Silent Push reported that the long-running SystemBC (aka Coroxy / DroxiDat) malware family has expanded into a botnet of more than 10,000 unique infected IPs globally. SystemBC primarily functions as a SOCKS5 proxy and backdoor, enabling threat actors to relay command-and-control and other malicious traffic through victim systems to obscure attribution and maintain persistent access; some variants have also been linked to ransomware-adjacent activity dating back to 2019.
The research indicates infections are concentrated in the United States (with additional hotspots including Germany, France, Singapore, and India) and includes compromises in sensitive infrastructure, such as IPs hosting government websites in Burkina Faso and Vietnam. Silent Push observed SystemBC infrastructure using abuse-tolerant/bulletproof hosting (including bthoster[.]com and AS213790 / BTCloud) and identified a previously undocumented Perl-based variant, suggesting ongoing development. Reporting also notes the botnet’s resilience following Europol’s Operation Endgame disruption efforts, with indications that operators have adapted their infrastructure and targeting to sustain long-lived infections.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Silent Push reported signals, including VirusTotal comments, suggesting some SystemBC-infected IPs were involved in WordPress exploitation activity, indicating the proxy network may be used to target WordPress sites.
Researchers reported a previously undocumented Linux-focused SystemBC variant written in Perl that had no VirusTotal detections at the time it was observed. They also described associated ELF droppers, including SafeObject and StringHash, used to deploy embedded payloads.
The investigation found SystemBC infections on infrastructure hosting government websites in Vietnam and Burkina Faso, indicating the botnet had reached sensitive hosting environments.
Silent Push identified 10,340 unique victim IP addresses tied to SystemBC worldwide, showing the botnet remained large and active despite prior law-enforcement disruption. The highest concentrations were observed in the United States, followed by countries including Germany, France, and Singapore.
During 2025, Silent Push created and used a tracking fingerprint for SystemBC that enabled researchers to identify victim IPs and measure infection persistence and geographic distribution.
In May 2024, Europol's Operation Endgame disrupted infrastructure associated with SystemBC, but later reporting indicates the botnet remained active afterward.
SystemBC, also known as Coroxy or DroxiDat, was first publicly documented in 2019 as a multi-platform malware family used for proxying and backdoor access on compromised systems.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcesilentpush.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.