When a threat story leads with a number, it’s tempting to treat the number as the point.
In early February 2026, researchers at Silent Push reported more than 10,000 active infections linked to SystemBC, a long-running piece of proxy malware that’s frequently used to establish early access in ransomware campaigns. Mainstream coverage has focused on the scale, the global spread, and the uncomfortable detail that some compromised systems appear linked to government infrastructure.
All of that matters. But it’s not the signal.
The signal is the pattern this kind of malware represents and what it quietly tells us about how modern ransomware operations actually succeed. Not with the dramatic moment of encryption, but with the far less visible work that happens before that, when attackers set up access that looks like “just traffic” until it’s too late.
What You Already Know: A Large, Persistent Proxy Botnet Still Active in the Wild
The core facts are straightforward.
Silent Push mapped a globally distributed botnet associated with SystemBC malware by using a custom tracking fingerprint. Their findings pointed to a large pool of infected IP addresses and a botnet that’s still active in the wild. Reporting also highlights that the botnet includes compromised systems tied to critical environments, including government-linked infrastructure.
From a technical perspective, SystemBC isn’t described as a smash-and-grab tool. It’s a piece of proxy infrastructure. Once deployed, it can turn an infected host into a SOCKS5 proxy, routing traffic through compromised systems so the attacker’s activity is harder to trace and easier to sustain.
Silent Push also described a notable evolution: a previously undocumented Linux-targeting variant written in Perl, with limited visibility across antivirus engines at the time of analysis. That matters because it signals continued development and a willingness to widen the target set beyond the usual Windows-heavy assumptions many teams still carry into day-to-day monitoring.
The headline takeaway from security media is fair: a durable, widely used threat has been measured at scale again, and it’s still doing work for attackers.
Now comes the part most coverage doesn’t linger on.
What No One Is Talking About: SystemBC as an Infrastructure Problem, Not a Malware Event
SystemBC is often discussed as "something you find" and then "clean up." That framing is convenient, but it’s also misleading.
This isn’t primarily a data theft tool. It isn’t designed to create an immediate, obvious crisis. In many cases, it’s an infrastructure malware layer that makes other stages of an intrusion easier and safer for the attacker. It’s the scaffolding.
That’s why it shows up so reliably in early-stage intrusion chains tied to ransomware. It helps attackers hold access, move quietly, and route follow-on activity through systems that look legitimate enough to blend into background noise. It can support proxy-based access, enable a form of persistence, and reduce the operational risk for adversaries while they work out what they’ve landed on.
The uncomfortable implication is that a SystemBC detection often isn’t “a malware event.” It’s a sign that somebody has been building a runway.
That’s also why its longevity matters. SystemBC was first documented in 2019, and it keeps reappearing. Not because defenders don’t know it exists, but because the thing it does sits in the seam between categories. It’s not purely endpoint. It’s not purely network. It’s not loudly malicious in a way that forces immediate attention.
It’s a low-noise malware problem, and those are the ones that tend to linger.
Why Proxy Malware Keeps Slipping Through Enterprise Defences
Most enterprise security programs don’t struggle with recognising “bad files” in isolation. They struggle with interpreting behaviour that looks like business as usual until it doesn’t.
Proxy malware thrives in that gap.
First, there’s an implicit trust in outbound activity. Many environments still treat egress as less suspicious than ingress. If a system is making outbound connections, it’s often assumed it’s updating, syncing, calling a service, or doing something routine. That assumption creates room for backconnect architecture patterns, where an infected host initiates outbound communication to attacker-controlled infrastructure, then relays traffic back through itself.
Second, SOCKS5 traffic itself isn’t inherently malicious. It’s a legitimate protocol used in plenty of real-world scenarios. The problem is when it shows up where it shouldn’t, on systems that have no business acting as a proxy, or when it becomes long-lived and oddly consistent.
Third, there’s the reality of monitoring priorities. Many SOCs are tuned for high-confidence signals: known malicious domains, obvious beaconing, clear malware telemetry, or loud lateral movement. Proxy malware can sit beneath those thresholds, especially if it’s being used as a relay rather than a direct delivery mechanism.
Fourth, hosting and infrastructure assumptions can get in the way. When compromised systems sit inside environments that are “supposed to be stable”, like servers, workloads, or third-party hosted infrastructure, defenders can be slower to suspect proxy abuse. The more “normal” the asset looks, the more time an attacker can buy.
Put those together, and you get a predictable outcome: weak outbound traffic monitoring, inconsistent egress filtering, and a set of detection blind spots that proxy-focused threats exploit with ease.
This is where the SystemBC story stops being about one malware family and starts being about enterprise design decisions.
The Real Signal: Ransomware Is Still Won or Lost Before Encryption Ever Starts
Ransomware headlines tend to frame the crisis as the moment encryption begins. That’s the visible part. It’s also usually the late part.
SystemBC sits earlier, in the phase that many organisations still treat as ambiguous. The phase where a single compromised host might be dismissed as a one-off, a nuisance, or a routine malware cleanup ticket.
But modern ransomware operations are rarely built on single moments. They’re built on sequences.
If you zoom out, SystemBC fits neatly into a wider intrusion lifecycle pattern:
An attacker establishes initial access. They strengthen access. They make access harder to attribute. They test movement. They look for credentials. They map what matters. Only then do they decide whether to deploy a payload that forces a crisis.
That’s why proxy malware is a strong early compromise indicator. It suggests the attacker isn’t just passing through. They’re preparing.
This is also where the “10,000 systems” headline becomes less important than the operational message underneath it: access tooling at scale is still living comfortably inside real environments, because many teams are optimising for the wrong stage of the ransomware kill chain.
If you only get serious when encryption starts, you’re playing the last round of a game the attacker has already been winning for days or weeks.
What This Means for Security Leaders Right Now
Here’s the concise interpretation that matters for enterprise decision-makers:
For enterprises, a SystemBC detection should be treated as a sign of follow-on risk, not as the end of a contained incident.
That’s a posture shift. It changes how you triage, what you investigate, and how you allocate scarce response time.
It means elevating SystemBC from “malware cleanup” to a high-severity security event that triggers a deeper set of questions:
What outbound connections has this system maintained, and for how long?
What traffic patterns suggest proxying rather than normal service behaviour?
What other endpoints or identities does this host have access to?
What credentials have been used from it?
What lateral movement opportunities exist from its position in the environment?
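The four gaps described earlier (trusted egress, long-lived backconnect sessions, benign-looking SOCKS relaying, "stable" assets nobody suspects) and the triage questions above both come down to the same shape in the data: an internal host that is not supposed to be a proxy holds a long-lived outbound session to an external address and, while that session is open, fans out to other internal machines. The Python below is an added example written for this article, not code from Silent Push, EM360Tech or any SystemBC analysis. It assumes hypothetical flow records with the fields shown, an assumed internal address range, an allowlist of designated proxies, illustrative thresholds, and constructed sample flows; none of these values come from the report.

```python
# Triage of egress/flow records for backconnect-proxy behaviour.
# Added example; not code from Silent Push or EM360Tech. The Flow fields,
# address ranges, thresholds, allowlist and sample flows are all constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Flow:
    src: str        # initiating host
    dst: str        # destination host
    dport: int      # destination port
    start: int      # epoch seconds, connection opened
    end: int        # epoch seconds, connection closed
    bytes_out: int  # src -> dst
    bytes_in: int   # dst -> src


INTERNAL_PREFIXES = ("10.", "192.168.")  # assumed internal ranges (constructed)
DESIGNATED_PROXIES = {"10.0.0.5"}        # hosts that are *supposed* to relay traffic
LONG_LIVED_SECS = 3600                   # illustrative threshold, not a tuned value
FANOUT_THRESHOLD = 3                     # distinct internal peers reached during the session


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def overlaps(a: Flow, b: Flow) -> bool:
    return a.start < b.end and b.start < a.end


def triage(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Return one finding per internal host that (1) is not a designated proxy,
    (2) holds a long-lived outbound session to an external address, and
    (3) fans out to several internal peers while that session is open.
    The finding answers the triage questions: which external peer, for how
    long, whether traffic is two-way (relay) or one-way (beacon/upload), and
    which internal systems were reached from the host's position."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings: Dict[str, dict] = {}
    for host, host_flows in by_src.items():
        if not is_internal(host) or host in DESIGNATED_PROXIES:
            continue
        backconnects = [f for f in host_flows
                        if not is_internal(f.dst) and f.end - f.start >= LONG_LIVED_SECS]
        for bc in backconnects:
            relayed = sorted({f.dst for f in host_flows
                              if is_internal(f.dst) and f.dst != host and overlaps(f, bc)})
            if len(relayed) < FANOUT_THRESHOLD:
                continue
            # A beacon is tiny and one-sided; a relay carries real traffic both ways.
            lo, hi = sorted((bc.bytes_in, bc.bytes_out))
            findings[host] = {
                "external_peer": f"{bc.dst}:{bc.dport}",
                "session_secs": bc.end - bc.start,
                "bidirectional": hi > 0 and lo / hi >= 0.2,
                "relayed_peers": relayed,
            }
            break  # one finding per host is enough to open an investigation
    return findings


# Constructed sample flows (RFC 5737 documentation addresses for the outside).
SAMPLE_FLOWS = [
    # ws-17: two-hour outbound session, heavy both ways, and during it
    # connections to four internal machines -> relay shape, flagged
    Flow("10.1.4.17", "203.0.113.9", 443, 1000, 8200, 4_800_000, 5_100_000),
    Flow("10.1.4.17", "10.1.4.20", 445, 1600, 1900, 20_000, 300_000),
    Flow("10.1.4.17", "10.1.4.21", 3389, 2000, 2600, 900_000, 1_200_000),
    Flow("10.1.4.17", "10.1.7.2", 5985, 2700, 2800, 4_000, 6_000),
    Flow("10.1.4.17", "10.1.7.3", 22, 3000, 3500, 50_000, 80_000),
    # ws-22: long-lived but one-sided upload, talks to a single file server -> not flagged
    Flow("10.1.4.22", "198.51.100.4", 443, 1000, 8200, 52_000_000, 9_000),
    Flow("10.1.4.22", "10.1.4.20", 445, 1500, 1700, 10_000, 40_000),
    # designated proxy shows the same fan-out by design -> skipped by allowlist
    Flow("10.0.0.5", "203.0.113.40", 443, 1000, 9000, 8_000_000, 8_500_000),
    Flow("10.0.0.5", "10.1.4.20", 445, 1200, 1300, 1_000, 2_000),
    Flow("10.0.0.5", "10.1.4.21", 445, 1400, 1500, 1_000, 2_000),
    Flow("10.0.0.5", "10.1.7.2", 445, 1600, 1700, 1_000, 2_000),
    # ws-30: a one-minute external call, nothing long-lived -> not flagged
    Flow("10.1.4.30", "203.0.113.9", 443, 1000, 1060, 2_000, 30_000),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_FLOWS).items():
        print(host, finding)
```

The point of the allowlist is that the same shape is normal on a host that is meant to relay traffic, so the check is "proxying where it shouldn't be" rather than "proxying at all", which is exactly the distinction a signature on SOCKS5 alone cannot make. In practice the internal ranges, the proxy allowlist and the two thresholds would come from the environment's own inventory and baselines.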
It also means resisting a common trap: focusing only on eradication without understanding utility. If you remove the artefact but miss the reason it was deployed, you can end up cleaning the symptom while the intrusion continues elsewhere.
This isn’t about turning every alert into a crisis. It’s about incident prioritisation that matches attacker intent. Proxy malware exists to preserve access. That’s rarely a low-stakes situation.
For security leaders, the pragmatic goal is to tighten the early-warning layer:
Improve SOC visibility into suspicious outbound behaviour.
Enforce exit controls that make unauthorised proxying harder.
Treat unexpected proxy activity as a prompt for investigation, not a footnote.
Make sure your containment strategy assumes the attacker is already trying to make their access resilient.
That’s not just a technical adjustment. It’s a leadership decision about what your organisation considers “early enough” to act on.
Final Thoughts: Early Access Is the Ransomware Battlefield
The SystemBC botnet story isn’t most valuable because it’s large. It’s valuable because it points to a familiar weakness, one that ransomware groups have been exploiting for years.
Proxy malware reminds us that the most important part of a ransomware campaign often happens before anyone feels panicked. It happens while defenders are still deciding whether something is “serious enough”. It happens in outbound connections that don’t look dramatic. It happens in the quiet persistence mechanisms that turn a single compromise into an operational foothold.
If there’s a forward-looking lesson here, it’s this: organisations that keep optimising for the moment of encryption will keep losing time in the moments that actually decide the outcome.
If you’re trying to stay ahead of that curve, EM360Tech’s breaking analysis is built to help security leaders spot the signals that matter early enough to do something useful with them.