SystemBC
Also known as: Coroxy, DroxiDat
SystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim’s network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums.
Linked Threat Actors
Last 7 days
| Date | C2 Hosts |
|---|---|
| Mar 5, 2026 | 2 |
Further Reading
Microsoft coined the term “human-operated ransomware” to clearly define a class of attack driven by expert human intelligence at every step of the attack chain and culminating in intentional business...
Rapid7 identified multiple intrusion attempts by threat actors utilizing TTPs that are consistent with an ongoing social engineering campaign being tracked.
In early October, Rapid7 observed a resurgence of activity related to the ongoing social engineering campaign by Black Basta ransomware operators.
Our expert Threat Hunting team shares its assessment of a Gootloader incident and details the specific tactics, techniques, and procedures (TTPs) of the attackers.