NEWS Rented a VPS? Congratulations, you are sponsoring Russian cybercrime

ExcalibuR

The SystemBC botnet has turned vulnerable VPSs into a global network for stealing passwords.

The operators of the SystemBC botnet have built a global network that relies on hacked commercial virtual servers and maintains about 1,500 active nodes daily. These machines are turned into infrastructure for redirecting malicious traffic and hiding command servers. Specialists from Black Lotus Labs note that this system relies on scale, not stealth: the addresses of infected systems are not masked or changed, which is unusual for criminal proxy networks.

SystemBC itself has been known since 2019 and is used both to deliver malware and to rent out resources to other criminal services. For example, the REM Proxy service is based on approximately 80% of SystemBC's infrastructure, offering clients different pricing tiers depending on proxy quality. Other major users include a Russian web scraping service and the Vietnamese network VN5Socks (also known as Shopsocks5). However, the operators themselves most often use the network for brute-forcing passwords for WordPress sites and then resell the access to intermediaries who inject malicious code.

Over 80% of the machines involved are virtual servers from large hosting providers. Their key feature is an extremely high level of vulnerabilities: the average server has about twenty security holes, including at least one critical one. The Black Lotus Labs report mentions a specific server in Alabama where the Censys system detected 161 unpatched vulnerabilities. Due to this poor security state, almost 40% of nodes remain infected for more than a month, providing the network with stability and high bandwidth. For comparison: a compromised node can transmit over 16 gigabytes of proxy traffic per day—significantly more than in residential proxy networks based on home routers.

The management is handled by over 80 command servers that connect clients to the infected proxies. A central address—104.250.164[.]214—has been identified, which stores all 180 known SystemBC samples and is used to recruit new victims. After infection, the machine downloads a shell script with Russian-language comments that launches all variants of the malware simultaneously. This ensures maximum resource utilization and resilience to takedown attempts. Even large-scale law enforcement operations, such as Endgame, have failed to shut the network down.

According to Black Lotus Labs' observations, the long-lived SystemBC infrastructure has become a foundation for numerous criminal services and is still used as a primary channel for transmitting illegal traffic. In their research, the company publishes a technical breakdown of the proxy botnet's operations and indicators of compromise (IOCs) to help detect infections and prevent server exploitation.
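An added defender-side example, not part of the original post or the Black Lotus Labs report: a small flow-log triage script that flags VPS hosts showing the two traits described above, contact with the published staging address and daily proxy egress at or above the roughly 16 GB per node the report cites. The flow-record format, the host addresses and the byte counts below are constructed sample data.

```python
from collections import defaultdict

# Staging/C2 address from the report, written defanged as in the article.
SYSTEMBC_C2_DEFANGED = "104.250.164[.]214"
# The article cites more than 16 GB of proxy traffic per compromised node per day.
DAILY_PROXY_BYTES = 16 * 1024 ** 3


def refang(ioc):
    """Turn a defanged indicator such as '104.250.164[.]214' back into an IP string."""
    return ioc.replace("[.]", ".")


def parse_flow(line):
    """Parse one constructed flow record: 'src_ip dst_ip dst_port bytes_out'."""
    src, dst, port, nbytes = line.split()
    return src, dst, int(port), int(nbytes)


def triage(flow_lines):
    """Return hosts that contacted the C2 address and hosts with heavy daily egress.

    Callers should pass one day's worth of flows, since the egress check sums
    bytes per source host over the whole input.
    """
    c2 = refang(SYSTEMBC_C2_DEFANGED)
    c2_contact = set()
    out_bytes = defaultdict(int)
    for line in flow_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and comment lines
        src, dst, _port, nbytes = parse_flow(line)
        if dst == c2:
            c2_contact.add(src)
        out_bytes[src] += nbytes
    heavy = {h for h, b in out_bytes.items() if b >= DAILY_PROXY_BYTES}
    return {"c2_contact": sorted(c2_contact), "heavy_egress": sorted(heavy)}


# Constructed sample flows (documentation address ranges, one day of traffic).
SAMPLE_FLOWS = [
    "# src_ip dst_ip dst_port bytes_out",
    "203.0.113.10 104.250.164.214 443 2048",          # fetches from staging host
    "203.0.113.10 198.51.100.5 4145 9000000000",      # SOCKS-style relay traffic
    "203.0.113.10 198.51.100.6 4145 9000000000",      # total now above 16 GB
    "203.0.113.20 198.51.100.7 443 500000",           # ordinary web traffic
    "203.0.113.30 198.51.100.9 4145 20000000000",     # heavy egress, no C2 contact
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```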