SystemBC long-running global proxy malware operation
Malware Activity
Summary
SystemBC is a long-running proxy malware operation that turns compromised hosts into SOCKS5 relays and is repeatedly used to support ransomware activity. New reporting says the REM Proxy service is powered by SystemBC and sells access to about 80% of the botnet, while also marketing 20,000 Mikrotik routers and other open proxies. Lumen’s Black Lotus Labs says the botnet spans over 80 C2 servers and averages 1,500 victims per day, with nearly 80% of the compromised systems being VPS hosts and some customers using the network to brute-force WordPress credentials. Researchers also describe the infrastructure as long-lived and high-volume, with victims turned into proxies for broader criminal traffic and repeated abuse across multiple proxy services.
Related Happenings
Showboat / kworker Linux post-exploitation malware activity
Malware Activity
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
Researchers tied **Showboat** / **kworker** to a stealthy **Linux post-exploitation framework** being reused across multiple Chinese threat clusters, raising concern that a shared...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
Ministry of Justice and Legal Affairs of Oman hit by network compromise
Incident
First: 06.05.2026 16:00
Last: 06.05.2026 16:00
Sources 1
About this happening:
The **Ministry of Justice and Legal Affairs of Oman** suffered an **active intrusion** that exposed **session logs** and **more than 26,000 user records**, raising risk to judicia...
ABCDoor backdoor activity in Silver Fox attacks
Malware Activity
First: 04.05.2026 14:35
Last: 04.05.2026 14:35
Sources 1
About this happening:
The newly identified **ABCDoor** backdoor is being used in **real-world attacks** by **Silver Fox**, expanding the group's malware set and increasing the risk of covert remote acc...
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Timeline
04.02.2026 18:15 3 articles · 3mo ago
Silent Push maps global SystemBC infections and Linux variant
Technical Analysis Update: Silent Push published findings linking SystemBC, also known as Coroxy or DroxiDat, to more than 10,000 infected IP addresses worldwide since 2019, including systems associated with sensitive government infrastructure. The researchers said they began systematically tracking SystemBC activity in 2025 after repeatedly seeing it ahead of ransomware incidents, then built a SystemBC-specific tracking fingerprint that exposed infections and supporting infrastructure at scale. Their analysis also identified a previously undocumented Perl variant targeting Linux with no detections across 62 antivirus engines, C2 infrastructure tied to abuse-tolerant hosting such as BTHoster and AS213790/BTCloud, and long-lived infections averaging 38 days, with some persisting for more than 100 days.
Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
- SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation — thehackernews.com — 21.04.2026 21:18
19.09.2025 17:26 1 article · 8mo ago
SystemBC powers REM Proxy and botnet leasing
Campaign Scope Update: Lumen Technologies’ Black Lotus Labs reports that REM Proxy is powered by SystemBC and sells access to about 80% of the botnet, while also marketing 20,000 Mikrotik routers and other open proxies. The same infrastructure is described as supporting over 80 C2 servers and a daily average of 1,500 victims, with nearly 80% of the compromised systems being VPS hosts and some customers using the network to brute-force WordPress credentials.
Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26