systembc
6 min read
FreeSystemBC Infrastructure Investigation: Automated Insights in Response to Black Lotus Labs' Report
We independently validated and extended Lumen's SystemBC findings with Chawkr's clustering pipeline. The result: role-based infrastructure profiles, stability metrics, and anomaly scores.
By Chawkr Reports
19/09/2025
SystemBC Infrastructure Investigation: Automated Insights in Response to Black Lotus Labs' Report
Executive Summary
Following Black Lotus Labs' SystemBC - Bringing the Noise report, we re-analyzed the same IoCs published on GitHub with Chawkr's automated clustering pipeline to validate and extend the findings. Our approach transforms flat IoC lists into role-based infrastructure clusters, enriched with stability metrics, vulnerability profiles, and anomaly scores.
The analysis confirms Black Lotus Labs' observation of a large, noisy proxy botnet, while adding clarity on infrastructure tiers, provider fingerprints, anomaly signals, and MITRE ATT&CK mapping.
Bottom line: SystemBC's infrastructure reflects systematic, professionally deployed operations, blending legacy Apache-based C2 nodes, noisy Nginx proxy fleets, hardened SSH-only access points, and stealth minimal-service assets.
Key Findings
-
Scale & Composition
- 118 assets across 13 clusters (validation report baseline).
- 63 Tier Alpha nodes (Apache 2.4.62 + SSH) = 53% of infra, serving as primary C2/proxy tier.
- IoCs also tie to REM Proxy infrastructure (cross-service blending).
-
Cluster Roles (validated across multiple views)
- Apache + SSH dual-service hubs (Clusters 1, 6, 9): C2 + payload hosting.
- Nginx loader/proxy fleets (Clusters 3, 7): disposable proxies; KEV vulnerable.
- SSH-only hardened nodes (Cluster 5): operator jump hosts.
- Minimal/hardened infrastructure (Cluster 8): stealth/fallback.
- Secondary web-only Apache (2.4.65) (Clusters 4, 11): updated, lower CVE exposure.
-
Vulnerability Posture
- Apache 2.4.62 fleets: up to ~1,200 CVEs across the full host stack (Apache + OpenSSH + Debian packages, per Shodan CPE enumeration); Apache-core exemplars include CVE-2024-47252, CVE-2025-23048 (mTLS bypass, CVSS 9.1), CVE-2025-49812 (HTTP desync via TLS upgrade).
- Nginx clusters: exposed to CVE-2023-44487 (HTTP/2 Rapid Reset, KEV).
- SSH-only nodes: hardened posture, 0 CVEs detected.
- Minimal clusters: no service exposure.
-
Provider Fingerprints
- Limited Network LTD dominates Cluster 9 (63.33% assets).
- Secondary: MNTTR and Internet Security - US OH.
- Hosting provider concentration contributes attribution.
-
Anomaly & Stability
- Most clusters coherent ("Good/Very Good"), instability in Cluster -1, 9, 11.
- Six critical anomaly assets (e.g., 85.206.167.148, 185.25.48.96) show entropy >1.5, which indicates evasion tradecraft.
- High-priority anomalies overlap with REM Proxy IoCs.
Background
SystemBC is a commoditized proxy/loader malware family documented since 2019, initially seen with RIG and Fallout exploit kits and used to provide SOCKS5 proxying and to download/execute additional payloads. The kit includes Windows & Linux implants, a C2 server, and a PHP admin panel, and is sold/used across criminal ecosystems. Refs: Proofpoint; Malpedia; Kroll.
In September 2025, Black Lotus Labs released "SystemBC - Bringing the Noise". It describes a large SystemBC botnet oriented around high-volume proxy services: 80+ C2s and roughly 1,500 active victim proxies on a typical day. ~80% of these proxies are compromised VPS/cloud servers. That gives the botnet massive bandwidth at the cost of stealth. SystemBC infrastructure was observed feeding multiple commercial proxy services (e.g., REM Proxy) and a web-scraping service. Black Lotus Labs published a GitHub IoC list (dated September 19, 2025) that we used as ground truth for our automated validation. Refs: Black Lotus Labs blog; Black Lotus Labs IoC repo.
Infrastructure Tiers
| Tier | Cluster(s) | Core Tech | Exposure / Vulns | Role |
|---|---|---|---|---|
| Alpha | 1, 6, 9 | Apache 2.4.62 + SSH | 231–630 high-risk vulns | Primary C2 / proxies |
| Beta | 4, 11 | Apache 2.4.65 | 0 CVEs detected | Secondary web-facing services |
| Gamma | 5 | OpenSSH 9.2p1 only | Hardened posture | SSH access / jump hosts |
| Delta | 0, 2, 3, 7 | Nginx web servers | CVE-2023-44487 (KEV) | Loader / proxy fleets |
| Epsilon | 8 | Minimal services | No vulns | Stealth / fallback core |
Cluster Highlights
Cluster 9: Primary Operational C2/Proxy
- 30 assets; 63% hosted by Limited Network LTD.
- Apache 2.4.62 + OpenSSH 9.2p1, ports 80/22/4150/4369.
- ~1,200 CVEs incl. KEVs.
- Core control plane → highest disruption priority.
Cluster 5: SSH Access Infrastructure
- 13 assets, SSH-only with hardened configs.
- AES128-CTR cipher; consistent hassh fingerprint.
- Likely operator jump hosts.
- No CVEs, but anomaly IPs (e.g., 104.250.164.245).
Cluster 8: Specialized / Hardened Core
- 7 assets, no exposed services.
- 0 vulnerabilities; common archetype (5.9M matches).
- Defense-evasion via blending with benign infra.
Cluster Profiles
Cluster Infrastructure Profile: Cluster 4 (Apache Web Services)
| Characteristic | Top 5 Findings |
|---|---|
| Top Differentiators | Apache 2.4.65 standardization; updated stack |
| Observed Ports | 80/tcp (HTTP) |
| Common Products | Apache 2.4.65, Debian Linux |
| Vulnerabilities | Zero CVEs detected in metadata |
| Organizations/Hosts | Multi-provider, no dominant concentration |
| Analyst Label(s) | Web-focused secondary services |
| Cluster Size | ~11 assets |
| Queries (Detection) | http.component:"Apache" AND product.version:"2.4.65" |
| Anomaly Signals | None – stable |
Why it matters: This is updated Apache infrastructure, likely supporting secondary web services with less immediate exposure than primary C2 nodes.
Cluster Infrastructure Profile: Cluster 5 (SSH Access Infrastructure)
| Characteristic | Top 5 Findings |
|---|---|
| Top Differentiators | SSH-only exposure; minimal/no web services |
| Observed Ports | 22/tcp (SSH) |
| Common Products | OpenSSH 9.2p1, Debian Linux |
| Vulnerabilities | No CVEs detected (hardened posture) |
| Encryption & Certs | AES128-CTR cipher; curve25519-sha256 KEX; common hassh fingerprint across assets |
| Organizations/Hosts | MNTTR; Internet Security – US OH |
| Analyst Label(s) | Hardened SSH access/jumphost infrastructure |
| Cluster Size | 13 assets |
| Queries (Detection) | port:22 AND product:"OpenSSH" AND version:"9.2p1 Debian 2+deb12u7" AND has_vuln:false |
| Anomaly Signals | Contains critical anomalies: 104.250.164.245, 176.46.138.234 |
Why it matters: Likely operator jump nodes. High value for monitoring SSH telemetry and key reuse, as well as lateral movement detection.
Cluster Infrastructure Profile: Cluster 9 (Primary Apache C2 / Proxy)
| Characteristic | Top 5 Findings |
|---|---|
| Top Differentiators | Limited Network LTD (63.33% local freq); Apache 2.4.62; OpenSSH 9.2p1; AES128-CTR; multi-port exposure (80/22/4150/4369) |
| Observed Ports | 80/tcp (HTTP – 30), 22/tcp (SSH – 30), 4150/tcp (11), 4369/tcp (10) |
| Common Products | Apache 2.4.62, OpenSSH 9.2p1, Debian Linux |
| Vulnerabilities | ~1,200 CVEs total across host stack (Apache 2.4.62 + OpenSSH 9.2p1 + Debian packages, per Shodan CPE enumeration; ≈630 high-risk); Apache-core exemplars include CVE-2024-47252, CVE-2025-23048, CVE-2025-49812 |
| Encryption & Certs | SSH AES128-CTR, curve25519-sha256 KEX, chacha20-poly1305 |
| Organizations/Hosts | Limited Network LTD (63.33%), Internet Security – US OH |
| ISPs | Limited Network LTD concentration; diverse secondary providers |
| Analyst Label(s) | Primary operational C2/proxy infrastructure |
| Cluster Size | 30 assets |
| Queries (Detection) | org:"Limited Network LTD" AND http.component:"Apache" AND product.version:"2.4.62" AND port:(80 OR 22 OR 4150 OR 4369) AND product:"OpenSSH" AND version:"9.2p1" |
| Anomaly Signals | None — stable operational cluster |
Why it matters: Core C2/proxy tier with heavy Apache vulnerability exposure and custom ports (4150/4369). Strong candidates for blocking, takedown, and deep inspection for web shells.
Anomaly Analysis
- Six critical anomalies: e.g., 85.206.167.148 (entropy 1.61, anomaly score 23.36, 100th percentile).
- Behavior: cluster-hopping, unstable labels, evasion-aware design.
- Overlap with REM Proxy IoCs (e.g., 89.39.149.227, 185.25.48.96) strengthens attribution link.
- Require specialized detection beyond static clustering.
Conclusion
Our automated clustering confirms and extends Black Lotus Labs' assessment:
- Validated: noisy SystemBC proxy botnet, dominated by Apache C2 → Nginx proxy chains.
- Extended:
- Added SSH-only access tier and minimal hardened tier.
- Quantified stability vs anomaly scores.
- Identified hosting provider concentration (Limited Network LTD, MNTTR).
- Highlighted multi-role anomalies overlapping REM Proxy infra.
Defender Priorities
- Block & monitor Tier Alpha (Clusters 1, 6, 9): vulnerable Apache/SSH hubs.
- Patch/scan for CVE-2023-44487 on Nginx loader fleets.
- Track SSH key/cipher use in hardened jump hosts.
- Investigate anomalies with entropy >1.5 (high-evasion tradecraft).
- Fingerprint hosting provider clusters (esp. Limited Network LTD).
This method converts noise into structured maps. It gives defenders and CTI teams an actionable view of SystemBC's operational model.
Sources
-
Black Lotus Labs: SystemBC - Bringing the Noise (2025-09-18) https://blog.lumen.com/systembc-bringing-the-noise/
-
Black Lotus Labs: SystemBC IoCs (GitHub, dated September 19, 2025) https://github.com/blacklotuslabs/IOCs/blob/main/SystemBC_IOCs.txt
-
Proofpoint: SystemBC: SOCKS5 Malware and Exploit Kits (2019) https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
-
Malpedia: SystemBC (win.systembc) https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
-
Kroll: Inside the SystemBC Malware Server (2024-01) https://www.kroll.com/en/publications/cyber/inside-the-systembc-malware-server
