Silent Push Research Finds SystemBC Botnet Operating 10,000+ Infected Proxies
Silent Push reported that the long-running SystemBC (aka Coroxy / DroxiDat) malware family has expanded into a botnet of more than 10,000 unique infected IPs globally. SystemBC primarily functions as a SOCKS5 proxy and backdoor, enabling threat actors to relay command-and-control and other malicious traffic through victim systems to obscure attribution and maintain persistent access; some variants have also been linked to ransomware-adjacent activity dating back to 2019.
The research indicates infections are concentrated in the United States (with additional hotspots including Germany, France, Singapore, and India) and includes compromises in sensitive infrastructure, such as IPs hosting government websites in Burkina Faso and Vietnam. Silent Push observed SystemBC infrastructure using abuse-tolerant/bulletproof hosting (including bthoster[.]com and AS213790 / BTCloud) and identified a previously undocumented Perl-based variant, suggesting ongoing development. Reporting also notes the botnet’s resilience following Europol’s Operation Endgame disruption efforts, with indications that operators have adapted their infrastructure and targeting to sustain long-lived infections.
Related Stories

New Botnet Research Highlights Linux SSH Compromise and SystemBC Proxy Malware at Scale
New threat research described two distinct botnet operations expanding through mass compromise. Flare reported a previously undocumented Linux botnet it dubbed **SSHStalker**, observed via an SSH honeypot and characterized by *IRC-based* command-and-control with multiple bot variants (including legacy families such as **Tsunami** and **Keiten**), automated scanning and staging (including a Golang scanner that mimics `nmap` behavior and a compile-and-run workflow), and noisy but effective persistence via `cron` jobs that can re-establish the bot within roughly a minute if it is not fully removed. The tooling also included log-tampering artifacts (e.g., `utmp/wtmp/lastlog` manipulation) and a “back-catalog” of older Linux 2.6-era exploits, suggesting the operator is targeting long-tail, poorly maintained infrastructure; Flare noted playbook similarities to **Outlaw/Maxlas**-style operations but did not claim definitive attribution. Separately, reporting on a Silent Push analysis described a large **SystemBC** (aka **Coroxy/DroxiDat**) botnet comprising **10,000+** infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as **SOCKS5 proxy malware** commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to **government-related domains** based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed. A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.
1 month ago
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
3 weeks ago
Kimwolf Botnet Abuse of Residential Proxies to Infect Devices Behind Routers
Security researchers reported explosive growth of the **Kimwolf** botnet to **2+ million infected devices** globally, with heavy concentrations including Vietnam, Brazil, India, Saudi Arabia, Russia, and the United States. Synthient assessed that roughly **two-thirds of infections are insecure Android TV boxes**, and described Kimwolf’s primary impact as large-scale abuse traffic (ad fraud, account takeover attempts, scraping) and **high-capacity DDoS** capable of disrupting major websites for extended periods. A key concern is Kimwolf’s propagation method: leveraging **residential proxy networks** to effectively tunnel “back” into home/SMB networks via proxy endpoints and then infect additional devices that users assume are protected behind NAT/firewalls and consumer routers. KrebsOnSecurity further tied operational activity to the botnet controller, a threat actor using the handle **“Dort,”** who allegedly retaliated against a vulnerability discloser and the journalist with **DDoS, doxing, email flooding**, and an apparent **SWATing** incident. Open-source and commercial intelligence cited in the reporting linked “Dort” to historical aliases (e.g., **CPacket**, **M1ce**) and to accounts on cybercrime forums, and noted prior involvement in enabling abuse tooling (e.g., CAPTCHA-bypass code and temporary email services) and presence in communities associated with cybercrime groups (including references to **LAPSUS$** chat activity).
2 weeks ago