”.
- Vietnam: One infected host at IP address 103.28.36[.]105 was found hosting phutho.duchop[.]gov[.]vn, a Vietnamese provincial government website.
- Burkina Faso: Another infected IP, 196.13.207[.]92, was linked to domains associated with the Government of Burkina Faso in West Africa.
These compromises suggest that threat actors are using government infrastructure as “hop points” for their traffic, or worse, have established a beachhead inside these sensitive networks.
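One way a defender can reproduce the check that surfaced these findings, correlating a defanged list of infected IPs against passive-DNS observations and flagging hostnames under government suffixes, is shown below. This is an added example, not code from the Silent Push report; the two infected IPs and the phutho.duchop.gov.vn host come from the article, while the Burkina Faso hostname, the other records and the suffix list are constructed placeholders.

```python
import re
from collections import defaultdict

# Defanged infected IPs as they would appear in a threat-intel feed.
# The first two are from the report; 203.0.113[.]7 is a constructed control value.
INFECTED_IPS_DEFANGED = ["103.28.36[.]105", "196.13.207[.]92", "203.0.113[.]7"]

# Constructed passive-DNS style (hostname, ip) observations. Only the
# .gov.vn record reflects the report; the rest are illustrative placeholders.
PADNS_RECORDS = [
    ("phutho.duchop.gov.vn", "103.28.36.105"),
    ("www.example-shop.test", "103.28.36.105"),
    ("portal.example.gov.bf", "196.13.207.92"),   # placeholder, not a real finding
    ("cdn.example.net", "198.51.100.4"),           # not in the infected set
]

# Suffixes treated as government infrastructure (assumed list; extend per region).
GOV_SUFFIXES = (".gov", ".gov.vn", ".gov.bf", ".gouv.fr", ".gob.mx")


def refang(indicator: str) -> str:
    """Turn '103.28.36[.]105' or 'hxxp://' style defanged text back into a usable value."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", indicator).replace("hxxp", "http")


def is_government_domain(hostname: str) -> bool:
    """True when the hostname ends in one of the configured government suffixes."""
    host = hostname.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in GOV_SUFFIXES)


def correlate(infected_defanged, padns_records):
    """Return {ip: [government hostnames]} for infected IPs that host gov domains."""
    infected = {refang(ip) for ip in infected_defanged}
    hosts_by_ip = defaultdict(list)
    for host, ip in padns_records:
        if ip in infected:
            hosts_by_ip[ip].append(host)
    flagged = {ip: [h for h in hosts if is_government_domain(h)]
               for ip, hosts in hosts_by_ip.items()}
    return {ip: hosts for ip, hosts in flagged.items() if hosts}


if __name__ == "__main__":
    for ip, hosts in correlate(INFECTED_IPS_DEFANGED, PADNS_RECORDS).items():
        print(f"{ip} hosts government domain(s): {', '.join(hosts)}")
```

Infected IPs with no government hostnames behind them (such as the control value) are silently dropped from the result, so the output is only the anomalies worth escalating.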
In a sign of continued development, Silent Push uncovered a “previously undocumented SystemBC variant written in Perl”. This evolution indicates that the group behind SystemBC is actively refining their toolkit to evade detection and maintain their grip on infected systems.
To keep this massive network alive, the operators rely on “bulletproof” hosting providers—services that ignore abuse complaints and protect criminal infrastructure. The investigation observed SystemBC command-and-control (C2) servers leveraging “abuse-tolerant bulletproof hosting, including BTHoster (bthoster[.]com) and AS213790 (BTCloud)”.
Furthermore, the report notes a disturbing trend in how these proxies are being used: “Many infected IP addresses have been reported in VirusTotal comments for engaging in WordPress exploitation activity”. This suggests that the botnet is actively being rented out or used to launch further attacks against vulnerable websites.