The Black Lotus Labs team at Lumen Technologies has uncovered major new infrastructure behind the SystemBC botnet, a malware-powered proxy network that has quietly grown into one of the largest criminal proxy providers on the internet. The network is composed of over 80 command-and-control (C2) servers and maintains a daily average of 1,500 victims, nearly 80% of which are compromised VPS systems from large commercial providers.
According to the researchers, “the victims are made into proxies that enable high volumes of malicious traffic for use by a host of criminal threat groups.”
Originally documented in 2019 by Proofpoint, SystemBC was known for its commoditized SOCKS5 malware sold on underground forums and its role in facilitating ransomware distribution. Over the years, it has been used in conjunction with malware families such as IcedID and Trickbot.
But the latest Black Lotus Labs findings reveal a shift: instead of hijacking residential IP space, SystemBC operators now focus on virtual private servers (VPS). This provides massive bandwidth advantages and longer infection lifespans. The report highlights, “close to 40% [of VPS victims] stay infected for well over a month.”
One of the primary users of the SystemBC network is REM Proxy, which offers roughly 80% of the SystemBC pool to its customers. REM Proxy itself is a sizeable service, marketing access to 20,000 MikroTik routers, open proxies, and SystemBC victims.

Black Lotus Labs found that REM Proxy is directly linked to ransomware groups: “REM Proxy is a proxy service that has been leveraged by ransomware threat actors for multiple facets of their operations, including the initial distribution of phishing emails, interaction with exfiltration servers, and access to victim data.”
Other services making use of SystemBC include Russia-based proxy services, a Vietnamese proxy network, and a Russian parsing service. Collectively, these users generate enormous volumes of malicious traffic, with researchers observing a single IP producing over 16 GB of proxy data in 24 hours.
Black Lotus Labs identified both Linux and Windows variants of SystemBC malware. Each sample decrypts its embedded C2 configuration, using a combination of XOR and RC4 encryption, before establishing a persistent proxy connection.
The C2s operate within a single Autonomous System (AS), with 80 servers making up around 10% of the provider’s total network. This unusual concentration highlights the scale and centralization of SystemBC’s infrastructure.
Researchers also noted that recruitment of new bots is highly automated. One host, 104.250.164[.]214, was observed distributing over 180 samples of SystemBC malware simultaneously, forcing victims to run each copy under a different filename.
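The delivery pattern described above (one remote host serving many differently named files to a victim in a short span) can be hunted for in egress logs. The following is an added example, not code from Black Lotus Labs or the original article; the log format, host names, the `min_files` threshold and the 10-minute window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Distribution host as printed in the article (defanged).
IOC_DEFANGED = ["104.250.164[.]214"]

def refang(ioc):
    return ioc.replace("[.]", ".")

def sample_log():
    """Constructed egress log lines: '<ISO time> <src host> <dst ip> <path>'."""
    base = datetime(2025, 1, 1, 10, 0, 0)
    t = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{t(i)} vps-a 104.250.164.214 /s{i:03d}" for i in range(25)]
    lines += [f"{t(i)} vps-c 203.0.113.9 /pkg{i}" for i in range(25)]
    lines.append(f"{t(0)} vps-b 198.51.100.7 /index.html")  # benign single fetch
    lines.append(f"{t(5)} vps-d 104.250.164.214 /x")        # lone IoC contact
    return lines

def detect(lines, iocs, min_files=20, window=timedelta(minutes=10)):
    """Flag (src, dst) pairs that hit a known IoC or fetch many distinct files fast."""
    known = {refang(i) for i in iocs}
    events = defaultdict(list)  # (src, dst) -> [(timestamp, path)]
    for line in lines:
        ts, src, dst, path = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), path))
    findings = []
    for (src, dst), evs in events.items():
        evs.sort()
        best = start = 0
        for end in range(len(evs)):  # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in evs[start:end + 1]}))
        reasons = []
        if dst in known:
            reasons.append("ioc_match")
        if best >= min_files:  # assumed threshold; tune against normal traffic
            reasons.append("download_burst")
        if reasons:
            findings.append({"src": src, "dst": dst, "distinct_files": best, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in detect(sample_log(), IOC_DEFANGED):
        print(finding)
```

A burst on its own also matches legitimate package mirrors, so `download_burst` findings without an `ioc_match` need an allowlist or manual review.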
Unlike traditional botnets built on consumer IoT or residential devices, SystemBC overwhelmingly compromises VPS systems hosted at commercial providers. This means:
- Higher bandwidth and stability for criminal operations.
- Longer infection lifespans before remediation.
- Easier integration into large-scale brute force, credential harvesting, and spam campaigns.
The study warns that “nearly all victimized servers appeared to be riddled with easy to exploit vulnerabilities… with one address shown as having over 160 unpatched CVEs.”
In response, Lumen Technologies has blocked all traffic across its global network associated with SystemBC and REM Proxy infrastructure. Black Lotus Labs has also released a comprehensive list of indicators of compromise (IoCs) to aid defenders.