{
	"id": "42d7cfbd-afc5-4a12-aeda-4364ea8ee93f",
	"created_at": "2026-04-06T00:15:13.634167Z",
	"updated_at": "2026-04-10T13:11:52.556582Z",
	"deleted_at": null,
	"sha1_hash": "95aefd98140aa7b54c5d9bcf88cb454d576e1419",
	"title": "PROXY.AM Powered by Socks5Systemz Botnet | Bitsight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1494339,
	"plain_text": "PROXY.AM Powered by Socks5Systemz Botnet | Bitsight\r\nArchived: 2026-04-05 15:58:15 UTC\r\nA year ago, Bitsight TRACE published a blog post on Socks5Systemz, a proxy malware with minimal mentions\r\nin the threat intelligence community at the time. In that post, we correlated a Telegram user to the botnet operation\r\nand estimated its size at around 10,000 compromised systems. After a year-long investigation, we are shedding\r\nnew light on these conclusions.\r\nKey Takeaways\r\nOrigins of Socks5Systemz\r\nA botnet of 250,000 bots\r\nThe Proxy Service\r\nService Updates\r\nConclusions\r\nIndicators of Compromise\r\nSocks5Systemz, identified last year during large-scale distribution campaigns involving Privateloader,\r\nSmokeloader, and Amadey, has actually been active since 2013.\r\nThis malware was sold as a standalone product or integrated into other malware as a SOCKS5 proxy\r\nmodule. Such malware included, at least, Andromeda, Smokeloader and Trickbot.\r\nIn recent months, Bitsight TRACE investigated a Socks5Systemz botnet with 250,000 compromised\r\nsystems at its peak, geographically dispersed across almost every country in the world.\r\nThe proxy service PROXY.AM, active since 2016, exploits the botnet to provide its users with proxy exit\r\nnodes and enable them to pursue broader criminal objectives.\r\nImage 1: The login page of the Socks5systemz C2 panel.\r\nSocks5Systemz is a proxy malware designed to turn compromised systems into proxy exit nodes. Its name comes\r\nfrom the text that the threat actor uses in the backend panel.\r\nBitsight described the inner workings of the malware in the previous post. Although it changed a bit in the last\r\n12 months, this time we will not delve into the details of Socks5Systemz, such as its malware analysis and\r\nhttps://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet\r\nPage 1 of 14\n\ncommand and control protocols. 
Instead, we will outline the updates made to the malware later in this post.\r\nAlthough Bitsight observed multiple distribution campaigns of the malware over the last year, it remained under\r\nthe radar until September 2023—not just for us, but for the entire threat intelligence community, since there were\r\nalmost zero references to it. After digging, we discovered posts in multiple underground Russian forums\r\nlinking to the malware dating back to 2013.\r\nThe image below shows a post, cross-posted in multiple forums, where the actor BaTHNK is selling a\r\n“SOCKS5 backconnect system”:\r\nImage 2: Archived post from 2013 on forum XSS, where actor BaTHNK sells a SOCKS5\r\nbackconnect system\r\nIn the same thread, the actor posted some screenshots of the C2 panel with the same branding and template that\r\nwe saw in current Socks5Systemz panels:\r\nImage 3: A comment to a forum post in 2013, where actor BaTHNK posts screenshots of the\r\nSocks5Systemz backend panel\r\nThe question is:\r\nWhy has a malware family that has been around for over a decade only recently been widely distributed?\r\nThe answer may be in one comment on that same thread, where actor Ar3s provided positive feedback on the\r\nmalware and on BaTHNK’s ability to customize the malware to suit customer needs:\r\nImage 4: A comment in the same thread, auto-translated to English, where actor Ar3s provides\r\npositive feedback about the malware.\r\nAr3s was one of the most prolific actors in the Russian crimeware scene until 2017, when he was arrested in\r\nBelarus as a result of Operation Avalanche. 
He was charged as the primary operator of the biggest\r\nAndromeda botnet, used to distribute more than 80 different malware families between 2011 and 2017.\r\nAfter that positive review, BaTHNK adapted the malware to be used as a SOCKS5 proxy module of Andromeda,\r\nand a few weeks later also added support for Smokeloader.\r\nImage 5: Actor BaTHNK announces Socks5Systemz as a proxy module for Andromeda and\r\nSmokeloader malware (auto-translated from Russian)\r\nDuring our research, we also found a proxy module for Trickbot (2017) with significant code similarity and the same\r\nfunctionality as Socks5Systemz. At the time, Vitali Kremez (rest in peace) conducted an analysis of it.\r\nThe use of Socks5Systemz as a proxy module within other malware may explain the lack of references to it prior\r\nto November 2023; it likely operated under the radar, being detected as part of other malware, and didn’t catch the\r\nattention of the threat intelligence community.\r\nIn September 2023, we started to see widely distributed campaigns of Socks5Systemz using Privateloader,\r\nAmadey, and Smokeloader. This was the standalone version of Socks5Systemz as the final payload. We don’t\r\nknow why the modus operandi changed, but it may be linked to shifts in the crimeware ecosystem that prompted\r\nthreat actors to adopt this approach.\r\nWith the support of the Registrar of Last Resort (RoLR), Bitsight was able to collect infection telemetry from the\r\nbotnet due to how bots communicate with the command and control (C2) servers.\r\nImage 6: Infected systems telemetry collected from late November 2023 to January 2024 for\r\nSocks5Systemz.\r\nThe botnet, which we’ve called Socks5Systemz V1, is widely spread around the world with bots in almost all\r\ncountries on the planet. 
In late January 2024, the daily average of bots was around 250,000.\r\nImage 7: Socks5Systemz V1 botnet geographic dispersion.\r\nThe table below lists the top countries affected by Socks5Systemz infections:\r\nCountry Infections\r\nIndia 40153\r\nIndonesia 17027\r\nUkraine 11178\r\nAlgeria 8255\r\nViet Nam 8047\r\nRussian Federation 7826\r\nTurkey 7288\r\nBrazil 7224\r\nMexico 6987\r\nPakistan 6802\r\nThailand 6452\r\nPhilippines 5664\r\nColombia 5165\r\nEgypt 5164\r\nUnited States 4784\r\nArgentina 4756\r\nBangladesh 4432\r\nMorocco 3758\r\nNigeria 3625\r\nOthers 73573\r\nWith 250k bots as a daily average, this is a huge botnet in today’s landscape. For comparison, in its glory days,\r\nAndromeda had a 2M daily average—albeit with a vastly different business model. Similar proxy malware has\r\ndaily averages between 15k and 50k bots.\r\nSince January 2024, our telemetry counters have decreased over time. We’re currently seeing around 120k bots\r\nfor the Socks5Systemz V1 botnet.\r\nImage 8: Socks5Systemz botnet telemetry between Nov 2023 and Nov 2024.\r\nThe decrease in telemetry can be attributed to two factors:\r\nIn December 2023, the threat actor lost control of Socks5Systemz V1 and had to rebuild the botnet from\r\nscratch with a completely different C2 infrastructure—which we call the Socks5Systemz V2 botnet.\r\nBecause Socks5Systemz is dropped by loaders (such as Privateloader, Smokeloader or Amadey) that\r\npersist on the system, new distribution campaigns were used to replace old infections with new payloads.\r\nBitsight TRACE estimates that the current botnet maintains a daily average size of 85,000 to 100,000 bots.\r\nIn our previous post about Socks5Systemz, we linked the malware to a proxy service called BoostyProxy, which is\r\nbeing sold on Telegram by the actor 'boost'. 
While this association remains valid, further investigation reveals that\r\nboost is likely just a reseller in a larger operation.\r\nLooking at infrastructure indicators of Socks5Systemz V1 and using the fallback domain bddns[.]cc (active\r\nuntil November 2023) as a pivot point, we see that its WHOIS information from 2018-03-06 reveals the original\r\nregistrant, as well as the technical, administrative, and billing contacts, as:\r\nName: Alexey Pavlov\r\nAddress: ul. Karla Marksa 77 - 41 - Novosibirsk, 314932 - Russia\r\nPhone: +79264921021\r\nEmail: unvizik@gmail.com\r\nThe same name, phone number and address were used on 2016-01-09 to register the domain proxy[.]am, with\r\nthe following WHOIS details:\r\nDomain name: proxy.am\r\nRegistrar: globalar (GlobalAR LLC)\r\nStatus: active\r\nRegistrant:\r\n Alexey Pavlov\r\n ul. Karla Marksa 77 - 41\r\n Novosibirsk, 314932\r\n RU\r\nAdministrative contact:\r\n Alexey Pavlov\r\n ul. Karla Marksa 77 - 41\r\n Novosibirsk, 314932\r\n RU\r\n hostmaster@globalar.net\r\n +79264921021\r\nTechnical contact:\r\n Alexey Pavlov\r\n ul. 
Karla Marksa 77 - 41\r\n Novosibirsk, 314932\r\n RU\r\n hostmaster@globalar.net\r\n +79264921021\r\nDNS servers:\r\n ns1.reg.ru\r\n ns2.reg.ru\r\nRegistered: 2016-01-09\r\nLast modified: 2016-01-09\r\nExpires: 2017-01-09\r\nUpon examining the C2 infrastructure and investigating one of the backconnect servers associated with\r\nSocks5Systemz, operating with the IP address 109.236.51[.]104 between February 2022 and November 2023,\r\npassive DNS records reveal the following:\r\nFigure 9: PDNS records for 109.236.51[.]104\r\nThis is an indicator that the IP of a C2 server for Socks5Systemz was reused from a server that hosted\r\ndesign.proxy[.]am, hpf.proxy[.]am and api.proxy[.]am on or about 2018-02-12 and 2021-08-30.\r\nFigure 10: Relationship graph between bddns[.]cc, proxy[.]am and 109.235.81[.]104\r\nPROXY.AM markets itself as a service that “provides elite, private and anonymous proxies”, with plans ranging\r\nfrom $90 to $700 USD.\r\nThe main URL for access to the proxy service was https://proxy[.]am until November 2023. Since then, the\r\nthreat actors have registered proxyam[.]one. The former redirects to this new domain.\r\nFigure 11: Screenshot of Proxy.AM homepage in November 2023\r\nThe website advertised a total of around 300,000 proxies in November 2023. Since then, PROXY.AM has redesigned\r\nits website and its proxy packages:\r\nFigure 12: New PROXY.AM website in November 2024\r\nFigure 13: PROXY.AM advertised use cases. 
Mind the “Brute Accounts”.\r\nThe service provides contact via Telegram and email.\r\nFigure 14: Support addresses for Proxy.AM\r\nBetween December 2023 and October 2024, some changes in the malware and C2 infrastructure were\r\nimplemented. Bitsight TRACE observed:\r\nNew infrastructure:\r\n26 servers in total (14 backconnect servers, 6 C2 servers, 5 nameservers, 1 fallback)\r\nMore geographic dispersion across Europe\r\nNew host providers\r\nNew fallback domain(s)\r\nMalware updates:\r\nUpdated C2 protocol\r\nNew RC4 keys, new URL paths, new beacon data format\r\nBackconnect protocol is now done over port 2023/TCP\r\nObfuscation! It’s not easy to extract the malware configuration statically\r\nBesides these changes, the core functionality remains unchanged, as detailed in our previous analysis.\r\nProxy malware and proxy services aren’t new, but they’re becoming more relevant because of the increased offering\r\nannounced in underground forums and the silent impact they have on our networks. We’ve covered this kind of\r\nmalware in the past, and Lumen’s Black Lotus Labs has recently published a similar review of Ngioweb and\r\nNSOCKS. Proxy malware and services enable other types of criminal activity by adding uncontrolled layers of\r\nanonymity for the threat actors, so they can perform all kinds of malicious activity using chains of victim systems.\r\nIn this post, we uncovered a possible explanation for how Socks5Systemz has remained under the radar for the last\r\n10 years: by being deployed as a SOCKS5 proxy module for other malware, it was detected as other malware\r\nand not for what it is in reality. 
We also uncovered the proxy service that exploits the largest Socks5Systemz\r\nbotnet we know of at the moment.\r\nBitsight TRACE thanks The Registrar of Last Resort (RoLR) and Lumen’s Black Lotus Labs for ongoing support\r\nin this investigation.\r\nBelow are indicators of compromise to help you detect Socks5Systemz in your network or leverage them for\r\nfurther research. Happy Hunting.\r\nThis section contains IOCs for Socks5Systemz V2 (threat actor controlled DNS servers, command and control servers, backconnect servers, and sample hashes).\r\nSource: https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet"
	],
	"report_names": [
		"proxyam-powered-socks5systemz-botnet"
	],
	"threat_actors": [
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434513,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95aefd98140aa7b54c5d9bcf88cb454d576e1419.pdf",
		"text": "https://archive.orkl.eu/95aefd98140aa7b54c5d9bcf88cb454d576e1419.txt",
		"img": "https://archive.orkl.eu/95aefd98140aa7b54c5d9bcf88cb454d576e1419.jpg"
	}
}