SystemBC Botnet Weaponizes Vulnerable VPS for High-Bandwidth Proxies

CyberSecureFox 🦊

Threat actors operating the SystemBC botnet are systematically compromising vulnerable virtual private servers (VPS) and converting them into high-throughput proxy relays. According to research by Lumen Technologies, the network sustains roughly 1,500 active bots per day, providing resilient channels to anonymize malicious activity and conceal upstream command-and-control (C2) infrastructure.

Scale and Design: A Proxy Botnet Built for Throughput, Not Stealth

Active since at least 2019, SystemBC has been used by multiple criminal groups, including ransomware operators, to deliver payloads and route traffic. The botnet’s defining feature is its orientation toward high-volume network traffic rather than evasion. Bot IPs are neither obfuscated nor rotated, and control is brokered through 80+ C2 servers that match paying clients with infected proxy nodes and feed adjacent proxy services.

The Proxy Economy Around SystemBC

SystemBC acts as base infrastructure for commercialized proxy ecosystems. Researchers note that the REM Proxy service derives roughly 80% of its inventory from SystemBC bots and prices access dynamically by quality and availability. Other consumers include a large Russian-language web-scraping platform and Vietnam's VN5Socks/Shopsocks5; this layering blurs attribution and increases monetization for the botnet operators.

Global Footprint and Persistence on Commercial VPS

Compromised hosts are globally distributed and commonly carry at least one critical vulnerability or several hardening gaps. Approximately 80% of SystemBC's infrastructure consists of VPS hosted at major providers, a factor that drives long-lived infections. Nearly 40% of nodes remain compromised for more than a month, reflecting the stable power, bandwidth, and IP reputation of VPS compared to residential SOHO proxies.

The bandwidth profile is notable: investigators observed individual nodes pushing over 16 GB of proxy traffic in 24 hours, an order of magnitude higher than typical proxy-botnet baselines. The choice of VPS—rather than residential endpoints—enables high availability and sustained throughput prized by cybercriminal marketplaces.

Tactics: WordPress Brute-Force and Access Resale

Current activity includes wide-scale WordPress credential brute-force. Stolen admin and user accounts are likely resold to initial access brokers, who then seed websites with malware droppers, phishing kits, or SEO spam. By originating from reputable commercial VPS IP space, SystemBC proxies lend attacks a veneer of legitimacy that helps bypass basic IP reputation defenses.

Indicators and Traffic Patterns to Monitor

Global telemetry highlights 104.250.164[.]214 as a pivotal node for victim discovery and SystemBC loader distribution. Analysts observed this host serving all 180 malware samples tied to the current campaign, making it a high-confidence indicator for detection and blocking.

Network defenders should watch for atypical outbound proxy behaviors, including sustained egress volumes, long-lived TCP sessions, unusual destination ports, and TLS sessions to infrastructure with no known business purpose. Combining NDR/EDR with NetFlow/PCAP analytics materially improves detection fidelity for proxy-botnet patterns.
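As an added illustration of the traffic heuristics above (example code, not part of the Lumen research or of this article), the script below scores per-host flow records against three of those signals plus the published indicator: total egress in the observation window, sessions that stay open for an hour or more, and a spread of nonstandard destination ports. The flow-record layout, the thresholds, and the sample records are assumptions constructed for the example; only the indicator address comes from the article.

```python
from collections import defaultdict

# Loader/discovery host named in the article (defanged there as 104.250.164[.]214).
KNOWN_IOCS = {"104.250.164.214"}

# Ports a typical server is expected to reach outbound; anything else is "nonstandard".
# Assumption for this example; tune to the host's real role.
STANDARD_EGRESS_PORTS = {53, 80, 123, 443}

# Thresholds are assumptions for this example, chosen around the article's figures:
# >16 GB/day from one node and multi-hour proxy sessions.
EGRESS_BYTES_PER_WINDOW = 16 * 1024**3
LONG_SESSION_SECONDS = 3600
NONSTANDARD_PORT_MIN = 3


def analyze_flows(flows):
    """Aggregate unidirectional flow records by source host and return
    {host: [reasons]} for hosts that look like proxy relays.

    Each flow is a dict with keys: src, dst, dport, bytes_out, duration_s
    (assumed layout; map your NetFlow/IPFIX exporter's fields onto it).
    """
    egress = defaultdict(int)
    long_sessions = defaultdict(int)
    odd_ports = defaultdict(set)
    ioc_hits = defaultdict(set)

    for f in flows:
        src = f["src"]
        egress[src] += f["bytes_out"]
        if f["duration_s"] >= LONG_SESSION_SECONDS:
            long_sessions[src] += 1
        if f["dport"] not in STANDARD_EGRESS_PORTS:
            odd_ports[src].add(f["dport"])
        if f["dst"] in KNOWN_IOCS:
            ioc_hits[src].add(f["dst"])

    findings = {}
    for host in sorted(egress):
        reasons = []
        if ioc_hits[host]:
            reasons.append(f"contacted known loader/C2 host {sorted(ioc_hits[host])}")
        if egress[host] >= EGRESS_BYTES_PER_WINDOW:
            reasons.append(f"egress {egress[host] / 1024**3:.1f} GiB in window")
        if long_sessions[host]:
            reasons.append(f"{long_sessions[host]} session(s) >= {LONG_SESSION_SECONDS}s")
        if len(odd_ports[host]) >= NONSTANDARD_PORT_MIN:
            reasons.append(f"nonstandard egress ports {sorted(odd_ports[host])}")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed sample flows (not real telemetry): one VPS behaving like a relay,
# one that only pulled the loader, and one ordinary web server.
SAMPLE_FLOWS = [
    {"src": "203.0.113.10", "dst": "198.51.100.7", "dport": 4145, "bytes_out": 9 * 1024**3, "duration_s": 7200},
    {"src": "203.0.113.10", "dst": "198.51.100.8", "dport": 1080, "bytes_out": 5 * 1024**3, "duration_s": 5400},
    {"src": "203.0.113.10", "dst": "198.51.100.9", "dport": 8081, "bytes_out": 3 * 1024**3, "duration_s": 600},
    {"src": "203.0.113.20", "dst": "104.250.164.214", "dport": 80, "bytes_out": 4096, "duration_s": 2},
    {"src": "203.0.113.30", "dst": "198.51.100.50", "dport": 443, "bytes_out": 200 * 1024**2, "duration_s": 30},
    {"src": "203.0.113.30", "dst": "198.51.100.51", "dport": 53, "bytes_out": 512, "duration_s": 1},
]

if __name__ == "__main__":
    for host, reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

The IoC match is kept separate from the volume heuristics on purpose: a single small fetch from the loader host (the 203.0.113.20 case) is enough to warrant investigation even though it trips none of the bandwidth or port rules, and a high-volume relay should be flagged even when it never touches a known indicator.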

Defensive Guidance for VPS and WordPress Security

Vulnerability management: Patch operating systems and server software promptly, enforce baseline hardening, remediate known critical flaws, and close unused ports. Many SystemBC infections exploit well-documented weaknesses and misconfigurations.

Access controls: Restrict SSH/RDP with allowlists, require MFA, and favor keys over passwords. Add geo-based and behavioral policies to curb automated abuse, and segment hosts so that one compromised VPS cannot be used for lateral movement.

WordPress hardening: Deploy a WAF, rate-limit login attempts, enable MFA for administrators, enforce strong passwords, and update core/plugins frequently. Continuously monitor authentication logs for brute-force and anomalous sign-ins.

Proxy traffic detection: Use NDR/EDR plus NetFlow/PCAP to flag unusual egress volume, nonstandard ports, and proxy-like patterns. Maintain denylists for known C2s and IoCs, including 104.250.164[.]214.

Incident response: Upon compromise, isolate affected hosts, rotate credentials and keys, inspect for persistence (cron, services, startup scripts), perform forensics, and reimage or thoroughly clean before returning to production.
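The WordPress monitoring item above ("continuously monitor authentication logs for brute-force") can be implemented against the web server's access log, because WordPress answers a failed wp-login.php POST by re-rendering the form with HTTP 200 and a successful one with a 302 to /wp-admin/, and xmlrpc.php returns 200 for both outcomes but lets one request carry many attempts. The detector below is an added example, not code from the article or from WordPress; the log lines, the sliding-window thresholds and the helper names are constructed for it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format; regex is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Credential-guessing endpoints and the failures-per-window that trigger an alert.
# xmlrpc.php gets a low threshold because system.multicall batches attempts.
LOGIN_PATHS = {"/wp-login.php": 10, "/xmlrpc.php": 3}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def is_failure(rec):
    # XML-RPC faults come back as HTTP 200, so every POST there counts as an attempt.
    if rec["path"] == "/xmlrpc.php":
        return True
    return rec["status"] == 200   # wp-login.php re-renders the form on failure


def detect_bruteforce(lines, window=timedelta(minutes=5)):
    """Return {ip: {"path", "failures", "success_after_burst"}} for offending IPs.

    A 302 from wp-login.php after the same IP crossed the failure threshold is
    flagged separately: that credential should be treated as compromised.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if is_failure(rec):
            q.append(rec["ts"])
            if len(q) >= LOGIN_PATHS[rec["path"]]:
                a = alerts.setdefault(
                    rec["ip"], {"path": rec["path"], "failures": 0, "success_after_burst": False}
                )
                a["failures"] = max(a["failures"], len(q))
        elif rec["status"] in (301, 302) and rec["ip"] in alerts:
            alerts[rec["ip"]]["success_after_burst"] = True
    return alerts


def _line(ip, ts, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 2831 "-" "Mozilla/5.0"'


# Constructed sample log: a 12-attempt burst that ends in a successful login,
# one legitimate admin who mistyped once, and a small xmlrpc.php burst.
T0 = datetime(2025, 9, 18, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.23", T0 + timedelta(seconds=5 * i), "/wp-login.php", 200) for i in range(12)]
    + [_line("198.51.100.23", T0 + timedelta(seconds=61), "/wp-login.php", 302)]
    + [_line("203.0.113.5", T0 + timedelta(minutes=2), "/wp-login.php", 200),
       _line("203.0.113.5", T0 + timedelta(minutes=2, seconds=20), "/wp-login.php", 302)]
    + [_line("198.51.100.99", T0 + timedelta(seconds=30 * i), "/xmlrpc.php", 200) for i in range(4)]
)

if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, a)
```

Feed the output to a WAF or fail2ban-style blocker for the plain bursts, and route the `success_after_burst` cases to the incident-response step above: the account behind that 302 needs its password reset and its sessions revoked, not just the source IP blocked.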

SystemBC underscores a profitable shift: at-scale exploitation of exposed VPS yields high uptime, bandwidth, and dwell time—ideal traits for a commercialized proxy botnet. Reducing risk requires disciplined patching, hardened access, layered detection, and proactive monitoring for proxy patterns and known indicators. Organizations running VPS and WordPress should prioritize these controls to avoid becoming unwilling infrastructure for criminal operations.
