SystemBC Malware Turns VPS Servers Into High-Bandwidth Proxies For Criminals
Researchers revealed that the SystemBC botnet converts VPS servers into proxy servers for criminal operations that include REM Proxy and ransomware attacks across the globe.
In a rush? Here are the quick facts:
- SystemBC botnet compromises about 1,500 systems daily, mainly VPS servers.
- REM Proxy sells tiered proxies, including Mikrotik routers, to criminal actors.
- Nearly 80% of infected systems come from five large VPS providers.
 
Cybersecurity firm Lumen Technologies has discovered new details about the “SystemBC” botnet. This vast network of over 80 command-and-control servers (C2s) was found to have compromised around 1,500 systems on a daily basis. The researchers say that nearly 80% of these victims are virtual private servers (VPS) from major providers.
“By manipulating VPS systems instead of devices in residential IP space as is typical in malware-based proxy networks, SystemBC can offer proxies with massive amounts of volume for longer periods of time,” the researchers said.
The researchers explain that these infected VPS systems function as proxy servers, generating massive amounts of malicious traffic that criminal organizations use to conduct their operations.
The botnet also supports REM Proxy, a large network marketing 20,000 Mikrotik routers and other open proxies.
Lumen explains that REM Proxy operates as a proxy service which supports ransomware groups, such as Morpheus and TransferLoader, offering different proxy services that include fast and stealthy options, as well as affordable IP addresses for password cracking.
“SystemBC has exhibited sustained activity and operational resilience across multiple years,” Lumen said, noting that the malware originally documented in 2019 remains a key tool for criminal groups. Each infected server averages 20 unpatched vulnerabilities, with some showing over 160.
The malware functions as a proxy tool which enables attackers to redirect traffic through infected computers. Operators focus on volume rather than stealth; in one test, a single IP generated more than 16 gigabytes of data in 24 hours.
Lumen has blocked all traffic to and from SystemBC and REM Proxy infrastructure across its global network. The researchers also released indicators of compromise (IoCs) to help others protect themselves.
“We will continue to monitor new infrastructure, targeting activity, and expanding TTPs; and collaborate with the security research community to share findings,” the report concluded.