Cybersecurity firm BitSight has uncovered a massive botnet operation called Socks5Systemz that is currently powering an illegal proxy service known as PROXY.AM through tens of thousands of compromised devices.
The botnet, which has been active since 2013, transforms infected computers into proxy exit nodes that can be rented by cybercriminals seeking to mask their malicious activities. PROXY.AM advertises these compromised systems as "elite, private, and anonymous proxy servers" with subscription packages ranging from $126 to $700 per month.
At its peak in January 2024, the botnet controlled approximately 250,000 machines. However, current estimates indicate the network has shrunk to between 85,000 and 100,000 devices. PROXY.AM's website claims access to 80,888 proxy nodes spread across 31 countries.
The reduction in size occurred after the threat actors lost control of the original Socks5Systemz infrastructure in December 2023, forcing them to rebuild what researchers now call "Socks5Systemz V2" from scratch. The malware continues to spread through various loader programs including PrivateLoader, SmokeLoader, and Amadey.
The highest concentrations of infected systems are found in India, Indonesia, Ukraine, Algeria, Vietnam, Russia, Turkey, Brazil, Mexico, and Pakistan, among other countries. The botnet has been in continuous operation since 2016, selling anonymity to would-be cybercriminals.
This discovery comes shortly after researchers identified another malware strain, Ngioweb, being used in the same way: turning infected devices into residential proxies sold through a service named NSOCKS.
The emergence of these proxy botnets highlights the growing underground market for anonymity services that enable various forms of cybercrime by making it harder to trace malicious activities back to their source.