
SystemBC Botnet Compromises 1,500 VPS Every Day to Rent Out for DDoS Attacks

SystemBC, a resilient SOCKS5 proxy malware network first spotted in 2019, has dramatically expanded its proxy infrastructure by compromising an average of 1,500 virtual private servers (VPS) each day.

This shift from residential devices to large-scale VPS nodes grants threat actors unprecedented bandwidth and longevity for malicious traffic, enabling sustained distributed denial-of-service (DDoS) and brute-force operations while evading typical proxy network limitations.

Traditional botnet proxies rely on home routers, IoT devices, or residential endpoints with constrained bandwidth. Excessive traffic through these devices often disrupts legitimate user activity and triggers rapid detection. In contrast, SystemBC harnesses VPS systems capable of sustaining gigabyte-scale data transfers without alerting hosting providers or end users.

Black Lotus Labs at Lumen Technologies recently uncovered more than 80 command-and-control servers fueling this botnet, nearly 80 percent of which are hosted with high-capacity commercial VPS providers.

Analysis of global telemetry revealed a daily average of 1,500 systems deployed as proxies, including 300 that overlap with the GoBrut brute-forcing botnet.

Figure: Victim locations of the infected SystemBC bots.

Nearly 40 percent of these infections persist for over a month, underscoring the network’s resilience and the attackers’ disregard for stealth in favor of sheer volume.

Victim servers exhibit a stunning array of unpatched vulnerabilities—on average twenty per server, with some systems harboring more than 160 known CVEs.

Attackers exploit these flaws by probing port 443 for initial access and using callbacks over port 80 to download Russian-commented shell scripts that drop more than 180 malware samples at once.

Figure: SystemBC proxy pipeline.

The resulting proxy pipeline routes customer traffic from high-numbered entry ports through infected VPS hosts to the end targets, as illustrated by the decoded configuration and encryption routines of the Linux-variant sample.
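To make the hop structure concrete (customer, entry port, relay, target), here is an added example that is not SystemBC's code and not taken from the Lumen report: a minimal SOCKS5 CONNECT relay, a stand-in target that echoes what it receives, and a client that performs the SOCKS5 handshake and sends a payload through the relay. Everything runs on localhost with ephemeral ports, so the port numbers and the echo target are assumptions; a real proxy customer would instead point a SOCKS5-aware tool at the botnet's entry port.

```python
"""Minimal SOCKS5 CONNECT relay (no authentication, IPv4 and domain targets) on
localhost, showing how proxy traffic is handed from an entry port to a target.
Added illustration, not SystemBC code; ports and the echo target are local assumptions."""
import socket
import struct
import threading


def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS5 headers are fixed-size fields."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf


def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _socks_reply(conn, rep):
    # VER=5, REP, RSV=0, ATYP=1 (IPv4), BND.ADDR and BND.PORT zeroed
    conn.sendall(b"\x05" + bytes([rep]) + b"\x00\x01" + b"\x00" * 6)


def _handle_socks_client(conn):
    """One relay session: greeting, CONNECT request, then bidirectional copy."""
    try:
        ver, nmethods = struct.unpack("!BB", _recv_exact(conn, 2))
        methods = _recv_exact(conn, nmethods)
        if ver != 5 or 0 not in methods:        # only "no authentication" is offered here
            conn.sendall(b"\x05\xff")
            return
        conn.sendall(b"\x05\x00")
        ver, cmd, _rsv, atyp = struct.unpack("!BBBB", _recv_exact(conn, 4))
        if atyp == 1:                            # IPv4 literal
            host = socket.inet_ntoa(_recv_exact(conn, 4))
        elif atyp == 3:                          # length-prefixed domain name
            host = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode()
        else:
            _socks_reply(conn, 8)                # address type not supported
            return
        port, = struct.unpack("!H", _recv_exact(conn, 2))
        if cmd != 1:                             # CONNECT only
            _socks_reply(conn, 7)
            return
        try:
            upstream = socket.create_connection((host, port), timeout=5)
        except OSError:
            _socks_reply(conn, 5)                # connection refused
            return
        _socks_reply(conn, 0)                    # success: traffic now flows through
        t = threading.Thread(target=_pipe, args=(conn, upstream), daemon=True)
        t.start()
        _pipe(upstream, conn)
        t.join()
        upstream.close()
    except ConnectionError:
        pass
    finally:
        conn.close()


def _serve(sock, handler):
    while True:
        try:
            c, _ = sock.accept()
        except OSError:                          # listening socket closed
            return
        threading.Thread(target=handler, args=(c,), daemon=True).start()


def start_listener(handler, host="127.0.0.1"):
    """Bind an ephemeral localhost port and hand each connection to handler."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(8)
    threading.Thread(target=_serve, args=(srv, handler), daemon=True).start()
    return srv.getsockname()[1]


def _echo_target(conn):
    """Stand-in for the end target: answers with what it received."""
    with conn:
        conn.sendall(b"target saw: " + conn.recv(4096))


def socks5_connect(entry_port, dst_ip, dst_port, payload):
    """Act as the proxy customer: greeting, CONNECT, send payload, collect the reply."""
    s = socket.create_connection(("127.0.0.1", entry_port), timeout=5)
    s.sendall(b"\x05\x01\x00")                   # VER=5, one method offered: no auth
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy rejected our auth methods")
    s.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port))
    reply = _recv_exact(s, 10)                   # fixed size when ATYP=1
    if reply[1] != 0:
        s.close()
        raise ConnectionError(f"CONNECT failed, REP={reply[1]}")
    s.sendall(payload)
    s.shutdown(socket.SHUT_WR)                   # tell the relay we are done sending
    out = b""
    while chunk := s.recv(4096):
        out += chunk
    s.close()
    return out


def demo():
    target_port = start_listener(_echo_target)
    entry_port = start_listener(_handle_socks_client)
    return socks5_connect(entry_port, "127.0.0.1", target_port, b"hello via relay")


if __name__ == "__main__":
    print(demo())
```

The target only ever sees the relay's address, which is the whole point of renting such a node; the customer's own address appears nowhere past the entry port. Note that the relay opens the upstream connection only after it has validated the request, and answers with the RFC 1928 reply codes (5 for a refused connection, 7 for an unsupported command, 8 for an unsupported address type) so a client can tell the failure modes apart.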

Criminal Ecosystem and Proxy Services

Black Lotus Labs has observed SystemBC proxies integrated into multiple criminal services. Two Russia-based proxy platforms and one Vietnamese platform repurpose these bots, marketing high-volume IP pools to clients indifferent to blacklisting.

Nearly 100 percent of these VPS-based proxies eventually surface on blocklist sites, yet operators prioritize traffic capacity over evasion.

We also see extremely long average infection lifetimes, where close to 40% stay infected for well over a month.

Figure: Infection lifespan for this SystemBC botnet.

Among the most prominent users is REM Proxy, which rents approximately 80 percent of the SystemBC network. REM Proxy also aggregates 20,000 compromised MikroTik routers and open proxies it finds on the internet, offering tiered packages (Mix-Speed, Mix-Mix, and Mix-Economy) that serve reconnaissance, credential harvesting, and targeted exploitation needs.

Ransomware groups such as Morpheus and AvosLocker leverage REM Proxy for everything from phishing campaigns to exfiltration pipelines, demonstrating the service’s integral role across multiple attack vectors.

The largest use of the botnet is by the SystemBC operators themselves, using their own network to brute force WordPress credentials.

Figure: Known users of the SystemBC botnet.

Global netflow data confirms that REM Proxy users connect to nearly one hundred user-entry C2 servers, which then funnel requests to both SystemBC and MikroTik hosts. Daily screening via an auxiliary domain, honipsiops[.]in, identifies new accessible IP addresses and feeds roughly 2,500 vetted proxies into the network.

Disruption and Defensive Measures

In response to these revelations, Lumen Technologies has null-routed traffic to all known SystemBC and REM Proxy infrastructure across its global backbone.

Indicators of compromise (IoCs) have been published to facilitate community defense efforts and to sever the revenue streams of criminal proxy services.

Black Lotus Labs acknowledges the collaboration of industry partners including Spur and Infoblox for supporting this research.

Network defenders are urged to monitor for anomalous login attempts from VPS IP ranges, implement web application firewall rules to block the identified IoCs, and verify the security posture of cloud-hosted servers through services such as Censys.
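The two detections the article points at, WordPress credential brute-forcing (the operators' own largest use of the botnet, described earlier) and logins arriving from VPS address space or listed IoCs, can be checked against ordinary web server logs. The following is an added example, not Black Lotus Labs tooling: it parses Apache combined-format lines, counts failed POSTs to /wp-login.php per source within a sliding window, and tags sources that fall in hosting prefixes or on an indicator list. The log lines, the IoC set (one address) and the VPS prefixes (RFC 5737 test ranges) are all constructed for the example; in practice the IoC set is the published list and the prefixes come from provider ASN data.

```python
"""Flag WordPress login brute-forcing and suspicious login sources in access logs.
Added example, not the researchers' tooling; sample log, IoCs and prefixes are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator set; load the published IoCs here in real use.
KNOWN_IOCS = {ipaddress.ip_address("198.51.100.7")}
# Constructed hosting/VPS prefixes (RFC 5737 test networks stand in for provider ranges).
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]

# Constructed Apache combined-format lines: a login burst from a VPS address,
# a normal visitor, and one request from a listed indicator.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Oct/2024:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2024:13:55:03 +0000] "GET /index.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2024:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2024:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2024:13:55:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2024:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2024:13:55:27 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:58:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m["ip"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: [reasons]} for every source worth alerting on."""
    failed = defaultdict(list)     # ip -> timestamps of failed wp-login POSTs
    login_sources = set()          # ips that POSTed to wp-login.php at all
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        seen.add(rec["ip"])
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            login_sources.add(rec["ip"])
            # WordPress re-renders the form with 200 on a failed login and
            # answers a successful one with a 302 redirect, so 200s are failures.
            if rec["status"] == 200:
                failed[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip in seen:
        reasons = []
        if ip in KNOWN_IOCS:
            reasons.append("known_ioc")
        # Hosting space is only interesting when it is trying to log in.
        if ip in login_sources and any(ip in net for net in VPS_RANGES):
            reasons.append("vps_range")
        burst = max_in_window(failed.get(ip, []), window)
        if burst >= threshold:
            reasons.append(f"wp_login_burst:{burst}_failed_posts_in_{int(window.total_seconds())}s")
        if reasons:
            findings[str(ip)] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(ip, ", ".join(reasons))
```

The successful 302 from the listed indicator is the finding to act on first: a burst of failures is noise the operators accept, but a login that went through from a known proxy node means credentials are already in their hands. Tune `threshold` and `window` to the site's normal login rate before turning this into a WAF or fail2ban rule.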

Consumers and small-office end users should regularly update and segment SOHO routers, disable default credentials, and restrict administrative access.

As the botnet landscape shifts toward commercial-grade infrastructure, defenders must adapt by prioritizing both volume-based detection and proactive vulnerability management to safeguard against the growing threat of VPS-powered proxy networks.
