{
	"id": "7bd5876b-c40a-4598-863d-808a7d9fe6d2",
	"created_at": "2026-04-06T00:14:14.481501Z",
	"updated_at": "2026-04-10T13:11:26.453441Z",
	"deleted_at": null,
	"sha1_hash": "f343946611baa1462f839876f41b9099af30b11a",
	"title": "Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1013739,
	"plain_text": "Unveiling Socks5Systemz: The Rise of a New Proxy Service via\r\nPrivateLoader and Amadey\r\nBy Bitsight TRACE\r\nPublished: 2023-11-02 · Archived: 2026-04-05 21:47:06 UTC\r\nBitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently\r\nemployed by threat actors to distribute malware and build their botnets. We've named this proxy bot\r\nmalware Socks5Systemz, which is also the name associated with the unique login panel consistently\r\npresent in all active proxy bot C2 servers.\r\nWhile this proxy malware is not new (references on Twitter trace back to 2016), its usage must have\r\nremained under the radar, at least until now.\r\nUpon researching and mapping the infrastructure behind this botnet, several servers associated with this\r\nmalware operation were discovered, along with a Telegram user who has built a complete proxy service by\r\nleveraging this proxy botnet.\r\nThe proxy service allows clients to choose a subscription ranging from $1 USD to $4000 USD, payable in\r\nfull using cryptocurrency.\r\nBased on network telemetry analysis, it is estimated that this botnet has approximately 10.000 infected\r\nsystems with victims spread across the globe.\r\nNo infected systems communicating with the backconnect servers were observed in Russia. This,\r\ncombined with various other clues uncovered during the research (such as HTML comments, server error\r\nmessages, etc.) allows us to assess with medium confidence that operators of the service are based in that\r\ngeography.\r\nProxy services offer users the ability to rent a set of IP addresses for internet use, granting a level of online\r\nanonymity. Essentially, they make your internet traffic appear as if it's coming from a regular IP address while\r\nkeeping the real origin hidden.\r\nRecently, our Threat Research team discovered a new malware sample, distributed by the PrivateLoader and\r\nAmadey loaders. 
These two loaders are often used by threat actors to spread malware and build their armies of\r\ninfected computers, also known as botnets.\r\nThis sample, upon reverse engineering, was found to install a proxy bot on infected systems, turning them into\r\nproxies capable of forwarding traffic for someone else. We've named this proxy bot Socks5Systemz, a name we\r\nfound to be present on a login panel in all proxy bot C2 servers.\r\nhttps://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey\r\nPage 1 of 17\n\nFigure 1: Login page\r\nIn this blog post, we'll delve into how this proxy bot functions, explore its infrastructure, identify the victims, and\r\nuncover the proxy service built on top of this botnet. Let's get into the details.\r\nAll samples delivered by PrivateLoader and Amadey dropped and executed a file named previewer.exe that we\r\nwill refer to as just the loader from now on. This file is responsible for setting up the persistence and injecting the\r\nproxy bot in memory.\r\nFigure 2: Process tree\r\nThis loader accepts three command line options:\r\nOption Description\r\n/chk Creates empty file named \"test\" in the current directory and exits\r\n-i Install loader\r\n-s Start loader\r\nThe install option\r\nThe install option is responsible for setting up the persistence on the system and to do so it will try to copy the\r\nloader to C:\\ProgramData\\ContentDWSvc\\ContentDWSvc.exe and create a Windows service to run the copied\r\nloader with both the name and display name set to ContentDWSvc.\r\nFigure 3: Service installation\r\nIf file copy or service creation fails, the loader will try to kill all Google update processes and replace the\r\noriginal GoogleUpdate.exe executable with itself.\r\nFigure 4: Replacing Google Update executable\r\nThe start option\r\nThis option will simply create a new thread to launch the loader main function and wait until it finishes.\r\nFigure 5: Starting the loader main function\r\nThe loader main function will load the resource with ID 400 to memory and decrypt it. The decrypted data will be\r\na valid DLL file containing the proxy bot that will be injected in memory.\r\nFigure 6: Decryption and injection of payload\r\nThe proxy bot payload is a 32 bit DLL file with a size of ~300 KB. The entry point of the proxy bot saves the\r\nname of the current filename to a global variable, sets a global flag with the architecture of the system, and\r\ncreates a new thread to start the bot main function.\r\nFigure 7: Proxy bot entry point\r\nNext, the bot generates a 32-bit client ID based on the creation date of the Windows directory on the infected\r\nsystem.\r\nOn its initial run, the bot collects and stores the current system time (infection time) in a file named\r\nC:\\ProgramData\\ts.dat. Additionally, it fetches a PDF file from\r\nhxxp://datasheet[.]fun/manual/avon_4_2022.pdf?\u003cclient_id\u003e, saving it in the C:\\ProgramData folder.\r\nImage 8: Downloading PDF file from datasheet[.]fun\r\nDespite the fact that the downloaded PDF doesn't contain any particularly interesting data and the domain is under\r\nthe control of the threat actor, this step appears to be geared towards gathering extra telemetry and potentially\r\naiding in the validation of infected systems.\r\nImage 9: PDF file content\r\nFinally, the bot tries to get the address of a C2 server that's online. To do so, the bot computes a domain name\r\nusing a domain generation algorithm and uses a hardcoded list of DNS servers to resolve it.\r\nFigure 10: Hardcoded list of DNS resolvers\r\nSince all DNS servers in the list are controlled by this threat actor, any domain that we try to resolve using them\r\nwill point to a valid command and control server.\r\nFigure 11: Resolving a domain\r\nIf the bot is unable to get a valid command and control server address using that method, it will send an HTTP GET\r\nrequest to bddns[.]cc to the following endpoint /sign/\u003crc4 data hex encoded\u003e. The hex encoded data is the\r\nresult of encrypting a string with the format \u003cdga_domain\u003e:\u003cclient_id_hex\u003e using RC4 with the key\r\nheyfg645fdhwi. The response is also hex encoded and encrypted using the same RC4 key and contains the IP\r\naddress of a valid command and control server.\r\nFigure 12: Requesting C2 address from bddns[.]cc\r\nAfter getting the IP address of an active command and control server, the bot is ready to start the C2\r\ncommunications by doing an HTTP GET request to the following endpoint /single.php?c=\u003crc4 data hex\r\nencoded\u003e.\r\nFigure 13: Bot request\r\nThe data that goes in the c= parameter is the hex encoded result of encrypting the beacon string using the same\r\nRC4 key heyfg645fdhwi. The plain text beacon string has the following format:\r\nclient_id=%.8x\u0026connected=%d\u0026server_port=%d\u0026debug=%d\u0026os=%d.%d.%04d\u0026dgt=%d\u0026dti=%d\r\nBeacon Field Description\r\nclient_id The client/bot ID hex\r\nconnected Status of backconnect connection (1 for connected and 0 for disconnected)\r\nserver_port Port assigned to the bot by the backconnect server\r\ndebug Hardcoded value 17\r\nos Windows major, minor and build versions\r\ndgt Architecture (1 for 64 bit and 0 for 32 bit)\r\ndti System time aka infection time\r\nThe responses from the command and control servers are also hex encoded and encrypted using the same RC4 key\r\nand they will contain commands for the bot.\r\nFigure 14: Bot request and C2 response with idle command\r\nCurrently the bot supports the following commands:\r\nBot Command Description\r\nidle Do nothing\r\nconnect Connect to a backconnect server\r\ndisconnect Disconnect from the backconnect server\r\nupdips Update IP addresses allowed to send traffic\r\nupduris This command seems to not be fully implemented\r\nThe most important command is the connect command that tells the bot to establish a session with a backconnect\r\nserver over port 1074/TCP. This command registers the bot with the backconnect infrastructure and makes it part\r\nof the pool of available proxies that can be used to send traffic on behalf of clients.\r\nFigure 15: Bot receiving a connect command\r\nConnect command fields:\r\nConnect Field Description\r\nip backconnect IP address\r\nauth_swith authentication flag. If set to 0, the proxy will be available for the client IPs that come within the auth_ip field. If set to 1, the proxy clients will need to use the login and pass that comes within the auth_login and auth_pass fields.\r\nauth_ip list of authorized IP addresses\r\nauth_login login username for proxy\r\nauth_pass login password for proxy\r\nblock list of ports to which sending traffic is not allowed\r\nAfter parsing all the connect command fields, the bot establishes a session with the backconnect server over port\r\n1074/TCP using a custom binary protocol. Once the session is established, the bot can be used as a proxy.\r\nFigure 16: Backconnect communications with proxy traffic to google[.]com\r\nWhen the bot establishes a session with a backconnect server through port 1074/TCP, it's assigned a unique TCP\r\nport (referred to as the server port) on the server side. This designated port is opened to receive traffic from\r\nclients. To use the proxy, clients need to know the backconnect server's IP address, the TCP port assigned to the\r\ninfected system, and either have their public IP whitelisted or possess the appropriate login credentials. Without\r\nthis information, the server will not accept the traffic.\r\nFigure 17: Overview on how the clients can use the proxies\r\nAt least 53 servers related to this botnet were identified, all located in Europe and distributed across France,\r\nBulgaria, Netherlands, and Sweden.\r\nFigure 18: Infrastructure geographic distribution\r\nThe infrastructure is made up of servers with several purposes, which include:\r\nProxy bot C2 servers\r\nBackconnect servers\r\nCustom DNS servers (hardcoded in the proxy bot samples)\r\nThe server used by the bots to get the online C2 server address\r\nA proxy checker application\r\nDetailed infrastructure:\r\nIP CC ASN Domain Description\r\n109.230.199.181 SE 42708, PORTLANE - Proxy bot C2 - Frontend\r\n185.141.63.172 BG 44901, BELCLOUD - Proxy bot C2 - Frontend\r\n193.242.211.141 NL 58329, RACKPLACE - Proxy bot C2 - Frontend\r\n212.8.242.211 NL 49981, WORLDSTREAM - Proxy bot C2 - Backend\r\n109.236.85.145 NL 49981, WORLDSTREAM - Proxy bot C2 - Backend not being used\r\n190.2.135.77 NL 49981, WORLDSTREAM, NL - Proxy bot C2 - Not deployed\r\n151.80.38.159 FR 16276, OVH - DNS server for DGA domains\r\n217.23.6.51 NL 49981, WORLDSTREAM - DNS server for DGA domains\r\n217.23.9.168 NL 49981, WORLDSTREAM - DNS server for DGA domains\r\n37.187.122.227 FR 16276, OVH - DNS server for DGA domains\r\n51.159.66.125 FR 12876, Online SAS - DNS server for DGA domains\r\n109.236.88.134 NL 49981, WORLDSTREAM bddns[.]cc Used to retrieve proxy bot c2\r\n- - - datasheet[.]fun Telemetry server\r\n109.236.81.104 NL 49981, WORLDSTREAM - Backconnect\r\n176.31.254.229 FR 16276, OVH - Backconnect\r\n185.141.63.2 BG 44901, BELCLOUD - Backconnect\r\n185.141.63.4 BG 44901, BELCLOUD - Backconnect\r\n185.141.63.84 BG 44901, BELCLOUD - Backconnect\r\n185.141.63.85 BG 44901, BELCLOUD - Backconnect\r\n188.165.192.126 FR 16276, OVH - Backconnect\r\n188.165.192.18 FR 16276, OVH - Backconnect\r\n188.165.195.130 FR 16276, OVH - Backconnect\r\n195.154.174.130 FR 12876, Online SAS - Backconnect\r\n195.154.176.206 FR 12876, Online SAS - Backconnect\r\n195.154.176.209 FR 12876, Online SAS - Backconnect\r\n195.154.178.238 FR 12876, Online SAS - Backconnect\r\n195.154.188.211 FR 12876, Online SAS - Backconnect\r\n195.154.235.51 FR 12876, Online SAS - Backconnect\r\n195.154.241.165 FR 12876, Online SAS - Backconnect\r\n195.154.242.37 FR 12876, Online SAS - Backconnect\r\n195.154.243.38 FR 12876, Online SAS - Backconnect\r\n195.154.251.21 FR 12876, Online SAS - Backconnect\r\n195.154.251.99 FR 12876, Online SAS - Backconnect\r\n195.154.252.221 FR 12876, Online SAS - Backconnect\r\n195.154.253.49 FR 12876, Online SAS - Backconnect\r\n37.187.142.187 FR 16276, OVH - Backconnect\r\n37.187.143.172 FR 16276, OVH - Backconnect\r\n37.187.148.204 FR 16276, OVH - Backconnect\r\n62.210.204.131 FR 12876, Online SAS - Backconnect\r\n88.80.145.110 BG 44901, BELCLOUD - Backconnect\r\n88.80.145.142 BG 44901, BELCLOUD - Backconnect\r\n88.80.147.200 BG 44901, BELCLOUD - Backconnect\r\n88.80.147.205 BG 44901, BELCLOUD - Backconnect\r\n88.80.147.36 BG 44901, BELCLOUD - Backconnect\r\n88.80.148.219 BG 44901, BELCLOUD - Backconnect\r\n88.80.148.33 BG 44901, BELCLOUD - Backconnect\r\n88.80.148.8 BG 44901, BELCLOUD - Backconnect\r\n91.121.171.208 FR 16276, OVH - Backconnect\r\n91.92.111.131 BG 44901, BELCLOUD - Backconnect\r\n91.92.111.132 BG 44901, BELCLOUD - Backconnect\r\n91.92.111.133 BG 44901, BELCLOUD - Backconnect\r\n91.121.30.185 FR 16276, OVH - Backconnect\r\n94.23.58.173 FR 16276, OVH - Backconnect\r\n217.23.5.14 NL 49981, WORLDSTREAM - Proxy checker app\r\nDuring the investigation into the usage of the botnet infrastructure, an image separately surfaced on a Telegram\r\nchannel. In this image, a user named boost shared a screenshot of an account checker tool utilizing the IP\r\naddresses of the backconnect servers as proxies. These IP addresses match the list derived through the\r\naforementioned malware research, as shown in the previous section.\r\nFigure 19: Backconnect proxies being used to check credentials\r\nFigure 20: Telegram user @boostanywork aka “boost”\r\nIt was discovered that boost is involved in selling compromised accounts and access to the proxies. Using a bot\r\nnamed BoostyProxy, the threat actor built a complete proxy service that allows users to subscribe to the service,\r\nmanage the existing subscriptions, and access the current list of available proxies.\r\nFigure 21: Telegram bot @BoostyProxy_BOT\r\nFigure 22: Telegram bot chat\r\nThe service has two subscription options: standard and VIP. The difference between the two is that the standard\r\nonly allows a client to use one type of proxy and does not support multithreading while the VIP subscription\r\nallows a client to send all types of proxy traffic (socks4, socks5, and http) and use multiple threads. Here’s the\r\ncurrent price table for the two subscription options:\r\nStandard proxy\r\nThreads/Period 1 day 7 days 1 month 3 months\r\nSingle thread $1 USD $5.1 USD $10.3 USD $28 USD\r\nVIP service\r\nThreads/Period 1 day 5 day 10 day 1 month 3 months\r\n100 threads $22 USD $60 USD $100 USD $175 USD $450 USD\r\n300 threads $28 USD $68 USD $112 USD $200 USD $500 USD\r\n500 threads $35 USD $90 USD $150 USD $300 USD $740 USD\r\n1000 threads $42 USD $120 USD $200 USD $400 USD $1000 USD\r\n5000 threads $140 USD $420 USD $700 USD $1500 USD $4000 USD\r\nAll payments must be done with cryptocurrency using the Cryptomus Crypto Payment Gateway\r\n(cryptomus[.]com).\r\nWhile subscribing to the service, the client must provide the IP address from where it will access the proxies.\r\nOnce the subscription process is complete, the client IP address gets whitelisted across the botnet, and clients can\r\ndownload the list of available proxies which contains the IP addresses of the backconnect servers and the TCP\r\nports assigned to the infected systems.\r\nVictims\r\nSince the PrivateLoader and Amadey loaders have been among the main distribution channels for this proxy bot, we\r\nexpected to see a pretty dispersed geographic distribution for the victims of this botnet, which was exactly what\r\nwe observed on our network telemetry. Since the beginning of October, we observed approximately 10.000\r\nsystems communicating over port 1074/TCP with the backconnect servers.\r\nThe top 10 most affected countries are, in order, India, Brazil, Colombia, South Africa, Bangladesh, Argentina,\r\nAngola, United States, Suriname, and Nigeria.\r\nFigure 23: Geographic distribution of victims\r\nDue to the nature of this network telemetry, these numbers must be interpreted as an approximation of what can be\r\nthe real botnet size and geographic distribution of the victims.\r\n(For network indicators, please refer to the table shared in the “Infrastructure” section.)\r\nSocks5Systemz proxy bot payload\r\nfee88318e738b160cae22f6c0f16c634fd16dbf11b9fb93df5d380b6427ac18f\r\nProxy bot loader payload\r\ndc262539467bf34e5059686955d6567efadd8e21c76be51eba94737d8c326720\r\nPacked files distributed by Amadey and PrivateLoader\r\nSource: https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey"
	],
	"report_names": [
		"unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey"
	],
	"threat_actors": [],
	"ts_created_at": 1775434454,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f343946611baa1462f839876f41b9099af30b11a.pdf",
		"text": "https://archive.orkl.eu/f343946611baa1462f839876f41b9099af30b11a.txt",
		"img": "https://archive.orkl.eu/f343946611baa1462f839876f41b9099af30b11a.jpg"
	}
}