SystemBC: Turning VPS into “Highways” for Malicious Traffic
- 22/09/2025
SystemBC – A Growing Cybersecurity Threat
SystemBC is rapidly becoming a major threat to cybersecurity. This botnet leverages thousands of compromised Virtual Private Servers (VPS), transforming them into high-speed proxies that cybercriminals use to conceal command-and-control (C2) activities and reroute malicious traffic.
According to a report from Black Lotus Labs (Lumen Technologies), the wide scale, stability, and persistence of SystemBC have made it a favored tool for multiple threat groups, including ransomware operators.
1. Why is SystemBC More Dangerous Than Other Proxy Networks?
While SystemBC is not a new piece of malware, its attack methods and choice of targets make it significantly more dangerous than consumer-grade proxy networks.
Instead of exploiting home devices, attackers focus on commercial VPS infrastructure, which offers greater bandwidth, higher performance, and more stable IP addresses. This enables them to create a reliable “network highway” to support malicious activities such as data harvesting, reconnaissance, brute-force password attacks, and concealing C2 traffic.
2. How SystemBC Works
SystemBC is designed to transform infected servers into proxy intermediaries, masking communication with C2 servers.
- First observed in 2019, it has been widely adopted by cybercriminal groups, including ransomware gangs, to launch large-scale malware distribution campaigns.
- Approximately 80% of its 1,500 active daily bots are hosted on commercial VPS from major providers.
- Reports show that each compromised VPS averages 20 unpatched vulnerabilities, including at least one critical flaw. Nearly 40% of infected servers remain compromised for over a month, highlighting its persistence.
3. Scale and Criminal Services
The SystemBC botnet consists of over 80 C2 servers and supports various underground proxy services.
- A service named REM Proxy alone exploits up to 80% of SystemBC’s bots.
- Other users include large-scale data harvesting operations and underground proxy networks such as VN5Socks and Shopsocks5 (originating in Vietnam).
- SystemBC is also frequently used in WordPress brute-force attacks and for selling stolen login credentials.

Figure: Cybercriminal proxy services leveraging the SystemBC network
Tests revealed that a single infected IP can generate 16 GB of proxy traffic within 24 hours, far exceeding residential proxy networks.
4. Resilience and Persistence
Analysts have identified IP addresses linked to both malware distribution and victim recruitment. Despite existing for several years and facing multiple takedown attempts, SystemBC continues to operate with remarkable resilience, maintaining a robust structure even when certain components are disrupted.
5. Warnings for VPS Administrators and Security Teams
To mitigate risks associated with SystemBC, VPS administrators and enterprise security teams should:
- Patch vulnerabilities as soon as fixes are released.
- Monitor for abnormal signs such as unusual traffic spikes, suspicious processes, or outbound connections to C2 servers.
- Isolate compromised VPS at the first sign of infection.
- Follow security advisories and adopt strict patch management practices.
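As an added example (not from the original article or the Black Lotus Labs report), the Python code below shows one way to turn "unusual traffic spikes" into a check over per-host daily flow summaries: a day is flagged when at least two relay-like signals coincide. The record layout, host names and thresholds are assumptions, the in/out symmetry test is a heuristic, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

GIB = 1024 ** 3
# Assumed thresholds; tune them against your own fleet's baseline.
SPIKE_FACTOR = 5            # outbound volume vs. the host's own recent median
MIN_OUT_BYTES = 5 * GIB     # ignore days that are small in absolute terms
RELAY_RATIO = (0.7, 1.4)    # bytes_in / bytes_out near 1: traffic is forwarded
MIN_PEERS = 200             # distinct remote IPs contacted in the day

# Constructed daily flow summaries, oldest first: (host, day, in, out, peers)
SAMPLE = [
    ("vps-a", "d1", 1 * GIB, 2 * GIB, 40),
    ("vps-a", "d2", 1 * GIB, 2 * GIB, 35),
    ("vps-a", "d3", 1 * GIB, 3 * GIB, 50),
    ("vps-a", "d4", 15 * GIB, 16 * GIB, 900),  # relay-like day
    ("vps-b", "d1", 1 * GIB, 2 * GIB, 20),
    ("vps-b", "d2", 1 * GIB, 2 * GIB, 25),
    ("vps-b", "d3", 1 * GIB, 2 * GIB, 22),
    ("vps-b", "d4", 1 * GIB, 20 * GIB, 30),    # large download day, few peers
]

def relay_suspects(records, history=3):
    """Return (host, day, reasons) for days that look like proxy relaying."""
    per_host = defaultdict(list)
    for host, day, b_in, b_out, peers in records:
        per_host[host].append((day, b_in, b_out, peers))
    findings = []
    for host, days in per_host.items():
        for i, (day, b_in, b_out, peers) in enumerate(days):
            prior = [d[2] for d in days[max(0, i - history):i]]
            if len(prior) < history or b_out < MIN_OUT_BYTES:
                continue  # not enough baseline yet, or too small to matter
            reasons = []
            if b_out >= SPIKE_FACTOR * median(prior):
                reasons.append("outbound spike")
            if RELAY_RATIO[0] <= b_in / b_out <= RELAY_RATIO[1]:
                reasons.append("in/out symmetric")
            if peers >= MIN_PEERS:
                reasons.append("many peers")
            if len(reasons) >= 2:  # one signal alone is too noisy to alert on
                findings.append((host, day, reasons))
    return findings
```

Requiring two signals keeps a legitimate bulk-transfer day (vps-b in the sample) from alerting on volume alone.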
6. Conclusion
SystemBC has evolved into one of the most dangerous botnets today, turning VPS into high-speed “highways” for cybercrime. Its capabilities range from ransomware operations and data theft to brute-force attacks and the sale of stolen credentials.

Figure: A single VPS in the SystemBC network contained as many as 161 unpatched vulnerabilities
The best defense lies in proactive system security, continuous monitoring, and timely patching to prevent SystemBC and similar threats from taking hold.
(Source: WhiteHat)



