SystemBC Turns Infected VPS Hosts Into Global Proxy Highway

SystemBC leverages vulnerable commercial VPS hosts to run a 1,500-node proxy botnet that serves scraping, proxy resale, and high-volume criminal traffic globally.

SystemBC operators are actively hunting for vulnerable commercial virtual private servers (VPS) and running a persistent proxy botnet that averages about 1,500 active bots daily. The network repurposes compromised servers worldwide to route malicious traffic, obscure command-and-control (C2) activity, and provide high-capacity proxy services to other criminal operators.

Proxy Network Scale and Customers

Researchers at Lumen Technologies' Black Lotus Labs report that SystemBC is not a boutique operation. It runs more than 80 C2 servers that connect paying clients to infected proxies. One commercial service, REM Proxy, draws on roughly 80% of SystemBC's bots to deliver its tiered proxy offering. Other known customers include a large Russian web-scraping service and a Vietnamese proxy operation identified as VN5Socks or Shopsocks5.

SystemBC's tenant list also reflects typical cybercrime demand: the botnet supports high-volume scraping, anonymized access for downstream proxy resellers, and credential harvesting services. Black Lotus Labs notes the operators themselves use the network to brute-force WordPress credentials, which are likely sold to site infection brokers who insert malicious code.

Targeting Vulnerable VPSs and Long Infection Lifetimes

Almost 80% of SystemBC's roughly 1,500 daily bots are commercial VPS systems provided by large hosting companies. Infected servers typically carry many known security flaws: the average compromised host has about 20 unpatched issues and at least one critical vulnerability. Black Lotus Labs found examples far worse; one system in Alabama showed 161 vulnerabilities on internet scanning platforms.

This choice of infrastructure gives SystemBC unusually long infection lifetimes. Nearly 40% of compromised VPS hosts remain under attacker control for more than a month, enabling stable, high-throughput proxy services that residential or SOHO proxies, which tend to be transient, cannot sustain.

Operational Behavior and Traffic Volumes

SystemBC's operators favor volume over stealth. Bots are not aggressively obfuscated or rotated, and IP addresses tied to infected hosts remain usable for large daily traffic volumes. In a simulated run, researchers observed a single SystemBC-controlled IP generate "in excess of 16 gigabytes of proxy data" in 24 hours, an order of magnitude more than typical proxy networks, the report says.

Black Lotus Labs' telemetry points to a focal IP address, 104.250.164[.]214, as a hub for recruiting victims and hosting SystemBC samples. Newly infected servers download a shell script, containing Russian-language comments, that instructs the host to run multiple SystemBC samples simultaneously. This packaged deployment enables fast scaling and mass rollout across VPS fleets.

SystemBC has been active since at least 2019 and has been tied to payload delivery for various ransomware groups and other threat actors. The botnet has withstood takedown efforts in the past, including law enforcement actions such as Operation Endgame, which targeted malware droppers shared across multiple botnets.

Research Findings and Indicators of Compromise

Black Lotus Labs published a technical analysis that details SystemBC's deployment patterns, client relationships, and the infection script behavior. The researchers also released indicators of compromise (IOCs) to help network defenders detect infected hosts and investigate unusual proxy traffic patterns. These IOCs include known C2 addresses, sample hashes, and behavioral traits observed across compromised VPS instances.
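The two detection angles the article describes, matching egress against a known SystemBC address and spotting the proxy-scale traffic volumes, can be combined in a simple flow-log triage. The following is an added example written for this page, not code from Black Lotus Labs or from the report. It only uses the one address the article names (104.250.164[.]214, refanged for matching) and the report's figure of more than 16 GB from a single IP in 24 hours as a volume threshold; the flow record format, the fan-out threshold of 50 distinct destinations, and all sample flows are constructed assumptions, and the full IOC list from the report is not reproduced here.

```python
"""Triage VPS egress flows for SystemBC-like proxy behaviour.

Added example, not from the Black Lotus Labs report. Input is a constructed
CSV-like flow export: ts,src,dst,dport,bytes_out (assumed format).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The one SystemBC address named in the article (defanged there as 104.250.164[.]214).
SYSTEMBC_IOC_IPS = {"104.250.164.214"}
# Report: one infected IP pushed "in excess of 16 gigabytes" of proxy data in 24 hours.
EGRESS_THRESHOLD_BYTES = 16 * 1024**3
# Assumption: proxy traffic fans out to many peers; a backup job does not.
FANOUT_THRESHOLD = 50
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts,src,dst,dport,bytes_out' record (assumed export format)."""
    ts, src, dst, dport, bytes_out = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(bytes_out))


def max_window_egress(flows):
    """Largest byte total in any 24h sliding window (two-pointer over sorted flows)."""
    flows = sorted(flows, key=lambda f: f.ts)
    best = total = lo = 0
    for hi, f in enumerate(flows):
        total += f.bytes_out
        while flows[hi].ts - flows[lo].ts > WINDOW:
            total -= flows[lo].bytes_out
            lo += 1
        best = max(best, total)
    return best


def assess(lines):
    """Return {src_host: [reasons]} for hosts that look like SystemBC proxies."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            flow = parse_flow(line)
            by_host[flow.src].append(flow)
    findings = {}
    for host, flows in by_host.items():
        reasons = []
        ioc_hits = sorted({f.dst for f in flows if f.dst in SYSTEMBC_IOC_IPS})
        if ioc_hits:
            reasons.append(f"contacted SystemBC infrastructure {ioc_hits}")
        egress = max_window_egress(flows)
        fanout = len({f.dst for f in flows})
        if egress > EGRESS_THRESHOLD_BYTES and fanout >= FANOUT_THRESHOLD:
            reasons.append(f"{egress / 1024**3:.1f} GiB to {fanout} destinations within 24h")
        if reasons:
            findings[host] = reasons
    return findings


def constructed_sample_flows():
    """Constructed flows (assumption, not real telemetry) covering three hosts."""
    base = datetime(2025, 9, 1, 0, 0)
    rows = []
    # 203.0.113.10: fetches from the IOC address, then pushes ~17.6 GiB to 60 peers.
    rows.append(f"{base.isoformat()},203.0.113.10,104.250.164.214,80,48212")
    for i in range(60):
        ts = base + timedelta(minutes=10 * i)
        rows.append(f"{ts.isoformat()},203.0.113.10,198.51.100.{i + 1},443,{300 * 1024**2}")
    # 203.0.113.20: 20 GiB backup to a single peer; high volume but no fan-out.
    rows.append(f"{(base + timedelta(hours=2)).isoformat()},203.0.113.20,192.0.2.5,22,{20 * 1024**3}")
    # 203.0.113.30: ordinary web server with small egress.
    for i in range(5):
        ts = base + timedelta(hours=i)
        rows.append(f"{ts.isoformat()},203.0.113.30,192.0.2.{i + 10},443,{2 * 1024**2}")
    return rows


SAMPLE_FLOWS = constructed_sample_flows()

if __name__ == "__main__":
    for host, reasons in assess(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

Run against real NetFlow or cloud flow logs, swap `parse_flow` for the exporter's actual field layout and load the published IOC list into `SYSTEMBC_IOC_IPS`; the fan-out gate is what keeps a legitimate large transfer from tripping the volume rule.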

Organizations that host VPS fleets, run public-facing services on virtual servers, or monitor traffic egress should consider the research as an operational brief on how a commercial VPS footprint can be abused at scale.
