NEXUSGUARDIAN | 20 Sep 2025 | Cyber Warfare

Inside the Proxy Factory: How SystemBC’s Botnet Turns 1,500 Servers a Day into Criminal Infrastructure

A sprawling malware-powered proxy network is quietly hijacking virtual servers worldwide, fueling cybercrime at industrial scale.

Fast Facts

  • SystemBC malware runs a network of 1,500 infected virtual private servers (VPS) daily.
  • REM Proxy, the service built on this botnet, boasts over 80 command-and-control servers.
  • Up to 80% of victims are commercial VPS systems, many with dozens of security flaws.
  • Victims’ servers are converted into anonymous proxy relays for cybercriminals.
  • SystemBC is linked to ransomware, credential theft, and major proxy-for-hire services.

The Quiet Hijacking of the Cloud

Imagine a digital assembly line, humming quietly in the background of the internet, where powerful servers meant for business and data crunching are silently repurposed by criminals. This is the reality behind SystemBC, a piece of malware that’s become the backbone of the REM Proxy network - a shadowy marketplace where access to thousands of hijacked computers is bought and sold like cheap real estate.

According to new research from Lumen Technologies’ Black Lotus Labs, SystemBC’s reach is vast: each day, around 1,500 VPS machines, mostly from major cloud providers, are commandeered and transformed into relay stations for illicit internet traffic. These aren’t dusty home laptops, but high-powered, always-on servers - making them goldmines for anyone looking to push spam, brute-force attacks, or even hide the origins of ransomware campaigns.

Proxy Networks: From Niche to Industrial-Scale Crime

SystemBC isn’t new to the cybercrime scene. First spotted in 2019, it was initially a tool for ransomware gangs to hide their tracks. But like any successful criminal enterprise, it’s evolved - now supporting both Windows and Linux targets, and even infecting routers and cloud-based infrastructure. The result: a proxy-for-hire ecosystem where anyone with cryptocurrency and a motive can rent access to anonymized internet traffic routes, courtesy of unwitting victims.

REM Proxy, which leverages SystemBC, markets access to not only its infected VPS pool but also tens of thousands of vulnerable home routers and open proxies. This service has become a staple for actors behind notorious malware like TransferLoader and the Morpheus ransomware group, as well as for web scrapers and other criminal services across Russia and Vietnam. The business model is simple: build scale and resilience, and offer persistent, high-volume proxies for everything from credential stuffing attacks to spam campaigns.

Why Are So Many Servers Falling Victim?

The answer is a toxic mix of poor security hygiene and automation. Lumen’s analysis found that the average infected VPS had at least 20 known, unpatched vulnerabilities - some with over 160. Once compromised, these servers remain under criminal control for more than a month on average, forming a durable backbone for malicious activity. The infection process is brazenly simple: attackers scan for weak spots, deploy a shell script, and drop SystemBC, which then connects to one of over 80 command-and-control servers, ready to serve as a proxy relay.

Unlike many botnets that target home devices for their residential IPs, SystemBC’s focus on commercial VPS infrastructure gives it scale and reliability - qualities prized by professional cybercriminals. This shift signals a maturing market, where proxy networks are no longer fringe tools but essential infrastructure for the global cybercrime economy.

Reflections from the Shadows

SystemBC’s story is a warning: as businesses migrate to the cloud and leave vulnerable servers exposed, they risk becoming unwitting accomplices in a cybercrime supply chain. The malware’s industrialization of proxy networks marks a new chapter in the arms race between defenders and attackers, where the cloud itself is weaponized at scale. Until patching and security become as routine as locking the front door, the assembly line of compromised servers will keep churning - fueling an underground economy that thrives on our collective neglect.

WIKICROOK

  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • Virtual Private Server (VPS): A Virtual Private Server (VPS) is a rented online server with dedicated resources, often used for hosting websites or apps; like any internet-facing system, it requires regular security updates.
  • Proxy Network: A proxy network routes internet traffic through intermediaries, hiding users’ real locations and identities - useful for privacy, but sometimes misused.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Vulnerability (CVE): A Vulnerability (CVE) is a publicly listed security flaw in software or hardware that attackers can exploit if left unpatched.

NEXUSGUARDIAN, Supply Chain Security Architect