SparTech Software CyberPulse – Your quick strike cyber update for September 20, 2025 5:02 AM

SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 Command-and-Control Servers

A new report from Black Lotus Labs at Lumen Technologies details REM Proxy, a criminal proxy-as-a-service operation powered by the widely distributed SystemBC malware. The analysis shows how the botnet turns infected virtual private servers (VPS) and MikroTik routers into a global pool of rentable exit nodes, a risk both to the owners of the compromised hosts and to the organizations whose defenses trust traffic arriving from hosting and router address space.

Technical Architecture and Operation

SystemBC is the implant, not the entry point: the operators compromise new VPS instances at a rate of roughly 1,500 systems per day and install SystemBC on them, after which each bot checks in to one of about 80 active command-and-control (C2) servers and becomes a SOCKS5 relay. Those relays are then rented out, letting customers route their traffic through the compromised hosts so that victims and defenders see the VPS's address rather than the customer's.

Botnet Scale and Monetization

Beyond the SystemBC pool, REM Proxy advertises access to more than 20,000 MikroTik routers and a regularly refreshed inventory of open proxies scraped from the internet. Black Lotus Labs estimates that roughly 80% of the SystemBC bot population is used to power REM Proxy. The volume and churn of compromised VPS instances point to the same root cause: rented virtual servers left exposed to the internet, unpatched and unmanaged, with nobody watching what they do.

Threat Impact and Mitigation Challenges

SystemBC's core function is proxying (it exposes a SOCKS5 relay on the infected host), so the traffic that leaves a bot belongs to whoever rented it, which complicates attribution and defeats reputation-based blocking that trusts hosting and router address space. As REM Proxy grows, it anonymizes a wide range of criminal activity, including ransomware operations, phishing, and credential-stuffing campaigns, and the compromised hosts themselves remain available for further abuse. VPS owners should treat a host that begins accepting inbound connections on an unexpected port and immediately relaying traffic to unrelated destinations as compromised; network defenders should hunt for that relay pattern in flow data, block known SystemBC C2 infrastructure, and keep internet-facing VPS and MikroTik devices patched.
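The relay pattern described above can be hunted for in ordinary flow records without any SystemBC-specific indicator. The following is an added example written for this digest, not code from Black Lotus Labs or from the REM Proxy report; the flow format (timestamp, source, destination, destination port, bytes), the sample records and the detection thresholds are all constructed and should be tuned against a real baseline.

```python
"""Spot hosts behaving like rented proxy relays in flow records.

Added example, not from the Black Lotus Labs report. The flow format
(ts, src, dst, dport, bytes) and the sample records are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# A relay accepts a session from a client and, within seconds, opens a new
# session to somewhere unrelated on the client's behalf. Thresholds are
# assumptions; tune them against your own environment's baseline.
WINDOW = timedelta(seconds=5)   # max delay between inbound and relayed outbound
MIN_DISTINCT_DSTS = 4           # a proxy fans out to many unrelated destinations
MIN_RELAY_RATIO = 0.75          # share of inbound sessions followed by an outbound one

# Constructed sample. 198.51.100.5 is a VPS relaying for two customers
# (203.0.113.10 and .77); 198.51.100.9 is an ordinary web server that
# queries its database after some requests, which is not a relay.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2025-09-19T10:00:01Z,203.0.113.10,198.51.100.5,4001,900
2025-09-19T10:00:02Z,198.51.100.5,192.0.2.44,443,51000
2025-09-19T10:00:11Z,203.0.113.10,198.51.100.5,4001,700
2025-09-19T10:00:12Z,198.51.100.5,192.0.2.80,443,8000
2025-09-19T10:00:30Z,203.0.113.77,198.51.100.5,4001,650
2025-09-19T10:00:31Z,198.51.100.5,192.0.2.91,80,12000
2025-09-19T10:00:55Z,203.0.113.77,198.51.100.5,4001,600
2025-09-19T10:00:56Z,198.51.100.5,192.0.2.17,443,30000
2025-09-19T10:01:00Z,203.0.113.10,198.51.100.5,4001,800
2025-09-19T10:01:01Z,198.51.100.5,192.0.2.203,443,4100
2025-09-19T10:02:00Z,203.0.113.50,198.51.100.9,443,1500
2025-09-19T10:02:00Z,203.0.113.51,198.51.100.9,443,1300
2025-09-19T10:02:01Z,198.51.100.9,192.0.2.5,3306,2000
2025-09-19T10:05:00Z,203.0.113.52,198.51.100.9,443,1800
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts with a datetime timestamp."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def relay_stats(flows, window=WINDOW):
    """Per host: how often an inbound session is followed by a fresh outbound one."""
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for f in flows:
        inbound[f["dst"]].append(f)
        outbound[f["src"]].append(f)

    stats = {}
    for host, ins in inbound.items():
        outs = outbound.get(host)
        if not outs:
            continue  # a host that never initiates traffic cannot be relaying
        relayed = 0
        relay_dsts = set()
        for i in ins:
            # Outbound sessions that start shortly after this inbound one and
            # do not simply go back to the client are candidate relayed traffic.
            followers = [o for o in outs
                         if i["ts"] <= o["ts"] <= i["ts"] + window
                         and o["dst"] != i["src"]]
            if followers:
                relayed += 1
                relay_dsts.update(o["dst"] for o in followers)
        stats[host] = {
            "inbound_sessions": len(ins),
            "client_ips": len({i["src"] for i in ins}),
            "relay_ratio": relayed / len(ins),
            "distinct_dsts": len(relay_dsts),
        }
    return stats


def flag_relays(flows, min_ratio=MIN_RELAY_RATIO, min_dsts=MIN_DISTINCT_DSTS):
    """Return hosts whose traffic shape matches a proxy relay."""
    return sorted(
        host for host, s in relay_stats(flows).items()
        if s["relay_ratio"] >= min_ratio and s["distinct_dsts"] >= min_dsts
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host in flag_relays(flows):
        print(host, relay_stats(flows)[host])
```

On the constructed sample the VPS is flagged (every inbound session is followed within a second by an outbound session to a new destination) while the web server is not, because its follow-on traffic goes to a single database. The check is deliberately content-agnostic: SystemBC's SOCKS5 relay can be rebuilt or re-encoded, but a proxy that does not relay is not a proxy.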

Fortra Releases Critical Patch for GoAnywhere MFT Deserialization Zero-Day (CVE-2025-10035)

On September 18, 2025, Fortra published an advisory and patches for its GoAnywhere Managed File Transfer (MFT) platform addressing CVE-2025-10035, a deserialization vulnerability in the product's License Servlet rated CVSS 10.0. According to the advisory, an attacker holding a validly forged license response signature can make the servlet deserialize an arbitrary attacker-controlled object, possibly leading to command injection, without holding any GoAnywhere credentials. The flaw has drawn wide attention because GoAnywhere is used for sensitive file exchange and because an earlier GoAnywhere bug, CVE-2023-0669, was exploited at scale by the Clop ransomware group.

Vulnerability Details

The License Servlet accepts a signed license response and reconstructs a Java object from it. The vulnerability is that an attacker who can produce a valid signature over a crafted response gets the servlet to deserialize an object of the attacker's choosing, and arbitrary deserialization in a large Java application is a well-trodden path to command execution. No GoAnywhere user account is needed; what the attacker needs is the ability to forge the license signature and network reach to the servlet, which is why Fortra states that exploitation depends heavily on the system being exposed to the internet. Fixed versions are 7.8.4 and, for the Sustain Release branch, 7.6.3.

Exploitation and Impact

Exploitation of CVE-2025-10035 can lead to total compromise of affected servers, unauthorized file transfers, lateral movement within enterprise networks, and dissemination of malware. Organizations dependent on GoAnywhere MFT are at risk of both data exfiltration and follow-on ransomware activity if the update is not promptly applied.

Recommended Remediation Actions

Administrators should upgrade to 7.8.4 or 7.6.3 (Sustain) without delay. Fortra's advisory also directs customers to make sure the GoAnywhere Admin Console is not open to the public internet, to restrict it to trusted networks through a firewall or allowlist, and to check the admin audit logs for errors containing the string SignedObject.getObject, which indicates an attempt to exploit the servlet. Because a deserialization payload may already have run before the patch was applied, treat any such log entry as a potential compromise rather than a blocked attempt: isolate the appliance, review outbound connections and any newly created accounts or scheduled tasks, and rotate credentials stored in the MFT.
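The two checks in the remediation guidance, "am I on a fixed version" and "does my audit log show the indicator", are easy to get wrong by hand, so here they are as an added example written for this digest (not Fortra's code). The fixed versions and the SignedObject.getObject indicator come from Fortra's advisory; the log line layout and the stack frames in the sample are constructed, so adapt the timestamp pattern to the real admin audit log format before running this against production logs.

```python
"""Two post-advisory checks for GoAnywhere MFT and CVE-2025-10035.

Added example, not Fortra's code. Fixed versions (7.8.4, and 7.6.3 on the
Sustain branch) and the SignedObject.getObject indicator are from Fortra's
advisory. The log excerpt and its line layout are constructed.
"""
import re

FIXED_MAIN = (7, 8, 4)      # every branch other than 7.6.x must be at least this
FIXED_SUSTAIN = (7, 6, 3)   # the 7.6.x Sustain Release branch
INDICATOR = "SignedObject.getObject"

# Constructed log excerpt: a normal license check, then a license response
# that failed inside SignedObject.getObject while being deserialized.
# Frame text is kept to JDK classes; GoAnywhere's own frames are omitted.
SAMPLE_LOG = """\
2025-09-18 02:14:07 INFO  [License] License check completed
2025-09-18 02:14:09 ERROR [License] Unable to process license response
java.lang.ClassCastException: class java.lang.Object cannot be cast to class java.lang.String
\tat java.base/java.security.SignedObject.getObject(SignedObject.java)
\tat java.base/java.lang.Thread.run(Thread.java)
2025-09-18 02:14:10 INFO  [Scheduler] Nightly cleanup started
"""

TIMESTAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")


def parse_version(text):
    """'7.8.4' -> (7, 8, 4).

    Tuples compare numerically, so 7.8.10 sorts above 7.8.4; a plain string
    comparison would call 7.8.10 older than 7.8.4 and report it unpatched.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version):
    """True if this GoAnywhere version carries the fix for CVE-2025-10035."""
    v = parse_version(version)
    if v[:2] == (7, 6):
        return v >= FIXED_SUSTAIN
    return v >= FIXED_MAIN


def find_indicator_events(log_text, indicator=INDICATOR):
    """Return the header line of every log event whose body mentions the indicator.

    Stack traces span several lines, so each timestamped line is grouped with
    the continuation lines that follow it and the whole group is searched.
    A line-by-line grep would return the bare frame with no timestamp.
    """
    events = []
    current = None
    for line in log_text.splitlines():
        if TIMESTAMPED.match(line):
            if current is not None:
                events.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current is not None:
        events.append(current)
    return [event[0] for event in events if any(indicator in line for line in event)]


if __name__ == "__main__":
    for ver in ("7.6.2", "7.6.3", "7.7.2", "7.8.3", "7.8.4", "7.8.10"):
        print(ver, "patched" if is_patched(ver) else "UNPATCHED")
    for header in find_indicator_events(SAMPLE_LOG):
        print("indicator hit:", header)
```

Note the branch logic: 7.7.x is not "between" the two fixed versions in any useful sense, it is simply unpatched and has to move to 7.8.4. The log scanner returns the timestamped header of each event so the hit can be lined up with web server access logs and outbound connection records from the same minute.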

FBI and Industry Researchers Warn of Salesforce Supply Chain Attacks by UNC6040 and UNC6395

The FBI, in a FLASH alert, and researchers at Google's Threat Intelligence Group are warning about two campaigns, tracked as UNC6040 and UNC6395, that gain access to organizations' Salesforce tenants and exfiltrate business data at scale. The warnings matter beyond Salesforce customers because one of the campaigns reached its victims through a third-party integration rather than through anything the victims themselves did wrong.

Attack Vectors and Techniques

The two groups take different routes in. UNC6040 relies on voice phishing: an attacker posing as IT support talks an employee through authorizing a malicious connected app in Salesforce's connected-app setup flow, often a modified copy of Salesforce's own Data Loader, and then uses that app's API access to bulk-export objects such as Accounts and Contacts. UNC6395 bypassed the victims entirely and used OAuth tokens stolen from the Salesloft Drift integration; because Drift had been authorized in many customers' tenants, the stolen tokens gave the group API access to each of them at once. UNC6395 then ran SOQL queries against Case records and searched the exported data for credentials such as AWS access keys, Snowflake tokens, and passwords, which enable follow-on intrusions well outside Salesforce.

Wider Supply Chain Implications

That second route is what makes this a supply chain story: a single compromised vendor integration handed the attackers access to many downstream tenants, and secrets harvested from those tenants open the door to further systems. Cloudflare, Proofpoint, Palo Alto Networks, and Zscaler are among the firms that disclosed exposure of their own Salesforce data through the Salesloft Drift tokens. The lesson is that a SaaS tenant is only as secure as the weakest integration that has been granted a token to it.

Mitigation and Response Strategies

Salesforce administrators should enforce multi-factor authentication, set connected-app policies so that only admin-approved apps and pre-authorized users can obtain API access, review every installed connected app and revoke those nobody can vouch for, and restrict API access by IP range where the integration allows it. Organizations that used Salesloft Drift should assume the associated tokens were stolen, revoke them, and rotate any credentials that were ever pasted into Salesforce records, support Cases in particular. Incident responders should pull the Salesforce event logs and look for bulk API jobs and large query result sets from unfamiliar connected apps or client IPs, and should assume that anything readable through the API has already been read.
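The log review in the last paragraph boils down to three questions per (user, connected app) pair: is the app approved, how many rows did it pull, and did an approved app suddenly operate from an address it never used before (the shape of a stolen token). The following is an added example for this digest, not Salesforce's, Google's or the FBI's code. Real Salesforce EventLogFile rows carry more columns than this; the column layout, the app names, users, addresses, allowlist and thresholds are all constructed assumptions.

```python
"""Flag suspicious Salesforce API data access from event-log rows.

Added example, not Salesforce's or the FBI's code. Real EventLogFile rows
(ApiEvent, BulkApi2, ...) carry more columns; the layout, app names, users,
addresses and thresholds here are constructed.
"""
import csv
import io
from collections import defaultdict

# Assumed allowlist: connected apps the admin team has actually approved.
APPROVED_APPS = {"Salesforce for Outlook", "Marketing Sync"}
# Assumed baseline: the addresses an approved integration normally calls from.
KNOWN_APP_IPS = {"Marketing Sync": {"198.51.100.20"}}
# Assumed ceiling for rows one (user, app) pair may pull in a day.
MAX_ROWS_PER_USER_APP = 50_000

# Constructed sample: carol was talked into authorizing "Ticket Loader";
# dave's legitimate "Marketing Sync" token is being used from a new address.
SAMPLE_EVENTS = """\
timestamp,user,connected_app,api_type,rows,client_ip
2025-09-19T08:01:00Z,alice@example.com,Marketing Sync,REST,1200,198.51.100.20
2025-09-19T08:05:00Z,bob@example.com,Salesforce for Outlook,REST,40,198.51.100.21
2025-09-19T09:10:00Z,carol@example.com,Ticket Loader,Bulk,250000,203.0.113.9
2025-09-19T09:12:00Z,carol@example.com,Ticket Loader,Bulk,180000,203.0.113.9
2025-09-19T10:00:00Z,alice@example.com,Marketing Sync,REST,900,198.51.100.20
2025-09-19T11:30:00Z,dave@example.com,Marketing Sync,Bulk,75000,198.51.100.22
"""


def summarize(events_csv):
    """Aggregate rows returned, client IPs and Bulk API use per (user, app)."""
    totals = defaultdict(int)
    ips = defaultdict(set)
    bulk = defaultdict(bool)
    for row in csv.DictReader(io.StringIO(events_csv)):
        key = (row["user"], row["connected_app"])
        totals[key] += int(row["rows"])
        ips[key].add(row["client_ip"])
        bulk[key] = bulk[key] or row["api_type"] == "Bulk"
    return {key: {"rows": totals[key], "ips": sorted(ips[key]), "bulk": bulk[key]}
            for key in totals}


def findings(events_csv, approved=APPROVED_APPS, known_ips=KNOWN_APP_IPS,
             max_rows=MAX_ROWS_PER_USER_APP):
    """Return one finding per (user, app) pair that breaks a rule, with reasons."""
    out = []
    for (user, app), s in sorted(summarize(events_csv).items()):
        reasons = []
        if app not in approved:
            # UNC6040's route: a connected app the victim was talked into authorizing.
            reasons.append("connected app not on the approved list")
        if s["rows"] > max_rows:
            reasons.append(f"{s['rows']} rows returned exceeds {max_rows}")
        baseline = known_ips.get(app)
        if baseline is not None:
            strange = [ip for ip in s["ips"] if ip not in baseline]
            if strange:
                # UNC6395's route: a legitimate integration's token used from elsewhere.
                reasons.append("approved app used from unexpected address "
                               + ", ".join(strange))
        if reasons:
            out.append({"user": user, "app": app, "rows": s["rows"],
                        "bulk_api": s["bulk"], "client_ips": s["ips"],
                        "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f"{f['user']} via {f['app']} ({f['rows']} rows, bulk={f['bulk_api']}):")
        for reason in f["reasons"]:
            print("   -", reason)
```

Aggregating by (user, app) rather than by user alone is the point: a rogue connected app exporting 430,000 rows under a legitimate user's identity is invisible in a per-user total if that user also has a legitimate high-volume integration. The address baseline is what separates "our vendor's integration" from "someone holding our vendor's token".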

Active Exploitation of Zero-Day Vulnerability in Google Chrome

On September 17, 2025, Google shipped an emergency Chrome stable update for CVE-2025-10585, a type confusion vulnerability in the V8 JavaScript engine, stating that an exploit for it exists in the wild. The bug was reported by Google's Threat Analysis Group the day before the fix, which usually means it was found in use against targeted victims rather than in a bug bounty submission.

Nature of the Vulnerability and Exploit Chains

A type confusion in V8 lets a malicious web page corrupt memory inside the renderer process, which is enough for code execution in that process once the victim visits or is redirected to the attacker's page. Reaching the operating system still requires a second bug to escape the renderer sandbox; in-the-wild Chrome exploit chains routinely pair the two, but Google has published no details of this chain beyond the V8 fix, so the full extent of what the attackers achieved on victim devices is not public.

Patch Availability and Urgent Action Steps

Chrome users on Windows, macOS, and Linux should update to Chrome 140.0.7339.185 or later and relaunch the browser, since the fix does not take effect until Chrome restarts. Other Chromium-based browsers ship the same V8 code and need their own vendor updates. For fleets, the question is not whether the update was pushed but whether each endpoint is actually running a fixed build; that is what closes off this bug as an initial access route for credential theft, spyware, and malware deployment campaigns.
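Confirming fleet-wide compliance means comparing the version each endpoint reports against the fixed build, and the usual mistake is comparing the strings rather than the numbers. This is an added example for this digest, not Google's tooling: the inventory lines (as `chrome --version` would print them) are constructed, and the minimum version is an assumption that should be set from Google's release note for the update being tracked.

```python
"""Check a browser inventory against the minimum fixed Chrome build.

Added example, not Google's tooling. The inventory is constructed and the
minimum version is an assumption taken from the release note you are
tracking; change MIN_FIXED for a different update.
"""
import re

# Assumed: first stable build that carries the fix being tracked.
MIN_FIXED = "140.0.7339.185"

# Constructed inventory: hostname -> output of `google-chrome --version`
# (or the Windows/macOS equivalent) collected by the endpoint agent.
INVENTORY = {
    "ws-001": "Google Chrome 140.0.7339.186",
    "ws-002": "Google Chrome 140.0.7339.127",
    "mac-014": "Google Chrome 140.0.7339.185",
    "lnx-007": "Chromium 139.0.7258.154 snap",
    "lnx-009": "Google Chrome 140.0.7339.9",
}

VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def version_from_cli(output):
    """Pull the four-part version out of `chrome --version`-style output."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError(f"no Chrome version found in {output!r}")
    return match.group(1)


def parse_version(text):
    """'140.0.7339.185' -> (140, 0, 7339, 185).

    Comparing as tuples of ints is what makes 140.0.7339.9 come out OLDER
    than 140.0.7339.185; as strings, '9' > '1' would call it newer.
    """
    return tuple(int(part) for part in text.split("."))


def is_fixed(version, minimum=MIN_FIXED):
    """True if the reported build is at or above the fixed build.

    A higher major version on another channel is assumed to include the fix;
    check the release notes for that channel if you need certainty.
    """
    return parse_version(version) >= parse_version(minimum)


def noncompliant(inventory, minimum=MIN_FIXED):
    """Hosts whose reported Chrome is below the fixed build, sorted by name."""
    return sorted(host for host, raw in inventory.items()
                  if not is_fixed(version_from_cli(raw), minimum))


if __name__ == "__main__":
    for host in noncompliant(INVENTORY):
        print(f"{host}: {version_from_cli(INVENTORY[host])} < {MIN_FIXED}")
```

A reported version is only as reliable as the agent that collected it; a browser that has downloaded the update but not been relaunched will still report the old build, which is the right answer here, since the old code is what is running.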

Security Implications for Enterprise Environments

Because Chrome is the front door to most SaaS and internal web applications, a working exploit is a direct route to initial compromise on a workstation, and from there to credential theft and lateral movement. Beyond patching, teams can shrink the blast radius with Chrome enterprise policies: DownloadRestrictions to block dangerous downloads, ExtensionInstallBlocklist and ExtensionInstallAllowlist to control which extensions can be installed, and running the browser under a non-administrative account so that a renderer escape does not land with elevated privileges. Monitoring for unusual child processes spawned by the browser remains the most direct detection for a successful chain.

U.S. Defense Department Enhances Cybersecurity Requirements for Contractors

On September 10, 2025, the U.S. Department of Defense (DoD) published a final rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC) program in contracts. The rule takes effect on November 10, 2025 and phases CMMC requirements into solicitations over roughly three years, with the aim of verifying, rather than taking on trust, that contractors handling defense information protect it against nation-state and criminal actors.

Key Requirements and Controls Added

Rather than adding new controls, the rule makes compliance with existing ones a condition of award. Contractors that handle only Federal Contract Information must meet CMMC Level 1, the 15 basic safeguarding requirements of FAR 52.204-21, with an annual self-assessment. Those that handle Controlled Unclassified Information (CUI) must meet Level 2, the 110 controls of NIST SP 800-171, assessed either by self-assessment or by a certified third-party assessment organization (C3PAO) as the solicitation specifies. The most sensitive programs require Level 3, which adds controls from NIST SP 800-172 and is assessed by the government. At every level a senior company official must affirm continuing compliance in the Supplier Performance Risk System (SPRS), at the time of award and annually thereafter.

Reporting and Enforcement Provisions

Incident reporting obligations come from the existing clause DFARS 252.204-7012, which requires contractors to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery, to preserve images of affected systems and relevant monitoring data for at least 90 days, and to provide them to DoD on request. What the CMMC rule adds is enforcement on the controls side: a contractor without a current CMMC status at the required level is ineligible for award, and because the annual affirmation is a representation to the government, a knowingly false one exposes the company to False Claims Act liability, which the Department of Justice has already pursued against contractors under its Civil Cyber-Fraud Initiative.

Strategic Implications for the Defense Industrial Base

The practical effect is that cybersecurity posture becomes a gate on revenue for the defense industrial base. Contractors, and the subcontractors they flow the requirement down to, need to scope where CUI lives, implement and document the NIST SP 800-171 controls, close gaps before an assessment rather than after, and maintain the evidence that an assessor or an affirmation will rely on, or risk exclusion from competitions once the phased rollout reaches their contracts.
