Skip to content
Malware family Windows

SYSTEMBC

SystemBC, also known as Coroxy and DroxiDat, is a Windows malware family active since at least 2018 that is primarily used as a SOCKS5 proxy and backdoor to provide covert remote access and traffic tunneling on compromised hosts.

Profile source: Mallory opens in a new tab

SYSTEMBC

Family profile

SystemBC, also known as Coroxy and DroxiDat, is a Windows malware family active since at least 2018 that is primarily used as a SOCKS5 proxy and backdoor to provide covert remote access and traffic tunneling on compromised hosts. It is widely used in cybercrime operations, especially as an enabling component for ransomware intrusions, where it helps operators maintain a hidden foothold, relay command-and-control traffic through victim systems, deliver additional payloads, and support post-compromise operations. SystemBC has been associated with numerous criminal ecosystems and ransomware-linked actors, including Conti, Ryuk, DarkSide, Black Basta, Play, Rhysida, Hive, Vice Society, 8BASE, Egregor, Avaddon, Cuba, Maze, and FIN12-linked activity.

SystemBC is commonly deployed after initial access rather than as the first-stage payload. Delivery has been observed through loaders and other malware families, spearphishing campaigns, and earlier exploit-kit activity including RIG and Fallout. It is frequently paired with tooling such as Cobalt Strike and is often installed during broader intrusions that involve reconnaissance, credential abuse, lateral movement, and ransomware staging.

On execution, SystemBC typically gathers basic system and user information, establishes persistence, and prevents duplicate execution through a mutex. Observed persistence mechanisms include scheduled tasks and registry-based autorun methods, and some variants copy themselves into user-accessible or temporary locations before continuing execution. The malware repeatedly attempts to contact command-and-control infrastructure, sends host metadata, and then waits for operator commands or follow-on malware deployment.

A defining feature of SystemBC is its proxying capability. Most documented variants create a SOCKS5 channel that allows attackers to route malicious traffic through infected machines, conceal downstream infrastructure, and blend communications into normal-looking network activity. SystemBC has also been described as supporting encrypted command-and-control, with some newer variants shifting from simpler TCP-based communications toward Tor-like networking to improve stealth and resilience. In addition to proxying, reported capabilities include remote command execution, downloading and launching additional payloads, in-memory execution of binaries and scripts, and support for data exfiltration as part of ransomware or hands-on-keyboard operations.

SystemBC remains in demand in underground markets because it provides reliable covert access and network relay functionality that can be reused across many intrusion types. Its long-term prevalence, modular use in post-compromise workflows, and repeated appearance alongside major ransomware operations make it a significant malware enabler in the contemporary cybercrime ecosystem.

Capabilities

  • Defense Evasion
  • Exfiltration
  • Persistence
  • Post Exploitation
  • Reconnaissance
  • Spoofing

Reported operators

Threat actors

27 named in public reporting
Storm-1811

Instead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.

Blitz Brigantine

Instead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.

STAC5777

Instead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.

WIZARD SPIDER

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

RomCom

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

WizardSpider

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

GoldDupont

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

Maze Team

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

RiddleSpider

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.

DragonForce

they executed a PowerShell command to download additional payloads from a remote location using a Cobalt Strike Beacon, maintaining persistence throughout this process using SystemBC.

TA577

TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.

8Base

SystemBC is primarily used as a SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data... 8base uses SystemBC to encrypt command and control traffic...

UNC4393

SYSTEMBC is a tunneler written in C that retrieves proxy-related commands from a command-and-control (C2 or C&C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system.

TheGentlemen

Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.

Vanilla Tempest

Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally.

PISTACHE TEMPEST

Les attaquants ont utilisé leur accès de bureau à distance afin d’exécuter deux portes dérobées : SystemBC et Cobalt Strike.

Mora_001

The campaign, internally dubbed "FortiSync Quasar," revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC.

Scattered Spider

Attackers leverage credential theft, lateral movement tools (Cobalt Strike, SystemBC), and social engineering (notably by UNC3944/Scattered Spider) to escalate privileges and deploy Linux-based ESXi encryptors.

BlackBasta

"Additional Resources ... SystemBC"; "Exfiltration Over C2 Channel (performed by SystemBC and Rclone)"

Fox Kitten

...two more backdoors, MeshCentral Agent and SystemBC...

Storm-0506

"...installed persistence mechanisms using custom tools and a SystemBC implant."

Greedy Sponge

Arctic Wolf has spotted a financially motivated group named Greedy Sponge target organizations in Mexico with malspam that delivers versions of AllaKore RAT and SystemBC.

Ryuk actors

"Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic..."

TAC5279

"First seen in 2019, SystemBC is a proxy and remote administrative tool... favored by actors behind high-profile ransomware campaigns."

UNC2198

SYSTEMBC is a proxy malware that beacons to its C2 and opens new proxy connections between the C2 and remote hosts as indicated by the C2.

REF9019

SystemBC is a socks5 backdoor with the ability to communicate over TOR.

Hive0163

X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware, with several dynamic subclusters sharing crypters, malware frameworks, and ransomware variants.

Exploited software

Vulnerabilities linked to SYSTEMBC

6 CVEs

MITRE ATT&CK

SYSTEMBC in ATT&CK

59 distinct techniques

Techniques

59 techniques
T1071 Application Layer Protocol T1021 Remote Services T1567 Exfiltration Over Web Service T1057 Process Discovery T1547.001 Registry Run Keys / Startup Folder T1082 System Information Discovery T1090 Proxy T1027 Obfuscated Files or Information T1059.001 PowerShell T1070.004 File Deletion T1564.003 Hidden Window T1053 Scheduled Task/Job T1036 Masquerading T1566 Phishing T1620 Reflective Code Loading T1059 Command and Scripting Interpreter T1190 Exploit Public-Facing Application T1105 Ingress Tool Transfer T1078.002 Domain Accounts T1021.002 SMB/Windows Admin Shares T1608.001 Upload Malware T1562 Impair Defenses T1090.003 Multi-hop Proxy T1021.004 SSH T1059.003 Windows Command Shell T1570 Lateral Tool Transfer T1053.005 Scheduled Task T1059.005 Visual Basic T1133 External Remote Services T1078 Valid Accounts T1090.002 External Proxy T1553.002 Code Signing T1027.002 Software Packing T1047 Windows Management Instrumentation T1074 Data Staged T1583 Acquire Infrastructure T1588.001 Malware T1041 Exfiltration Over C2 Channel T1132.002 Non-Standard Encoding T1583.004 Server T1572 Protocol Tunneling T1036.005 Match Legitimate Resource Name or Location T1055 Process Injection T1486 Data Encrypted for Impact T1071.004 DNS T1071.001 Web Protocols T1588.002 Tool T1571 Non-Standard Port T1090.001 Internal Proxy T1573.001 Symmetric Cryptography T1573 Encrypted Channel T1583.001 Domains T1112 Modify Registry T1189 Drive-by Compromise T1218 System Binary Proxy Execution T1566.003 Spearphishing via Service T1204.002 Malicious File T1219 Remote Access Tools T1204 User Execution

Reporting

Research mentioning SYSTEMBC

Jul 10
Palo Alto Networks Unit 42

No Manners Here: The Ruthless Rise of The Gentlemen Ransomware

Command and Control: Monitor for anomalous outbound traffic over non-standard ports or traffic matching known SystemBC communication signatures.

Jul 7
Cyber Security News

Gentlemen Ransomware Expands Global Attack Campaigns

Additional persistence observed: AnyDesk remote access software, Cloudflare Zero Trust tunnels, SystemBC SOCKS5 proxy.

Jun 30
Cyber Security News

Hackers Use SystemBC Malware to Hide C2 Traffic and Maintain Persistent Access

Known as SystemBC, this malware helps threat actors maintain a hidden foothold inside targeted systems while routing harmful traffic through unsuspecting hosts. SystemBC, also tracked under the alias Coroxy, is a Windows malware that works as a SOCKS5 proxy, a backdoor, and a remote access tool all in one.

Jun 22
Xakep

Правоохранители очистили 15 000 сайтов, зараженных SocGholish - Хакер

Также в прошлые годы операция затрагивала инфраструктуру SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, SystemBC...

Jun 18
Hackread

Operation Endgame Disrupts SocGholish Malware Infrastructure

In May 2024, the operation resulted in seizing around 100 servers belonging to dropper networks, including IcedID, SystemBC, Smokeloader, Trickbot, Pikabot, and Bumblebee

Jun 18
Bleeping Computer

Gentlemen ransomware uses multiple EDR killers to disable defenses

The Gentlemen RaaS previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims.

Jun 18
Bleeping Computer

Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp

Previously, Operation Endgame has also targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and various other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.

Jun 16
Cyber Security News

Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase

File Hash (SHA-256) aa6e5529831b62cb27211b4918dd6da15ac7e69dbcc8621671dccf6df151c5a2 SystemBC (Interlock staging server)

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.