Socks5Systemz

Socks5Systemz is a proxy bot malware that turns infected devices into forwarding proxies for malicious traffic. It has been sold on underground forums since 2013 and was widely commercialized through the PROXY[.]AM service, which rebranded as ProxyBox after its infrastructure was disrupted and sinkholed in early 2024. The malware has historically been distributed as a SOCKS5 proxy module embedded in other malware families, including Andromeda, SmokeLoader, and Trickbot, and more recently as a standalone payload delivered by loaders such as PrivateLoader and Amadey. Observed infection chains also used cracked-software lures and NSIS-based installers from pay-per-install and pirated-software ecosystems.

The malware’s purpose is to provide residential proxy access for criminal use cases including carding, credential stuffing, identity theft, and other abuse. In one documented multi-stage infection chain, Socks5Systemz was deployed alongside PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, StealC, a miner, and STOP/DJVU ransomware. In that case it executed as DTPanelQT.exe and TacDecoLIB.exe, contacted 185.196.8[.]22 over port 80, and connected to 176.9.47[.]240 over port 2023, sending repeated IP-and-port lists consistent with proxy bot behavior.

Technical reporting describes a multi-stage loader chain culminating in a Socks5Systemz DLL of roughly 600 KB that uses junk code and control-flow obfuscation. The malware can be installed as a Windows service or regular executable; when invoked with an install flag it attempts persistence via service creation and falls back to a registry Run key if service creation fails. It cycles through command-and-control servers, trying each address multiple times and alternating between HTTPS and HTTP until successful. C2 communication uses URLs of the form http(s)://ip/ai/?key=<encrypted parameters>, with both requests and responses RC4-encrypted using a 16-byte key that may vary by sample. It uses the user-agent string "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" and supports commands including Connect, Disconnect, Idle, Updips, and Updurls. Earlier reporting also states that Socks5Systemz connects to its C2 using a DGA.
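As an added example (not code from the page or from any vendor report), the following Python triage script applies the C2 traits described above to a constructed web-proxy log excerpt: the `/ai/?key=` path on a bare-IP host, the hard-coded User-Agent, and the HTTPS-then-HTTP fallback from one source to the same server. The log line format, the internal source addresses and the 203.0.113.x servers are assumptions made for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the profile above: the C2 URL shape and the hard-coded User-Agent.
C2_USER_AGENT = "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"  # no "NT 9.0" ever shipped
C2_PATH = "/ai/"

# Constructed log excerpt (hypothetical format: time src method url "ua"). The 203.0.113.0/24
# servers are documentation-range placeholders, not real C2 addresses from the page.
SAMPLE_LOG = """\
2024-02-01T10:00:01Z 10.0.0.5 GET https://203.0.113.10/ai/?key=5d41402abc4b2a76 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-02-01T10:00:03Z 10.0.0.5 GET http://203.0.113.10/ai/?key=5d41402abc4b2a76 "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
2024-02-01T10:00:05Z 10.0.0.7 GET https://example.com/ai/?key=abc "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-02-01T10:00:09Z 10.0.0.8 GET https://203.0.113.20/index.html "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 literal rather than a hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def analyse(log_text):
    """Return one dict per suspicious line: time, src, url and the list of matched reasons."""
    findings = []
    seen_https = set()  # (src, host) pairs already seen over HTTPS, used to spot the HTTP fallback
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, src, method, url, ua = m.groups()
        parts = urlsplit(url)
        reasons = []
        # Documented C2 shape: http(s)://<ip>/ai/?key=<encrypted parameters>
        if parts.path == C2_PATH and "key" in parse_qs(parts.query) and is_ip_literal(parts.hostname):
            reasons.append("c2_url_pattern")
        if ua == C2_USER_AGENT:
            reasons.append("bot_user_agent")
        # The bot tries HTTPS first and falls back to plain HTTP against the same server
        key = (src, parts.hostname)
        if parts.scheme == "https":
            seen_https.add(key)
        elif parts.scheme == "http" and key in seen_https:
            reasons.append("https_to_http_fallback")
        if reasons:
            findings.append({"time": ts, "src": src, "url": url, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["time"], f["src"], f["url"], ",".join(f["reasons"]))
```

The User-Agent match alone is weak on its own but, combined with the URL shape, isolates the two C2 lines; the `example.com` request with a similar path is deliberately left unflagged because the documented C2 uses bare IP hosts.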

The botnet has operated at significant scale. Reporting cited approximately 250,000 infected devices globally per day for the first iteration by late January 2024, while the rebranded ProxyBox service was observed maintaining roughly 32,000 to 35,000 daily active IPs. Significant concentrations of active IPs were observed in Russia, Brazil, and India.

MITRE ATT&CK techniques and procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1189 Drive-by Compromise (evidence: 1)

To build this massive network of residential IPs, ProxyBox acquires initial access by tricking users into downloading infected files from cracked software sites.

Execution (1 technique)

T1204.002 Malicious File (evidence: 1)

In an attempt to regain their once previous numbers, the ProxyBox operators are observed utilizing pay-per-install (PPI) sites which distribute the malware through cracked software sites... These sites utilize NSIS installers which will dynamically install a series of applications.

Persistence (2 techniques)

T1543.003 Windows Service (evidence: 1)

If the install flag is specified, persistence will first be attempted by registering a service; if this fails due to insufficient permissions or for any other reason, a run key will be created.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

If the install flag is specified, persistence will first be attempted by registering a service; if this fails due to insufficient permissions or for any other reason, a run key will be created.

Privilege Escalation (2 techniques)

T1543.003 Windows Service (evidence: 1)

If the install flag is specified, persistence will first be attempted by registering a service; if this fails due to insufficient permissions or for any other reason, a run key will be created.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

If the install flag is specified, persistence will first be attempted by registering a service; if this fails due to insufficient permissions or for any other reason, a run key will be created.

Stealth (7 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

The final payload of Socks5Systemz... heavily relies on junk code and control-flow obfuscation, making static analysis challenging.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Chunks of the encrypted payload are embedded within the .text section... Once the loader stub decrypts the second stage module... To decrypt the resource, it extracts a 32-byte key from the end of the resource... Both requests and responses are RC4 encrypted using the same RC4 encryption key.

T1218 System Binary Proxy Execution (evidence: 1)

The first operation the loader will perform in the main function is to register a service control handle... The advantage of this design decision is that it allows the module to function both as a service and as a regular PE/EXE.

T1497.003 Time Based Checks (evidence: 1)

Before unpacking, the loader will sleep in a loop to delay execution, both before and in the middle of the memory loading process.

T1564 Hide Artifacts (evidence: 1)

It also uses timestamp stomping, showing that it was compiled in 2011, which is false.

T1620 Reflective Code Loading (evidence: 1)

Otherwise, if no flags are specified, the packed DLL will be memory-loaded into the current process without any further operations... The memory loader will fix relocations and zero the PE headers before transferring control to the DLL entry point.

T1622 Debugger Evasion (evidence: 1)

A second advantage is that it complicates debugging... the first loader dynamically overwrites itself with the second stage during each run, resulting in a loss of control and/or a frustrating experience.

Discovery (2 techniques)

T1497.003 Time Based Checks (evidence: 1)

Before unpacking, the loader will sleep in a loop to delay execution, both before and in the middle of the memory loading process.

T1622 Debugger Evasion (evidence: 1)

A second advantage is that it complicates debugging... the first loader dynamically overwrites itself with the second stage during each run, resulting in a loss of control and/or a frustrating experience.

Command and Control (7 techniques)

T1071 Application Layer Protocol (evidence: 1)

Process 4440 is also seen communicating with its C2 servers, 185[.]216.70.235 and 195.20.16[.]45, via port 80 (T1071 – Application Layer Protocol).

T1071.001 Web Protocols (evidence: 1)

For the first iteration of the list it attempts to use HTTPS before falling back to HTTP... The C2 url is in the format http(s)://ip/ai/?key=<encrypted parameters>.

T1090 Proxy (evidence: 2)

the panel can then task it... open a VNC or reverse-proxy session... We've also documented Amadey pushing proxy malware like Socks5Systemz

T1090.002 External Proxy (evidence: 1)

"Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices"

T1090.003 Multi-hop Proxy (evidence: 1)

"Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices"

T1105 Ingress Tool Transfer (evidence: 2)

the panel can then task it: download and run a follow-up payload... StealC... can also download and execute additional payloads, making it a stealer with a built-in loader.

T1571 Non-Standard Port (evidence: 1)

Process 6280 was seen repeatedly connecting to 45.15[.]156.187 over port 23929 (T1571 – Non-Standard Port).

Indicators of compromise

32 indicators are attributed to this family across vendor reports, sandbox runs, and researcher write-ups: 26 network indicators (IPs, domains, and DNS infrastructure) and 6 of other types observed in public reporting.
