
In the shadowy world of cybercrime, a persistent malware campaign called SystemBC has quietly expanded its reach, compromising over 10,000 IP addresses worldwide, including systems tied to sensitive government infrastructure. Recent research by cybersecurity firm Silent Push sheds new light on the malware’s global footprint and highlights its ongoing role as an early-stage tool in cyber intrusion campaigns that often culminate in ransomware attacks.
First documented in 2019, SystemBC, also known as Coroxy or DroxiDat, is a proxy malware that turns infected systems into SOCKS5 relays. Attackers route their traffic through these compromised machines, which masks their own infrastructure while giving them durable access to the victim's internal systems. In many cases the infection also serves as a loader, fetching additional malware and broadening the scope of the compromise.
Silent Push began systematic tracking of SystemBC activity in 2025 after repeatedly observing the malware preceding ransomware incidents. By developing a SystemBC-specific fingerprint, researchers were able to detect infections and their supporting infrastructure at scale. Their analysis revealed over 10,000 unique infected IP addresses, with activity dating back to 2019, underscoring the malware’s persistence and evolution.
Global Spread and Persistent Threat
The infections were globally distributed, with the highest concentration in the United States, followed by Germany, France, Singapore, and India. A key factor behind the malware’s resilience is that many affected systems reside in data center environments, rather than home networks, allowing infections to persist for weeks or even months.
One particularly notable discovery was a previously undocumented SystemBC variant written in Perl and built for Linux hosts. At the time of analysis it was not flagged by any of the 62 antivirus engines that scanned it, highlighting how difficult emerging variants are to identify and mitigate with existing tooling.
The research also revealed that SystemBC’s command-and-control (C2) infrastructure heavily relies on abuse-tolerant, bulletproof hosting providers such as BTHoster and AS213790 (BTCloud). Within a single hosting cluster, analysts identified over 10,340 victim IPs, with infections lasting an average of 38 days and some persisting for more than 100 days. Alarmingly, compromised IPs included official government websites in Burkina Faso and Vietnam, which were not only victims but also used to amplify the proxy network, increasing the potential damage.
To defend against such threats, Silent Push recommends proactive monitoring for SystemBC activity. Because the malware often appears early in an intrusion chain, its presence on a host is an early warning of more severe follow-on attacks, particularly ransomware deployment.
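The relay behaviour described above is ordinary SOCKS5 (RFC 1928) running on a host that should not be offering it, which is something a network-side check can key on. The script below is an added example for this article; it is not Silent Push's fingerprint and not SystemBC code. It parses SOCKS5 client greetings and requests out of the first bytes a client sent on each flow and reports hosts that accept SOCKS5 sessions from non-internal clients, together with the destinations those clients asked to reach. The flow-record layout, the internal address ranges and the sample flows are all constructed for the example.

```python
"""Flag hosts acting as SOCKS5 relays in constructed flow records.

Added example for this article, not Silent Push's SystemBC fingerprint.
Assumed input: one dict per flow with the source IP, destination IP,
destination port and the first bytes the client sent on the connection.
"""
import ipaddress
from collections import defaultdict

# RFC 1928 constants
SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Assumed organisation-internal ranges: clients here are expected to use a proxy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_socks5_greeting(payload: bytes) -> bool:
    """True for a complete client greeting: VER=5, NMETHODS, then NMETHODS method bytes."""
    if len(payload) < 3 or payload[0] != SOCKS_VER:
        return False
    nmethods = payload[1]
    return nmethods >= 1 and len(payload) == 2 + nmethods


def parse_socks5_request(payload: bytes):
    """Parse a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT).

    Returns (command, target_host, target_port), or None for malformed bytes.
    The shortest valid request (one-byte domain name) is 8 bytes long.
    """
    if len(payload) < 8 or payload[0] != SOCKS_VER or payload[2] != 0x00:
        return None
    cmd, atyp = payload[1], payload[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 8
        if len(payload) != addr_end + 2:
            return None
        host = str(ipaddress.IPv4Address(payload[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        name_len = payload[4]
        addr_end = 5 + name_len
        if name_len == 0 or len(payload) != addr_end + 2:
            return None
        host = payload[5:addr_end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        addr_end = 20
        if len(payload) != addr_end + 2:
            return None
        host = str(ipaddress.IPv6Address(payload[4:addr_end]))
    else:
        return None
    port = int.from_bytes(payload[addr_end:addr_end + 2], "big")
    return CMD_NAMES[cmd], host, port


def find_socks5_relays(flows):
    """Return {relay_host: {"clients", "ports", "targets"}} for hosts that accept
    SOCKS5 greetings or requests from clients outside the internal ranges."""
    relays = defaultdict(lambda: {"clients": set(), "ports": set(), "targets": set()})
    for flow in flows:
        if is_internal(flow["src"]):
            continue  # internal client talking to a corporate proxy is expected traffic
        payload = flow["payload"]
        request = None
        if not is_socks5_greeting(payload):
            request = parse_socks5_request(payload)
            if request is None:
                continue  # not SOCKS5 at all (HTTP, TLS, ...)
        entry = relays[flow["dst"]]
        entry["clients"].add(flow["src"])
        entry["ports"].add(flow["dport"])
        if request is not None:
            cmd, host, port = request
            entry["targets"].add(f"{cmd} {host}:{port}")
    return dict(relays)


def build_connect_request(host: str, port: int) -> bytes:
    """Helper for the constructed sample data: CONNECT to a domain-name target."""
    name = host.encode("ascii")
    return bytes([SOCKS_VER, 0x01, 0x00, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    # Internet client negotiating SOCKS5 with a data-centre host on a high port
    {"src": "203.0.113.7", "dst": "198.51.100.20", "dport": 4000, "payload": b"\x05\x01\x00"},
    {"src": "203.0.113.7", "dst": "198.51.100.20", "dport": 4000,
     "payload": build_connect_request("mail.example.net", 443)},
    # Same relay, IPv4 target: VER CMD RSV ATYP=1, 4 address bytes, 2 port bytes
    {"src": "203.0.113.7", "dst": "198.51.100.20", "dport": 4000,
     "payload": b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + (3389).to_bytes(2, "big")},
    # Ordinary HTTP to the same host: not SOCKS, ignored
    {"src": "203.0.113.9", "dst": "198.51.100.20", "dport": 80, "payload": b"GET / HTTP/1.1\r\n"},
    # Internal workstation using the corporate proxy: expected, not reported
    {"src": "10.0.0.9", "dst": "10.0.0.10", "dport": 1080, "payload": b"\x05\x02\x00\x02"},
]

if __name__ == "__main__":
    for host, info in find_socks5_relays(SAMPLE_FLOWS).items():
        print(f"{host}: SOCKS5 sessions from {sorted(info['clients'])} on ports {sorted(info['ports'])}")
        for target in sorted(info["targets"]):
            print(f"  client requested {target}")
```

A leading 0x05 byte is a weak signal on its own; before alerting in production, pair the client greeting with the server's two-byte method reply on the same connection. A data-centre host that answers SOCKS5 on a non-standard port to arbitrary Internet clients is the relay pattern the article describes and is worth isolating and checking for a loader before the ransomware stage arrives.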
What Undercode Says:
SystemBC exemplifies the growing sophistication of cybercriminal infrastructure and the dangers of malware as a multi-purpose tool. Unlike ransomware, which immediately disrupts operations, SystemBC functions as a stealthy enabler, giving attackers time and flexibility to expand access across networks. Its global footprint, reliance on bulletproof hosting, and ability to evade detection make it a persistent threat to both corporate and governmental networks.
The discovery of a Perl-based Linux variant is particularly concerning. While Windows environments are typically the primary target, this shows cybercriminals are increasingly diversifying attack vectors, exploiting overlooked server environments. Antivirus evasion by this variant underscores the limitations of signature-based defenses, signaling a shift towards more sophisticated, behavior-based detection methods.
The infection patterns—especially the concentration in data centers and official government networks—suggest that threat actors are strategically positioning their malware for maximum operational impact. Using government infrastructure as proxy nodes magnifies risk, potentially enabling attackers to bypass geofencing controls, access sensitive data, and complicate attribution efforts.
Silent Push’s call for early-stage monitoring is crucial. Organizations cannot wait until ransomware hits; understanding and mitigating tools like SystemBC is now a foundational cybersecurity requirement. Threat actors exploit these footholds to stage attacks months in advance, making proactive intelligence gathering, network segmentation, and anomaly detection essential defensive strategies.
The continued evolution of SystemBC highlights a broader trend in malware development: modular, evasive, and globally distributed tools designed to provide attackers flexibility, resilience, and stealth. For governments and enterprises alike, this represents a wake-up call to strengthen network hygiene, adopt advanced monitoring, and treat malware not just as an endpoint threat but as a strategic weapon in multi-stage cyber campaigns.
Fact Checker Results:
✅ SystemBC has been active since 2019 and is linked to over 10,000 IPs globally.
✅ Data center environments host many of the infected systems, increasing infection persistence.
✅ A new Perl-based Linux variant went undetected by 62 antivirus engines at the time of analysis.
Prediction:
📌 SystemBC will continue evolving, likely targeting cloud and Linux infrastructures more aggressively.
📌 Governments and enterprises could see longer-lasting intrusions as attackers exploit bulletproof hosting services.
📌 Early detection frameworks will become standard, emphasizing behavioral monitoring over traditional antivirus solutions.
References:
Reported By: www.infosecurity-magazine.com