Cybersecurity researchers at Bitsight have uncovered a sophisticated botnet operation known as Socks5Systemz, which manages the widely used PROXY.AM service. The investigation reveals an extensive network comprising between 85,000 and 100,000 compromised devices, making it one of the largest proxy-oriented botnets discovered in recent years.
The Evolution and Infrastructure of Socks5Systemz
First emerging on underground forums in 2013, Socks5Systemz has established itself as a significant threat in the cybersecurity landscape. The botnet’s infrastructure is closely linked to several prominent malware loaders, including PrivateLoader, SmokeLoader, and Amadey. Since 2016, the associated PROXY.AM service has been providing cybercriminals with anonymization capabilities for their malicious activities.
Geographic Distribution and Scale of Operations
The botnet’s reach peaked in early 2024, with approximately 250,000 infected machines – a figure that substantially exceeds the typical size of proxy-oriented botnets, which usually maintain between 15,000 and 50,000 bots. The highest concentration of compromised devices has been identified in India, Indonesia, Ukraine, Algeria, Vietnam, and Russia; infections cluster primarily in developing nations, where cybersecurity standards may be lower.
Operational Model and Monetization Strategy
Socks5Systemz operates by transforming infected computers into proxy servers, which are then monetized through the PROXY.AM service. The operation offers clients access to more than 80,000 proxies across 31 countries, with service packages ranging from $126 for basic “Unlimited” access to $700 monthly for “VIP” privileges. This sophisticated business model demonstrates the increasing professionalization of cybercrime operations.
Recent Infrastructure Overhaul and Technical Developments
A significant disruption in December 2023 forced the botnet’s operators to rebuild their infrastructure, leading to the deployment of Socks5Systemz V2. The operators successfully leveraged advanced malware loaders to update existing infections with new malicious code, demonstrating their technical capabilities and resilience.
The persistence and scale of the Socks5Systemz operation highlight the growing sophistication of proxy-based malware threats in today’s cybersecurity landscape. This case underscores the critical importance of implementing robust network monitoring solutions and maintaining strong security practices to detect and prevent such threats. Organizations and individuals must remain vigilant and regularly update their security measures to protect against evolving botnet operations.