A new Silent Push report identifies a massive SystemBC botnet that has infected more than 10,000 unique IP addresses across global networks, including sensitive government infrastructure. SystemBC, also known as Coroxy or DroxiDat, functions as a SOCKS5 proxy toolkit that criminals use to hide traffic and deploy ransomware payloads.
The analysis describes a globally distributed infection base with the highest concentration in the United States, followed by Germany, France, Singapore, and India, and highlights infections tied to multiple government domains, including a Vietnamese provincial government site and a domain linked to the Government of Burkina Faso. The operators rely on “bulletproof” hosting providers to keep the C2 infrastructure alive; the report cites BTHoster and AS213790 (BTCloud) as examples.
Furthermore, many of the infected IP addresses have been flagged in VirusTotal comments for WordPress exploitation activity, suggesting the botnet is being rented out or used directly to attack vulnerable websites. Silent Push also observed a previously undocumented SystemBC Perl variant, indicating that the group behind SystemBC continues to evolve the toolkit.