
SystemBC Proxy Botnet Targets Vulnerable VPS Systems

📰 2 unique sources, 2 articles

Summary


The SystemBC proxy botnet operators are actively targeting vulnerable commercial virtual private servers (VPS) to maintain an average of 1,500 bots daily. These compromised servers, located globally, are used to route malicious traffic and hide command-and-control (C2) activity, making detection more challenging. SystemBC has been operational since at least 2019 and is used by various threat actors, including ransomware gangs. The botnet's infrastructure includes over 80 C2 servers and supports multiple criminal proxy networks. The operators do not prioritize stealth, leading to long infection lifetimes and extensive exploitation of unpatched vulnerabilities. The botnet's primary uses include brute-forcing WordPress credentials and providing high-volume, stable traffic for malicious activities. The REM Proxy network is powered by SystemBC, offering about 80% of the botnet to its users. It also markets a pool of 20,000 MikroTik routers and various open proxies. The botnet targets both Windows and Linux systems, with the Linux variant designed for corporate networks, cloud servers, and IoT devices. Nearly 80% of SystemBC's daily victims are compromised VPS systems from large commercial providers, with close to 40% having extremely long infection lifespans. On average, each victim has 20 unpatched CVEs and at least one critical CVE.

Timeline

  1. 18.09.2025 17:35 · 📰 2 articles · ⏱ 1d ago

    SystemBC Proxy Botnet Targets Vulnerable VPS Systems

    The SystemBC proxy botnet operators are actively targeting vulnerable commercial VPS systems to maintain an average of 1,500 bots daily. These compromised servers, located globally, are used to route malicious traffic and hide command-and-control (C2) activity, making detection more challenging. The botnet has been operational since at least 2019 and is used by various threat actors, including ransomware gangs. The botnet's infrastructure includes over 80 C2 servers and supports multiple criminal proxy networks. The operators do not prioritize stealth, leading to long infection lifetimes and extensive exploitation of unpatched vulnerabilities. The botnet's primary uses include brute-forcing WordPress credentials and providing high-volume, stable traffic for malicious activities. The REM Proxy network is powered by SystemBC, offering about 80% of the botnet to its users. It also markets a pool of 20,000 MikroTik routers and various open proxies. The botnet targets both Windows and Linux systems, with the Linux variant designed for corporate networks, cloud servers, and IoT devices. Nearly 80% of SystemBC's daily victims are compromised VPS systems from large commercial providers, with close to 40% having extremely long infection lifespans. On average, each victim has 20 unpatched CVEs and at least one critical CVE.


Similar Happenings

Subtle Snail APT Targets Global Telcos and Satellite Operators

Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).

Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428

Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).

SilentSync RAT delivered via malicious PyPI packages targeting Python developers

Two malicious packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages deliver the SilentSync remote access trojan (RAT) to Windows systems. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI. The sisaws package mimics the legitimate sisa package, while secmeasure masquerades as a security library. The trojan is designed to infect Windows systems but also supports Linux and macOS. It communicates with a command and control (C2) server to receive commands and exfiltrate data. The discovery highlights the risk of supply chain attacks within public software repositories.

Raven Stealer Infostealer Targets Chromium Browsers and Applications

A new infostealer malware, Raven Stealer, targets Chromium-based browsers and other applications to steal credentials and data. Developed in Delphi and C++, Raven Stealer is distributed via underground forums and cracked software. It uses Telegram for command-and-control and data exfiltration, making it difficult to detect. The malware harvests cookies, autofill entries, browsing history, and other sensitive information from browsers like Google Chrome and Microsoft Edge. It also steals credentials from various applications and performs real-time data exfiltration. Raven Stealer represents a persistent threat to both personal and enterprise environments. Raven Stealer is promoted via a dedicated Telegram channel and offers a streamlined user interface and support for dynamic modules. Upon execution, the malware aggregates harvested data into a well-organized format and transmits it to the threat actor. It targets browser-based authentication data, including saved passwords and session cookies, and accesses local storage paths and credential vaults to extract this data. The malware uses Telegram for exfiltration, sending stolen data through encrypted messaging channels. After exfiltration, Raven Stealer reboots into Safe Mode with Networking and uses UltraAV antivirus to delete malicious files, eliminating any trace of its activity.

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.