Mallory

New Botnet Research Highlights Linux SSH Compromise and SystemBC Proxy Malware at Scale

Tags: botnet, proxy malware, linux exploits, ssh honeypot, systembc, ransomware, nmap, linux, socks5, ssh, passive dns, log tampering, utmp
Updated February 11, 2026 at 05:01 PM · 4 sources


New threat research described two distinct botnet operations expanding through mass compromise. Flare reported a previously undocumented Linux botnet it dubbed SSHStalker, observed via an SSH honeypot and characterized by IRC-based command-and-control with multiple bot variants (including legacy families such as Tsunami and Keiten), automated scanning and staging (including a Golang scanner that mimics nmap-style scanning and a compile-and-run workflow), and noisy but effective persistence via cron jobs that can re-establish the bot within roughly a minute if it is not fully removed. The tooling also included log-tampering artifacts (e.g., utmp/wtmp/lastlog manipulation) and a “back-catalog” of older Linux 2.6-era exploits, suggesting the operator targets long-tail, poorly maintained infrastructure; Flare noted playbook similarities to Outlaw/Maxlas-style operations but did not claim definitive attribution.

Separately, reporting on a Silent Push analysis described a large SystemBC (aka Coroxy/DroxiDat) botnet comprising 10,000+ infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as SOCKS5 proxy malware commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to government-related domains based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed. A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.
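The utmp/wtmp/lastlog manipulation mentioned above leaves structural traces that a defender can check for. The following is an added example written for this summary, not code from Flare, Silent Push or any of the cited reports: it parses the binary `wtmp` login record format and flags three tamper signatures (a zeroed-out record sitting between live entries, a logout record with no preceding login on the same terminal line, and a timestamp that runs backwards). It assumes the 384-byte glibc `struct utmp` layout on x86_64 Linux; the sample records at the bottom are constructed for the demonstration.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Assumption: glibc struct utmp on x86_64 (384 bytes, little-endian, no padding
# beyond the two bytes after ut_type). Other architectures differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


@dataclass
class Record:
    ut_type: int
    pid: int
    line: str   # terminal line, e.g. pts/0
    user: str
    host: str
    ts: int     # ut_tv.tv_sec


def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width C string field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data: bytes) -> list[Record]:
    """Unpack every complete 384-byte record; trailing partial bytes are ignored."""
    recs = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        # f: type, pid, line, id, user, host, e_term, e_exit, session, tv_sec, tv_usec, addr, unused
        recs.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]), f[9]))
    return recs


def audit_wtmp(data: bytes) -> list[str]:
    """Return human-readable findings that suggest the file was edited after the fact."""
    findings: list[str] = []
    if len(data) % UTMP_SIZE:
        findings.append(f"trailing {len(data) % UTMP_SIZE} bytes: file truncated or partially overwritten")
    open_lines: set[str] = set()   # terminals with a login but no logout yet
    last_ts = 0
    seen_live = False
    for i, r in enumerate(parse_wtmp(data)):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if raw == b"\0" * UTMP_SIZE:
            # Log cleaners that "remove" a login often just null the record in place.
            if seen_live:
                findings.append(f"record {i}: zeroed record between live entries")
            continue
        seen_live = True
        if r.ts and last_ts and r.ts < last_ts:
            findings.append(f"record {i}: timestamp {r.ts} precedes previous {last_ts}")
        if r.ts:
            last_ts = max(last_ts, r.ts)
        if r.ut_type == USER_PROCESS:
            open_lines.add(r.line)
        elif r.ut_type == DEAD_PROCESS:
            if r.line not in open_lines:
                findings.append(f"record {i}: logout on {r.line} with no preceding login")
            open_lines.discard(r.line)
    return findings


def make_record(ut_type: int, pid: int, line: str, user: str, host: str, ts: int) -> bytes:
    """Build one record; struct pads short byte strings with NULs like the kernel/glibc do."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"", b"")


# Constructed sample: a boot, one login, a wiped (zeroed) login, an orphaned
# logout whose login was wiped, a back-dated logout, and 10 stray trailing bytes.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "reboot", "", 1700000000),
    make_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1700000100),
    b"\0" * UTMP_SIZE,
    make_record(DEAD_PROCESS, 1305, "pts/1", "", "", 1700000300),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1700000250),
]) + b"\0" * 10

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for line in audit_wtmp(data) or ["no anomalies found"]:
        print(line)
```

Run it against a live file with `python3 wtmp_audit.py /var/log/wtmp`; the same parser works on `/var/run/utmp`, since both use the same record layout. Findings are indicators, not proof: a timestamp regression can also come from a clock correction, so corroborate against `auth.log`/journal entries and the SSH daemon's own logging before treating the host as tampered with.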

Related Stories

Silent Push Research Finds SystemBC Botnet Operating 10,000+ Infected Proxies

Silent Push reported that the long-running **SystemBC** (aka **Coroxy** / **DroxiDat**) malware family has expanded into a botnet of **more than 10,000 unique infected IPs** globally. SystemBC primarily functions as a **SOCKS5 proxy** and **backdoor**, enabling threat actors to relay command-and-control and other malicious traffic through victim systems to obscure attribution and maintain persistent access; some variants have also been linked to **ransomware-adjacent activity** dating back to 2019. The research indicates infections are concentrated in the **United States** (with additional hotspots including **Germany, France, Singapore, and India**) and includes compromises in **sensitive infrastructure**, such as IPs hosting government websites in **Burkina Faso** and **Vietnam**. Silent Push observed SystemBC infrastructure using **abuse-tolerant/bulletproof hosting** (including `bthoster[.]com` and **AS213790 / BTCloud**) and identified a **previously undocumented Perl-based variant**, suggesting ongoing development. Reporting also notes the botnet’s resilience following Europol’s **Operation Endgame** disruption efforts, with indications that operators have adapted their infrastructure and targeting to sustain long-lived infections.

1 month ago
Research Highlights Malware and Post-Compromise Abuse Targeting Linux Network and Server Infrastructure

Security researchers reported several distinct but related findings showing how attackers are abusing **Linux-based infrastructure** for botnets, cryptomining, and post-compromise operations. Eclypsium identified a new **CondiBot** variant labeled `QTXBOT` and a previously undocumented **Monaco** cryptominer targeting network devices and exposed SSH services, with Monaco using brute-force access and exfiltrating stolen credentials to a command-and-control server hosted on Alibaba Cloud Singapore. Separately, Hunt.io exposed an Iranian-operated relay and botnet environment through an open directory, revealing a **15-node** tunnel network, SSH-based mass deployment tooling, on-host compilation of DDoS malware, and active command-and-control infrastructure. Flare also documented how threat actors repeatedly use the legitimate open-source script **Bench.sh** after initial access to profile compromised systems, including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP-based environments, in order to assess CPU, memory, disk, and bandwidth for follow-on abuse such as cryptomining, proxying, or DDoS. The reporting does **not** describe a single shared intrusion campaign: the CondiBot/Monaco discovery, the Iranian botnet infrastructure exposure, and Bench.sh abuse are separate research items connected by the broader theme of attackers operationalizing compromised Linux and network infrastructure. A separate report on **FancyBear/APT28** email theft and a general weekly security recap are different topics and should be excluded.

Today
SSHStalker Linux Botnet Uses SSH Brute Force and Legacy Exploits for Dormant Persistence

Researchers reported a previously undocumented Linux botnet dubbed **SSHStalker** that has compromised roughly **7,000** systems by combining **SSH credential brute-forcing/scanning** with **legacy (circa-2009) exploit chains** and highly automated staging. The activity was observed over multiple weeks via SSH honeypots, with intrusions characterized by rapid deployment, on-host compilation, and automated enrollment into command infrastructure, indicating an operation optimized for mass compromise rather than targeted intrusion. SSHStalker uses **IRC-based command-and-control** and a mixed toolkit that includes C-based bots, Perl scripts, and known botnet malware families such as **Tsunami** and **Keiten**. Reporting highlighted an unusual “**dormant persistence**” pattern: infected hosts are kept under control without immediate visible monetization or impact operations, despite having capabilities associated with **DDoS** and **cryptomining**. Persistence is described as noisy but effective, including **cron-based relaunch** behavior that can restore the malware within about a minute after disruption, suggesting the operator may be staging infrastructure or retaining access for future use.

1 month ago