The SystemBC proxy botnet has quietly become one of the most persistent pillars of the cybercrime ecosystem. First detected in 2019, SystemBC is less about stealth and more about scale. It maintains an average of 1,500 compromised commercial virtual private servers (VPS) around the world, providing a powerful, high-bandwidth proxy network for cybercriminal operations.
SystemBC enables a wide range of malicious activity: concealing command-and-control (C2) traffic, routing ransomware payloads, supporting brute-force campaigns against WordPress sites, and powering proxy networks like REM Proxy and VN5Socks. Researchers at Lumen’s Black Lotus Labs report that nearly 80% of its nodes are compromised VPS systems riddled with unpatched vulnerabilities—sometimes with more than 100 critical flaws per machine. This prioritization of high volume and long infection lifespans over stealth makes SystemBC a “criminal workhorse” that is hard to shut down.
Despite past disruption attempts, including law enforcement takedown operations, SystemBC has proven remarkably resilient. Its operators maintain more than 80 C2 servers and even host all 180 known SystemBC malware samples on a single infrastructure hub. The botnet has been observed pushing over 16 gigabytes of proxy data per IP in just 24 hours, an order of magnitude higher than typical proxy networks.
In this episode, we break down how SystemBC operates, who uses it, why it continues to thrive despite international crackdowns, and why it has become a cornerstone of the modern cybercrime economy.
#SystemBC #Botnet #Cybercrime #Ransomware #Malware #ProxyNetwork #CyberThreats #VPS #WordPress #ThreatIntelligence #Lumen #BlackLotusLabs
