Researchers have identified a new variant of the SystemBC botnet malware, a threat that has been in circulation since 2019 and has been found on machines around the world, including some tied to ransomware intrusions.  

The SystemBC botnet malware has become a critical component in the modern threat landscape, often preceding a full-scale ransomware deployment. Law enforcement agencies have been tracking the botnet for many years, and in 2024 Europol disrupted part of the SystemBC infrastructure. That disruption was not lasting, however: new research from Silent Push shows the botnet is still active and globally distributed.

The new variant the researchers identified is written in Perl and designed to target Linux machines. 

“Examining the files that dropped the Perl script revealed two additional ELF binaries: SafeObject and StringHash. The SafeObject file is a UPX-packed variant of StringHash. Once unpacked, it recursively hunts for writable directories before dropping and executing 264 embedded SystemBC payloads, including both ELF and Perl variants,” the Silent Push analysis says.

“Behavior aside, the dropper is unusually noisy and littered with Russian-language strings—an unscientific but familiar clue about the threat actor’s origins.”
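The dropper behavior described above (hunt for writable directories, then drop ELF and Perl payloads, some UPX-packed) suggests a simple triage sweep for a Linux host. The script below is an added example written for this article, not code from Silent Push or from the malware: it walks the directories a dropper could write to and reports regular files that start with the ELF magic (flagging those that also carry the "UPX!" marker UPX places in its stub) or with a Perl shebang. The sample files it builds under a temporary directory are constructed for the demonstration; the marker strings are public format facts, not indicators taken from the report.

```python
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Public format constants (ELF header magic, UPX stub marker, Perl shebangs).
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"
PERL_SHEBANGS = (b"#!/usr/bin/perl", b"#!/usr/bin/env perl", b"#!/bin/perl")
MAX_READ = 4 * 1024 * 1024  # cap how much of each file is inspected


def classify(head: bytes) -> Optional[str]:
    """Classify a file from its leading bytes.

    Returns "elf-upx" for an ELF carrying the UPX marker, "elf" for any other
    ELF, "perl" for a Perl script, or None for anything else.
    """
    if head.startswith(ELF_MAGIC):
        # UPX writes "UPX!" into the stub prepended to the packed ELF; it sits
        # within the first few hundred bytes (and again near the end of file).
        return "elf-upx" if UPX_MARKER in head else "elf"
    if head.lstrip().startswith(PERL_SHEBANGS):
        return "perl"
    return None


def is_writable_dir(path: str) -> bool:
    """True if the current user could create a file here, which is exactly
    the property the dropper tests for before writing its payloads."""
    return os.path.isdir(path) and os.access(path, os.W_OK | os.X_OK)


def hunt(roots: List[str], max_read: int = MAX_READ) -> List[Tuple[str, str]]:
    """Walk `roots` and return [(path, kind)] for ELF, UPX-packed ELF and
    Perl files that sit in directories writable by the current user."""
    findings = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Do not descend into symlinked directories (avoids loops).
            dirnames[:] = [d for d in dirnames
                           if not os.path.islink(os.path.join(dirpath, d))]
            if not is_writable_dir(dirpath):
                continue
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                        continue
                    with open(path, "rb") as fh:
                        head = fh.read(max_read)
                except OSError:
                    continue
                kind = classify(head)
                if kind:
                    findings.append((path, kind))
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: a fake UPX-packed ELF, a plain ELF, a Perl
    script and an unrelated text file. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="systembc-hunt-")
    samples = {
        "SafeObject": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + UPX_MARKER + b"\x00" * 32,
        "StringHash": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 100,
        "sysbc.pl":   b"#!/usr/bin/perl\nuse strict;\nprint \"constructed sample\\n\";\n",
        "notes.txt":  b"plain text, should not be reported\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Real sweep would use roots such as ["/tmp", "/var/tmp", "/dev/shm", "/home"].
    demo_root = build_demo_tree()
    for path, kind in hunt([demo_root]):
        print(f"{kind:8s} {path}")
```

Treat the output as a triage list rather than a verdict: any legitimate Perl script or unpacked binary in a user-writable directory will also be listed, so the value lies in the unexpected ELF (packed or not) that appears in /tmp, /dev/shm or a web root the web server account can write to.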

Dual Functionality: Proxy and Backdoor

SystemBC's design allows it to serve two primary functions:

  1. SOCKS5 Proxy Network: The malware turns compromised systems into a resilient SOCKS5 proxy, so that attacker traffic is routed through, and appears to originate from, the infected network.
  2. Persistent Backdoor: It acts as a backdoor that maintains external access to the infected network, often tunneling traffic to attacker-controlled command-and-control (C2) infrastructure.

Certain variants, including the Windows version, have been observed dropping additional malware alongside ransomware payloads, expanding the potential effects of a compromise and reinforcing the need for early detection.
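To make the proxy role concrete, the example below decodes the first two client messages of a SOCKS5 session (the greeting and the CONNECT/BIND/UDP request, as specified in RFC 1928) and flags flows in which an internal host is accepting SOCKS5 handshakes on a port nobody provisioned for proxying. This is an added example written for this article, not code from Silent Push or from the malware; the flow records are constructed, the port 4001 and the destination example.com are placeholders, and it only recognizes cleartext SOCKS5, so it illustrates what "SOCKS5 proxy" means for traffic passing through a compromised host rather than detecting SystemBC's own C2 protocol.

```python
import socket
import struct
from typing import Dict, List, Optional, Tuple

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def parse_greeting(data: bytes) -> Optional[List[int]]:
    """Parse the client greeting: VER | NMETHODS | METHODS[NMETHODS].
    Returns the offered authentication methods, or None if this is not
    a well-formed SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n])


def parse_request(data: bytes) -> Optional[Tuple[str, str, int]]:
    """Parse the request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT.
    Returns (command, host, port), or None on anything malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(data) < addr_end + 2:
            return None
        host = socket.inet_ntoa(data[4:addr_end])
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        addr_end = 5 + data[4]          # length-prefixed domain name
        if len(data) < addr_end + 2:
            return None
        host = data[5:addr_end].decode("ascii", "replace")
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(data) < addr_end + 2:
            return None
        host = socket.inet_ntop(socket.AF_INET6, data[4:addr_end])
    else:
        return None
    port = struct.unpack("!H", data[addr_end:addr_end + 2])[0]
    return CMD_NAMES[cmd], host, port


def scan_flows(flows: List[Dict], allowed_proxy_ports=(1080,)) -> List[Dict]:
    """Return an alert for every flow whose client side speaks SOCKS5 to a
    destination port that is not a sanctioned proxy port. Each flow record
    carries the first two client payloads (greeting, then request)."""
    alerts = []
    for f in flows:
        methods = parse_greeting(f["client_first"])
        if methods is None or f["dport"] in allowed_proxy_ports:
            continue
        alerts.append({
            "proxy_host": f["dst"],
            "proxy_port": f["dport"],
            "client": f["src"],
            "auth_methods": methods,
            "target": parse_request(f.get("client_second", b"")),
        })
    return alerts


# Constructed flow records (not captured traffic): an ordinary TLS ClientHello,
# a SOCKS5 session to an internal host on an unexpected port, and a SOCKS5
# session to a port that is on the allow list.
SAMPLE_FLOWS = [
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 443,
     "client_first": b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03" + b"\x00" * 32},
    {"src": "203.0.113.44", "dst": "10.0.0.9", "dport": 4001,
     "client_first": b"\x05\x01\x00",
     "client_second": b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"},
    {"src": "10.0.0.7", "dst": "10.0.0.2", "dport": 1080,
     "client_first": b"\x05\x02\x00\x02",
     "client_second": b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"},
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

The useful signal is the combination: an external client, an internal host answering a SOCKS5 greeting on an arbitrary port, and a CONNECT whose destination is a third party. A host that is suddenly a SOCKS5 endpoint for somebody on the Internet is behaving exactly as the proxy role above describes, whatever the binary that opened the port.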

A Long History as a High-Profile Threat

SystemBC is well-known and the malware was among the families targeted during Europol’s 2024 Operation Endgame, a major coordinated effort aimed at disrupting large-scale dropper malware ecosystems. This attention follows years of public reporting that consistently links SystemBC activity to intrusions that culminate in major ransomware deployment.

Silent Push began tracking SystemBC in 2025, quickly identifying its recurring role in pre-ransomware intrusion campaigns. The researchers developed a SystemBC tracking fingerprint, leading to two major findings:

  • Massive Global Scale: The researchers identified more than 10,000 unique infected IP addresses worldwide, with high concentrations in the U.S., followed by Germany, France, Singapore, and India. The dataset also captured infections within sensitive government infrastructure, including compromised high-density IP addresses hosting official websites in Burkina Faso and Vietnam.
  • Undocumented Perl Variant: The Silent Push analysis uncovered a previously undocumented SystemBC variant written in Perl. This discovery is an indicator of continued development activity and an ongoing evolution of the malware family.

The infrastructure tied to SystemBC activity in Silent Push's dataset dates back to 2019, highlighting the longevity of this threat.

The Ongoing Threat

While Operation Endgame sought to disrupt this criminal infrastructure, updates from the developer, known as “psevdo,” continue to appear on a Russian-language forum. And much of the activity that Silent Push monitored recently has targeted hosting providers.

“Many infected IP addresses have been reported in VirusTotal comments for engaging in WordPress exploitation activity. Taken together, these observations indicate that threat actors are using SystemBC-associated proxies to target WordPress websites,” Silent Push said.