Researchers have discovered a large botnet made up of compromised devices that has infiltrated networks worldwide, including sensitive government systems. A report from Silent Push has identified over 10,000 unique IP addresses infected with SystemBC, a proxy malware used by cybercriminals to conceal their actions and deploy ransomware.

The discovery reveals a persistent and evolving threat. SystemBC, also called “Coroxy” or “DroxiDat,” is not a simple piece of malware; it is a proxy toolkit that turns each infected system into a SOCKS5 proxy, letting the operators route their traffic through victims to hide where follow-on activity really originates.
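Because SystemBC's value to an operator is the SOCKS5 service it exposes on the victim, a practical detection is to look for hosts that start speaking SOCKS5 as a server when they have no business doing so. The block below is an added example, not code from the report or from Silent Push: it parses the two client-side messages defined in RFC 1928 (the method greeting and the CONNECT/BIND/UDP request) and flags flows whose destination is outside a sanctioned proxy set. The flows and the sanctioned-host list are constructed for the example.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(payload: bytes):
    """Client greeting (RFC 1928 s3): VER | NMETHODS | METHODS[NMETHODS]."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return {"type": "greeting", "methods": list(payload[2:])}


def parse_request(payload: bytes):
    """Client request (RFC 1928 s4): VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    cmd, atyp, body = payload[1], payload[3], payload[4:]
    if cmd not in CMD_NAMES:
        return None
    if atyp == 0x01 and len(body) == 6:                          # IPv4 + port
        host, port_bytes = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == 0x03 and body and len(body) == 3 + body[0]:     # length-prefixed FQDN + port
        host, port_bytes = body[1:1 + body[0]].decode("ascii", "replace"), body[1 + body[0]:]
    elif atyp == 0x04 and len(body) == 18:                       # IPv6 + port
        host, port_bytes = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        return None
    return {"type": "request", "cmd": CMD_NAMES[cmd], "host": host,
            "port": struct.unpack("!H", port_bytes)[0]}


def classify(payload: bytes):
    """Classify the first client-to-server payload of a TCP flow."""
    return parse_greeting(payload) or parse_request(payload) or {"type": "other"}


# Constructed flows: (src, dst, first client payload). Assumption for this
# example: only 10.0.0.5 is sanctioned to run a SOCKS proxy on the network.
SANCTIONED_PROXIES = {"10.0.0.5"}
FLOWS = [
    ("203.0.113.9", "10.0.0.5",  b"\x05\x01\x00"),                             # greeting to the sanctioned proxy
    ("203.0.113.9", "10.0.0.42", b"\x05\x02\x00\x02"),                         # greeting to a workstation
    ("203.0.113.9", "10.0.0.42", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"),  # CONNECT example.com:443
    ("10.0.0.42",   "10.0.0.1",  b"GET / HTTP/1.1\r\n\r\n"),                    # not SOCKS at all
]


def flag_unsanctioned_socks(flows, sanctioned):
    """Return flows in which a host outside `sanctioned` is serving SOCKS5."""
    alerts = []
    for src, dst, payload in flows:
        parsed = classify(payload)
        if parsed["type"] != "other" and dst not in sanctioned:
            alerts.append((src, dst, parsed))
    return alerts


if __name__ == "__main__":
    for src, dst, parsed in flag_unsanctioned_socks(FLOWS, SANCTIONED_PROXIES):
        print(f"ALERT {src} -> {dst}: {parsed}")
```

The strict length checks matter: a lone `0x05` byte appears in plenty of binary protocols, so the parser only accepts a payload that is exactly one well-formed SOCKS5 message. In a real deployment the same logic would run over the first payload of each new inbound TCP session (for example from a Zeek or Suricata extract), and the sanctioned set would come from the asset inventory.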
Using a custom-built tracker, Silent Push analysts peeled back the layers of this botnet to reveal its true scale. “Our analysis shows SystemBC infections are globally distributed at scale, with the highest concentration of infected IP addresses observed in the United States, followed by Germany, France, Singapore, and India,” the report states.
The immediate issue is the device compromise, but the larger concern is what comes next. SystemBC has a history of serving as the gateway for ransomware. “While we don’t have immediate visibility on any follow-on malware payloads deployed via this current SystemBC botnet, historically, many threat actors have used SystemBC to deploy ransomware on compromised networks”.
More concerning still, the infections are not confined to home routers; they reach government institutions.
While reviewing passive DNS (PADNS) data, the researchers found what they describe as a critical anomaly: “infections tied to multiple government domains”.
Vietnam: One infected host at IP address 103.28.36[.]105 was found hosting phutho.duchop[.]gov[.]vn, a Vietnamese provincial government website.
Burkina Faso: Another infected IP, 196.13.207[.]92, was linked to domains associated with the Government of Burkina Faso in West Africa.
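The step described above, cross-referencing tracker hits against passive DNS to see which domains resolved to infected addresses, is straightforward to reproduce. The block below is an added example, not Silent Push's tracker code: it joins a set of infection sightings with passive-DNS rows, keeps only records whose resolution window overlaps the sighting window (an address reassigned between the two dates is not evidence), and marks domains under a government suffix. The two IP addresses are the ones named in the report; the dates, the Burkina Faso hostname (`example.gov.bf`) and the other rows are constructed placeholders, not data from the report.

```python
from datetime import date

# Constructed sightings: IP -> (first_seen, last_seen) of the tracker hit.
# The addresses come from the report; the dates are placeholders.
SIGHTINGS = {
    "103.28.36.105": (date(2025, 2, 1), date(2025, 2, 28)),
    "196.13.207.92": (date(2025, 2, 5), date(2025, 2, 20)),
}

# Constructed passive-DNS rows: (rrname, rrtype, rdata, first_seen, last_seen).
PDNS = [
    ("phutho.duchop.gov.vn", "A",     "103.28.36.105", date(2025, 1, 10), date(2025, 3, 2)),
    ("old-blog.example",     "A",     "103.28.36.105", date(2023, 1, 1),  date(2023, 6, 1)),   # stale, pre-infection
    ("example.gov.bf",       "A",     "196.13.207.92", date(2024, 11, 1), date(2025, 2, 10)),  # placeholder hostname
    ("www.example.gov.bf",   "CNAME", "example.gov.bf.", date(2024, 11, 1), date(2025, 2, 10)),  # not an address record
    ("shop.example.com",     "A",     "198.51.100.7",  date(2025, 2, 1),  date(2025, 2, 28)),  # IP not in the sightings
]

# Second-level labels commonly reserved for government use (assumption: extend per country).
GOV_LABELS = {"gov", "gob", "gouv"}


def is_government_domain(name: str) -> bool:
    """True when the domain sits under a gov-style label, e.g. x.gov.vn, x.gob.mx, x.gouv.fr, x.gov."""
    labels = name.lower().rstrip(".").split(".")
    return any(label in GOV_LABELS for label in labels[-2:])


def overlaps(a, b) -> bool:
    """Closed-interval overlap test on (start, end) date pairs."""
    return a[0] <= b[1] and b[0] <= a[1]


def correlate(sightings, pdns, rrtypes=("A", "AAAA")):
    """Join PDNS address records to infected IPs, keeping only time-overlapping resolutions."""
    hits = []
    for rrname, rrtype, rdata, first, last in pdns:
        if rrtype not in rrtypes or rdata not in sightings:
            continue
        if not overlaps((first, last), sightings[rdata]):
            continue
        hits.append({"rrname": rrname, "ip": rdata, "government": is_government_domain(rrname)})
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGHTINGS, PDNS):
        flag = "GOVERNMENT" if hit["government"] else ""
        print(f"{hit['ip']:16} {hit['rrname']:28} {flag}")
```

A hit here means a government hostname resolved to an infected address during the infection window, which is what the report observes. It does not by itself prove the government system is the infected device: on shared or reverse-proxied hosting the infected process may belong to a neighbouring tenant, so each hit still needs host-level confirmation.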

Threat actors may be using government systems as access points, or may already have a foothold inside these sensitive networks.
Silent Push also found a new SystemBC variant written in Perl, a sign that the operators keep reworking their tooling to evade detection and to retain control of infected hosts.

To keep this massive network alive, the operators rely on “bulletproof” hosting providers—services that ignore abuse complaints and protect criminal infrastructure. The investigation observed SystemBC command-and-control (C2) servers leveraging “abuse-tolerant bulletproof hosting, including BTHoster (bthoster[.]com) and AS213790 (BTCloud)”.
The report highlights a concerning trend: “Many infected IP addresses are listed in VirusTotal comments for exploiting WordPress.” This suggests the proxy network is being rented out, or used directly by its operators, to attack vulnerable WordPress sites, with the victims' addresses showing up as the apparent source of the attacks.
