SystemBC Botnet Resurfaces with 10,000+ Infected IPs, Targeting Hosting Providers and Government Infrastructure
Researchers at Silent Push have uncovered a resurgent SystemBC botnet, now controlling over 10,340 unique infected IP addresses worldwide. The malware, first identified in 2019 as "Coroxy" or "DroxiDat," converts compromised systems into SOCKS5 proxies, enabling attackers to launch DDoS attacks and obscure malicious operations.
Scope and Persistence
The botnet maintains an average of 2,888 daily active infections, with some systems remaining compromised for over 100 days. Unlike typical consumer-focused malware, SystemBC disproportionately targets hosting providers, with top affected networks including Network Solutions, UnifiedLayer, Namecheap, GoDaddy, and IONOS. This concentration in data centers ensures high-bandwidth, persistent access for cybercriminals.
Global Distribution and High-Value Targets
The U.S. leads in infections (4,300+ IPs), followed by Germany (829), France (448), Singapore (419), and India (294). Notably, compromised IPs have been linked to government infrastructure, including:
- Vietnam’s Phutho provincial government (duchop[.]gov[.]vn on 103.28.36[.]105)
- Burkina Faso domains (196.13.207[.]92)
Many infected systems also scanned WordPress sites for vulnerabilities, suggesting ties to broader exploitation campaigns, including ransomware deployment.
Evasion and Command Infrastructure
SystemBC’s command-and-control (C2) servers rely on bulletproof hosting providers like bthoster[.]com and AS213790 (BTCloud) to resist takedowns. The malware uses RC4-encrypted custom protocols in a backconnect setup, functioning as both a backdoor and ransomware loader.
A newly discovered Perl-based Linux variant evaded detection by all 62 VirusTotal scanners, while droppers like SafeObject (SHA256: 0f5c81eaf357...) unpack to deploy 264 payloads, with Russian-language artifacts hinting at its origins. The botnet’s developer, "psevdo," continues to post updates on the underground forum forum[.]exploit[.]in, despite Europol’s 2024 Operation Endgame targeting similar threats.
Key Indicators of Compromise (IOCs)
- Perl variant SHA256: c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a
- C2 IPs: 36.255.98[.]159 (and others)
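The indicators above are printed in defanged form ("[.]" for "."), so they cannot be matched against logs as-is. The following is an added example, not code from the original report or from Silent Push: it refangs the published SystemBC indicators (the C2 IP, the two infected government IPs and the Perl-variant SHA256), extracts IP addresses and SHA256 hashes from log lines, and reports which lines touch a known indicator. The log lines themselves are constructed for the example, including the hostnames, ports and timestamps in them; the truncated SafeObject hash is deliberately left out because only a prefix is given on the page.

```python
import re

# Indicators as published on the page, kept in their defanged form.
DEFANGED_IOCS = {
    "c2_ip": ["36.255.98[.]159"],
    "infected_ip": ["103.28.36[.]105", "196.13.207[.]92"],
    "sha256": ["c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (value.replace("[.]", ".")
                 .replace("[:]", ":")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def load_iocs(defanged=DEFANGED_IOCS) -> dict:
    """Map every refanged indicator (lower-cased) to its category for O(1) lookup."""
    lookup = {}
    for category, values in defanged.items():
        for value in values:
            lookup[refang(value).lower()] = category
    return lookup


# Candidate extraction: dotted-quad IPv4 addresses and 64-hex-character SHA256 digests.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_candidates(line: str) -> set:
    """Return every IP address and SHA256 digest found in one log line."""
    return ({m.lower() for m in IP_RE.findall(line)}
            | {m.lower() for m in SHA256_RE.findall(line)})


def match_log_lines(lines, iocs=None):
    """Return (line_number, category, indicator) for each line that contains a known IOC."""
    iocs = iocs if iocs is not None else load_iocs()
    hits = []
    for number, line in enumerate(lines, 1):
        for candidate in sorted(extract_candidates(line)):
            if candidate in iocs:
                hits.append((number, iocs[candidate], candidate))
    return hits


# Constructed sample log lines (not from the page): a firewall session to the C2 IP,
# a web-server request for wp-login.php from one of the infected IPs (the WordPress
# scanning the report describes), an EDR file event carrying the Perl-variant hash,
# and a benign session to a documentation-range address.
SAMPLE_LOGS = [
    "2025-01-10T08:01:22Z fw01 ACCEPT TCP 10.0.0.5:51234 -> 36.255.98.159:4001",
    "2025-01-10T08:02:03Z web01 GET /wp-login.php from 196.13.207.92 status=200",
    "2025-01-10T08:05:40Z edr host=srv7 file=/tmp/.x.pl "
    "sha256=c729bf6ea292116b3477da4843aaeec73370e2bd46e7a27674671e9a65fb473a",
    "2025-01-10T08:06:00Z fw01 ACCEPT TCP 10.0.0.5:51235 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for number, category, indicator in match_log_lines(SAMPLE_LOGS):
        print(f"line {number}: {category} hit on {indicator}")
```

Running the block prints three hits (lines 1 to 3) and nothing for the benign fourth line. In practice the indicator set would be loaded from a feed rather than hard-coded, and a hit on the C2 address from an internal host is the one to triage first, since it implies an active backconnect session rather than inbound scanning.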
The botnet’s resilience underscores its role in DDoS operations and stealthy cyberattacks, with hosting providers and government entities remaining prime targets.
Source: https://cyberpress.org/systembc-botnet-hijacks-10000-devices/
"id": "UNINAMIONGOD1770273279",
"linkid": "unitedlayer, namecheap-inc, ionos-group, godaddy",
"type": "Cyber Attack",
"date": "7/2018",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Network Solutions',
'type': 'Hosting Provider'},
{'industry': 'Technology',
'location': 'Global',
'name': 'UnifiedLayer',
'type': 'Hosting Provider'},
{'industry': 'Technology',
'location': 'Global',
'name': 'Namecheap',
'type': 'Hosting Provider'},
{'industry': 'Technology',
'location': 'Global',
'name': 'GoDaddy',
'type': 'Hosting Provider'},
{'industry': 'Technology',
'location': 'Global',
'name': 'IONOS',
'type': 'Hosting Provider'},
{'industry': 'Public Sector',
'location': 'Vietnam',
'name': 'Vietnam’s Phutho provincial government',
'type': 'Government'},
{'industry': 'Public Sector',
'location': 'Burkina Faso',
'name': 'Burkina Faso government domains',
'type': 'Government'}],
'attack_vector': ['Compromised systems',
'SOCKS5 proxies',
'Vulnerability scanning (WordPress)'],
'data_breach': {'data_encryption': 'RC4-encrypted custom protocols'},
'description': 'Researchers at Silent Push have uncovered a resurgent '
'SystemBC botnet, now controlling over 10,340 unique infected '
'IP addresses worldwide. The malware converts compromised '
'systems into SOCKS5 proxies, enabling attackers to launch '
'DDoS attacks and obscure malicious operations. The botnet '
'disproportionately targets hosting providers and government '
'infrastructure, with infections linked to high-value targets '
'like Vietnam’s Phutho provincial government and Burkina Faso '
'domains. The malware uses RC4-encrypted custom protocols and '
'bulletproof hosting to resist takedowns.',
'impact': {'operational_impact': ['DDoS attacks', 'Stealthy cyberattacks'],
'systems_affected': '10,340+ unique infected IPs'},
'initial_access_broker': {'backdoors_established': 'SOCKS5 proxies, '
'Perl-based Linux variant',
'high_value_targets': ['Hosting providers',
'Government infrastructure']},
'investigation_status': 'Ongoing',
'motivation': ['Cybercrime', 'DDoS attacks', 'Ransomware deployment'],
'post_incident_analysis': {'root_causes': ['Vulnerability scanning '
'(WordPress)',
'Bulletproof hosting',
'RC4-encrypted protocols']},
'ransomware': {'data_encryption': 'RC4-encrypted custom protocols'},
'references': [{'source': 'Silent Push Research'},
{'source': 'forum[.]exploit[.]in',
'url': 'http://forum[.]exploit[.]in'}],
'threat_actor': 'psevdo (developer)',
'title': 'SystemBC Botnet Resurfaces with 10,000+ Infected IPs, Targeting '
'Hosting Providers and Government Infrastructure',
'type': ['Botnet', 'DDoS', 'Malware'],
'vulnerability_exploited': ['WordPress vulnerabilities']}