
SystemBC’s early‑stage proxy capabilities give attackers stealthy footholds, increasing the risk of ransomware and supply‑chain compromise for critical infrastructure.
The SystemBC botnet, first seen in 2019, has resurfaced as a large proxy network, now linked to over 10,000 compromised IPs across five continents. By turning infected hosts into SOCKS5 relays, operators can route malicious traffic through addresses that look legitimate and keep a foothold inside target environments, often before ransomware is deployed. Silent Push's new fingerprinting method shows that the botnet's activity consistently precedes high‑impact intrusions, underscoring its role as an early‑stage tool in sophisticated cyber‑crime campaigns. Because the relays include compromised cloud assets, SystemBC also threatens supply‑chain integrity: downstream services may trust traffic from an endpoint that is in fact under attacker control.
Detection remains difficult because most infections reside on data‑centre servers rather than home PCs, where they can linger for weeks without anyone noticing. A previously undocumented Perl variant targeting Linux was detected by none of the 62 antivirus engines it was checked against at the time of discovery, which shows how adaptable the malware is. The infrastructure relies heavily on bullet‑proof hosting, including BTHoster and the autonomous system AS213790, which tolerate abuse and complicate takedowns. Compromised systems, among them government websites in Burkina Faso and Vietnam, have therefore been used as proxies for extended periods: infected hosts remain under attacker control for 38 days on average, and some persist beyond 100 days.
Enterprises and public‑sector organizations should treat SystemBC indicators as a warning sign of imminent ransomware activity. Integrating the fingerprint into SIEMs, monitoring for SOCKS5 negotiations where no proxy should exist, and enforcing strict outbound connection controls can disrupt the botnet's command‑and‑control chain. Regular patching of Linux services and scrutiny of third‑party hosting contracts reduce the exposure that the Perl variant depends on. Proactive threat‑intel sharing and coordinated takedowns with hosting providers are essential to shorten the botnet's lifespan and protect critical infrastructure. Regulators may view prolonged compromise of government domains as a breach of critical‑infrastructure standards, prompting stricter compliance audits.
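The two controls above, spotting SOCKS5 negotiations and enforcing an egress allowlist, can be checked from flow records that carry the first payload bytes of each connection. The following is an added example, not Silent Push's fingerprint and not code from SystemBC or any vendor: it parses the RFC 1928 method negotiation (client greeting, server method selection) and flags internal hosts that answer SOCKS5 to outside clients, internal hosts that open SOCKS5 sessions to anything other than a sanctioned proxy, and direct egress to ports outside the allowed set. The address ranges, the approved proxy `10.1.9.9:1080`, the allowed ports and the `FLOWS` records are all constructed assumptions.

```python
"""Flag SOCKS5 method negotiations and egress-policy violations in flow records.

Added example: not Silent Push's fingerprint and not SystemBC code. The network
ranges, approved-proxy list, allowed egress ports and flow records are all
constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SOCKS5 = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF  # RFC 1928 method codes


def parse_client_greeting(data: bytes) -> Optional[list]:
    """Return the offered auth methods if data starts with a SOCKS5 greeting
    (VER=5, NMETHODS, METHODS...), otherwise None."""
    if len(data) < 3 or data[0] != SOCKS5:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_server_choice(data: bytes) -> Optional[int]:
    """Return the selected method if data starts with a SOCKS5 method-selection
    reply (VER=5, METHOD), otherwise None."""
    if len(data) < 2 or data[0] != SOCKS5:
        return None
    return data[1]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    c2s: bytes  # first payload bytes, client to server
    s2c: bytes  # first payload bytes, server to client


def socks5_method(flow: Flow) -> Optional[int]:
    """Return the negotiated method if the flow shows a completed SOCKS5
    negotiation: a greeting answered with one of the offered methods."""
    offered = parse_client_greeting(flow.c2s)
    if offered is None:
        return None
    chosen = parse_server_choice(flow.s2c)
    if chosen is None or chosen == NO_ACCEPTABLE or chosen not in offered:
        return None
    return chosen


# Assumed environment: data-centre range, the one sanctioned SOCKS proxy, and
# the destination ports ordinary servers are allowed to reach directly.
INTERNAL = ip_network("10.0.0.0/8")
APPROVED_PROXIES = {("10.1.9.9", 1080)}
ALLOWED_EGRESS_PORTS = {80, 443}


def assess(flows) -> list:
    """Return (host, finding, detail) triples for SOCKS5 negotiations outside the
    approved proxy and for internal hosts reaching unapproved external ports."""
    alerts = []
    for f in flows:
        src_internal = ip_address(f.src) in INTERNAL
        dst_internal = ip_address(f.dst) in INTERNAL
        method = socks5_method(f)
        if method is not None and (f.dst, f.dport) not in APPROVED_PROXIES:
            if dst_internal:
                # An internal host answering SOCKS5 is behaving as a relay.
                alerts.append((f.dst, "socks5-server", method))
            else:
                alerts.append((f.src, "socks5-client", method))
        if src_internal and not dst_internal and f.dport not in ALLOWED_EGRESS_PORTS:
            alerts.append((f.src, "egress-violation", f.dport))
    return alerts


# Constructed flow records (first payload bytes only, as a sensor might export).
FLOWS = [
    # external client, internal server answers "no authentication required"
    Flow("203.0.113.7", 51234, "10.1.2.3", 4001, b"\x05\x01\x00", b"\x05\x00"),
    # ordinary TLS to an approved port: no finding
    Flow("10.1.2.3", 40000, "198.51.100.9", 443, b"\x16\x03\x01\x02\x00", b"\x16\x03\x03"),
    # internal host opens SOCKS5 (user/pass) to an external, unapproved port
    Flow("10.1.2.3", 40001, "198.51.100.9", 4001, b"\x05\x02\x00\x02", b"\x05\x02"),
    # SOCKS5 to the sanctioned corporate proxy: no finding
    Flow("10.1.2.50", 52000, "10.1.9.9", 1080, b"\x05\x01\x02", b"\x05\x02"),
]

if __name__ == "__main__":
    for alert in assess(FLOWS):
        print(alert)
```

The negotiation check deliberately requires both sides of the handshake (a greeting that the peer actually accepted), so a port scanner probing with `05 01 00` does not by itself raise a relay finding; a host that both answers SOCKS5 from outside and opens its own SOCKS5 sessions to an unapproved destination, as `10.1.2.3` does here, is the pattern worth escalating.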