SystemBC resurfaces as resilient proxy botnet, infecting over 10,000 hosts

Security researchers report that the SystemBC loader, a long-running malware family, has reconstituted a global proxy network despite a coordinated takedown effort. The botnet now produces SystemBC-specific network activity from over ten thousand distinct addresses, with the largest concentration observed in the United States and notable clusters in Germany, France, Singapore and India. Unlike simple information-stealers, this malware converts host machines into SOCKS5 relay points, letting operators obfuscate command-and-control links and funnel illicit traffic through victims. Silent Push’s analysis uncovered a multi-platform footprint, including a Perl-based variant aimed at Linux systems, and identified infections concentrated on hosting providers that expose domains tied to the campaign. The pattern of activity and timing suggest the loader is used as an initial foothold tool and as an anonymizing chassis for follow-on payloads, including ransomware distribution and website-targeting attacks against WordPress instances. Traces on underground forums indicate active development and updates, implying the author or operators have remained engaged after the May disruption. The persistence of this infrastructure demonstrates that sinkholing or takedown operations, while disruptive, do not always eliminate the operational capacity of distributed malware ecosystems. For defenders, the combination of high-volume proxying and hosting-provider compromise raises detection challenges: outbound proxy traffic can blend into legitimate service flows, and common web hosting environments can amplify reach. Proactive network-level monitoring for SOCKS5 proxy behaviors, close scrutiny of hosting-originated anomalies, and rapid takedown coordination with providers are recommended mitigations. The resurgence also carries practical intelligence value: the multi-country distribution and language artifacts in binaries and forum posts point to a Russian-speaking actor, which may help narrow attribution and inform threat-hunting priorities. Ultimately, the episode underlines a tactical shift where resilient, service-abusing loaders become reusable infrastructure for multiple criminal groups rather than one-off tools tied to a single campaign.