www.securityweek.com 2/5/2026, 12:25:19 PM

SystemBC Infects 10,000 Devices After Defying Law Enforcement Takedown

SystemBC has survived a law enforcement takedown and has ensnared over 10,000 machines in a botnet, according to SecurityWeek. The malware loader, also known as Coroxy and DroxiDat, is used to turn infected devices into SOCKS5 proxies, which relay traffic and can potentially hide malicious infrastructure.

Silent Push notes that more than 10,000 IP addresses are now generating SystemBC-specific traffic, 4,300 of them in the United States, with substantial numbers of victims in Germany (829), France (448), Singapore (419), and India (294). The campaign includes a Perl-based SystemBC variant targeting Linux, indicating the malware’s developer may be a Russian speaker, and the infection set also involves WordPress-targeted sites.

Operation Endgame previously targeted SystemBC in May 2024 as part of a coordinated law enforcement effort, yet the botnet’s activity has not ceased. SystemBC-associated infrastructure is described by Silent Push as a sustained risk due to its role early in intrusion chains and its use across multiple threat actors.

Article by CyberSIXT
