SystemBC proxy botnet vulnerable VPS proxy-relay activity
Malware Activity
Summary
SystemBC is using a proxy botnet to recruit vulnerable commercial VPS systems and relay malicious traffic at scale. Lumen Technologies’ Black Lotus Labs says the network now spans over 80 C2 servers and averages about 1,500 victims per day, with roughly 80% of those bots coming from compromised VPS systems. The operation matters because the infected servers are used to hide C2 activity, support malicious traffic, and enable downstream abuse, including brute-forcing WordPress credentials. Researchers also tied key infrastructure to 104.250.164[.]214, which hosts artifacts and is used in victim recruitment.
Related Happenings
cPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
Campaign
First: 07.04.2026 18:51
Last: 07.04.2026 18:51
Sources 1
About this happening:
A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
FBI, DOJ, and Poland take FrostArmada infrastructure offline
Law Enforcement
First: 07.04.2026 18:51
Last: 07.04.2026 18:51
Sources 1
About this happening:
Authorities carried out a **takedown** of **FrostArmada** infrastructure, disrupting an **APT28** credential-theft operation that hijacked router traffic to steal Microsoft logins...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
Timeline
- 18.09.2025 17:35 · 3 articles
SystemBC proxy botnet targets vulnerable VPS worldwide
Initial Disclosure: SystemBC proxy botnet is targeting vulnerable commercial VPS systems worldwide and maintaining about 1,500 bots every day to relay malicious traffic and hide C2 activity. The network is built for volume, with compromised hosts averaging 20 unpatched security issues, nearly 40% staying compromised for more than a month, and roughly 80% of the bots coming from compromised VPS systems at large commercial providers. Researchers also identified 104.250.164[.]214 as a node tied to victim recruiting activity that hosts 180 SystemBC malware samples, and observed a newly infected server downloading a shell script with Russian comments that directs the bot to run every SystemBC sample at the same time.
Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26