Find notable cyber news and cases, enriched with sources, timelines, and signals.

SystemBC long-running global proxy malware operation

Malware Activity
First reported
Last updated
Happening score
H score 40
2 unique sources, 3 articles

Summary

Hide ▲

SystemBC is a long-running proxy malware operation that turns compromised hosts into SOCKS5 relays and is repeatedly used to support ransomware activity. New reporting says the REM Proxy service is powered by SystemBC and sells access to about 80% of the botnet, while also marketing 20,000 Mikrotik routers and other open proxies. Lumen’s Black Lotus Labs says the botnet spans over 80 C2 servers and averages 1,500 victims per day, with nearly 80% of the compromised systems being VPS hosts and some customers using the network to brute-force WordPress credentials. Researchers also describe the infrastructure as long-lived and high-volume, with victims turned into proxies for broader criminal traffic and repeated abuse across multiple proxy services.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

AryStinger legacy-router reconnaissance and proxy network

Malware Activity
H score61 First: 22.06.2026 09:57 Last: 22.06.2026 09:57 Sources 1

About this happening: The **AryStinger** malware family is building a **distributed reconnaissance and proxy network** from legacy routers and NAS appliances, expanding a covert relay layer that helps...

SocGholish malware downloader hijacking WordPress sites

Malware Activity
H score57 First: 18.06.2026 16:25 Last: 18.06.2026 16:25 Sources 1

About this happening: **SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...

JDY botnet reconnaissance expansion to 1,500+ SOHO/IoT devices

Malware Activity
H score33 First: 10.06.2026 19:08 Last: 10.06.2026 19:08 Sources 1

About this happening: The **JDY botnet** has expanded to **more than 1,500 compromised SOHO/IoT devices**, making it a larger-scale **reconnaissance scanner** for exposed infrastructure and follow-on t...

Timeline

  1. 04.02.2026 18:15 3 articles · 5mo ago

    Silent Push maps global SystemBC infections and Linux variant

    Technical Analysis Update

    Silent Push published findings linking SystemBC, also known as Coroxy or DroxiDat, to more than 10,000 infected IP addresses worldwide since 2019, including systems associated with sensitive government infrastructure. The researchers said they began systematically tracking SystemBC activity in 2025 after repeatedly seeing it ahead of ransomware incidents, then built a SystemBC-specific tracking fingerprint that exposed infections and supporting infrastructure at scale. Their analysis also identified a previously undocumented Perl variant targeting Linux with no detections across 62 antivirus engines, C2 infrastructure tied to abuse-tolerant hosting such as BTHoster and AS213790/BTCloud, and long-lived infections averaging 38 days, with some persisting for more than 100 days.

    Show sources
  2. 19.09.2025 17:26 1 articles · 9mo ago

    SystemBC powers REM Proxy and botnet leasing

    Campaign Scope Update

    Lumen Technologies’ Black Lotus Labs reports that REM Proxy is powered by SystemBC and sells access to about 80% of the botnet, while also marketing 20,000 Mikrotik routers and other open proxies. The same infrastructure is described as supporting over 80 C2 servers and a daily average of 1,500 victims, with nearly 80% of the compromised systems being VPS hosts and some customers using the network to brute-force WordPress credentials.

    Show sources