A long-running malware operation known as SystemBC has been linked to more than 10,000 infected IP addresses worldwide, including systems associated with sensitive government infrastructure.

According to new research by Silent Push, the findings reinforce concerns about the malware's continued use as an early-stage tool in intrusion campaigns that frequently precede ransomware deployment.

First publicly documented in 2019, SystemBC, also known as Coroxy or DroxiDat, is a multi-platform proxy malware that turns compromised systems into SOCKS5 relays. These relays allow threat actors to route malicious traffic through victim machines, masking their own infrastructure while maintaining persistent access to internal networks.

In some cases, SystemBC infections have also been observed deploying additional malware, expanding the scope of compromise.

Silent Push analysts said they began systematically tracking SystemBC activity in 2025 after repeatedly observing its presence ahead of ransomware incidents.

To improve visibility, the team developed a SystemBC-specific tracking fingerprint, enabling the identification of infections and supporting infrastructure at scale. Using this approach, researchers uncovered over 10,000 unique infected IP addresses tied to activity stretching back to 2019.

Global Spread and Persistent Threat

The infections were globally distributed, with the highest concentration in the US. Germany, France, Singapore and India followed.

Many of the affected systems were hosted within data centre environments rather than residential networks, a factor that helps explain why infections often persist for weeks or months.