Instead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.
SYSTEMBC
SystemBC, also known as Coroxy and DroxiDat, is a Windows malware family active since at least 2018 that is primarily used as a SOCKS5 proxy and backdoor to provide covert remote access and traffic tunneling on compromised hosts.
Profile source: Mallory opens in a new tabSYSTEMBC
Family profile
SystemBC, also known as Coroxy and DroxiDat, is a Windows malware family active since at least 2018 that is primarily used as a SOCKS5 proxy and backdoor to provide covert remote access and traffic tunneling on compromised hosts. It is widely used in cybercrime operations, especially as an enabling component for ransomware intrusions, where it helps operators maintain a hidden foothold, relay command-and-control traffic through victim systems, deliver additional payloads, and support post-compromise operations. SystemBC has been associated with numerous criminal ecosystems and ransomware-linked actors, including Conti, Ryuk, DarkSide, Black Basta, Play, Rhysida, Hive, Vice Society, 8BASE, Egregor, Avaddon, Cuba, Maze, and FIN12-linked activity.
SystemBC is commonly deployed after initial access rather than as the first-stage payload. Delivery has been observed through loaders and other malware families, spearphishing campaigns, and earlier exploit-kit activity including RIG and Fallout. It is frequently paired with tooling such as Cobalt Strike and is often installed during broader intrusions that involve reconnaissance, credential abuse, lateral movement, and ransomware staging.
On execution, SystemBC typically gathers basic system and user information, establishes persistence, and prevents duplicate execution through a mutex. Observed persistence mechanisms include scheduled tasks and registry-based autorun methods, and some variants copy themselves into user-accessible or temporary locations before continuing execution. The malware repeatedly attempts to contact command-and-control infrastructure, sends host metadata, and then waits for operator commands or follow-on malware deployment.
A defining feature of SystemBC is its proxying capability. Most documented variants create a SOCKS5 channel that allows attackers to route malicious traffic through infected machines, conceal downstream infrastructure, and blend communications into normal-looking network activity. SystemBC has also been described as supporting encrypted command-and-control, with some newer variants shifting from simpler TCP-based communications toward Tor-like networking to improve stealth and resilience. In addition to proxying, reported capabilities include remote command execution, downloading and launching additional payloads, in-memory execution of binaries and scripts, and support for data exfiltration as part of ransomware or hands-on-keyboard operations.
SystemBC remains in demand in underground markets because it provides reliable covert access and network relay functionality that can be reused across many intrusion types. Its long-term prevalence, modular use in post-compromise workflows, and repeated appearance alongside major ransomware operations make it a significant malware enabler in the contemporary cybercrime ecosystem.
Capabilities
- Defense Evasion
- Exfiltration
- Persistence
- Post Exploitation
- Reconnaissance
- Spoofing
Reported operators
Threat actors
27 named in public reportingInstead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.
Instead of direct 443 backconnects and SystemBC proxies (with TitanPlus registry entries), it uses DNS-based C2 via public resolvers.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT... In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker.
they executed a PowerShell command to download additional payloads from a remote location using a Cobalt Strike Beacon, maintaining persistence throughout this process using SystemBC.
TA577, are a Russia-based threat group that have been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
SystemBC is primarily used as a SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data... 8base uses SystemBC to encrypt command and control traffic...
SYSTEMBC is a tunneler written in C that retrieves proxy-related commands from a command-and-control (C2 or C&C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system.
Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally.
Les attaquants ont utilisé leur accès de bureau à distance afin d’exécuter deux portes dérobées : SystemBC et Cobalt Strike.
The campaign, internally dubbed "FortiSync Quasar," revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC.
Attackers leverage credential theft, lateral movement tools (Cobalt Strike, SystemBC), and social engineering (notably by UNC3944/Scattered Spider) to escalate privileges and deploy Linux-based ESXi encryptors.
"Additional Resources ... SystemBC"; "Exfiltration Over C2 Channel (performed by SystemBC and Rclone)"
...two more backdoors, MeshCentral Agent and SystemBC...
"...installed persistence mechanisms using custom tools and a SystemBC implant."
Arctic Wolf has spotted a financially motivated group named Greedy Sponge target organizations in Mexico with malspam that delivers versions of AllaKore RAT and SystemBC.
"Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic..."
"First seen in 2019, SystemBC is a proxy and remote administrative tool... favored by actors behind high-profile ransomware campaigns."
SYSTEMBC is a proxy malware that beacons to its C2 and opens new proxy connections between the C2 and remote hosts as indicated by the C2.
SystemBC is a socks5 backdoor with the ability to communicate over TOR.
X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware, with several dynamic subclusters sharing crypters, malware frameworks, and ransomware variants.
Exploited software
Vulnerabilities linked to SYSTEMBC
6 CVEsMITRE ATT&CK
SYSTEMBC in ATT&CK
59 distinct techniquesTechniques
59 techniquesReporting
Research mentioning SYSTEMBC
No Manners Here: The Ruthless Rise of The Gentlemen Ransomware
Command and Control: Monitor for anomalous outbound traffic over non-standard ports or traffic matching known SystemBC communication signatures.
Gentlemen Ransomware Expands Global Attack Campaigns
Additional persistence observed: AnyDesk remote access software, Cloudflare Zero Trust tunnels, SystemBC SOCKS5 proxy.
Hackers Use SystemBC Malware to Hide C2 Traffic and Maintain Persistent Access
Known as SystemBC, this malware helps threat actors maintain a hidden foothold inside targeted systems while routing harmful traffic through unsuspecting hosts. SystemBC, also tracked under the alias Coroxy, is a Windows malware that works as a SOCKS5 proxy, a backdoor, and a remote access tool all in one.
Правоохранители очистили 15 000 сайтов, зараженных SocGholish - Хакер
Также в прошлые годы операция затрагивала инфраструктуру SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, SystemBC...
Operation Endgame Disrupts SocGholish Malware Infrastructure
In May 2024, the operation resulted in seizing around 100 servers belonging to dropper networks, including IcedID, SystemBC, Smokeloader, Trickbot, Pikabot, and Bumblebee
Gentlemen ransomware uses multiple EDR killers to disable defenses
The Gentlemen RaaS previously compromised the Romanian energy provider Oltenia and has been linked to a SystemBC proxy malware botnet with over 1,570 hosts, believed to be corporate victims.
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
Previously, Operation Endgame has also targeted ransomware infrastructure, Smokeloader botnet customers and servers, the AVCheck site, and various other major malware operations, including DanaBot, IcedID, Pikabot, Trickbot, Smokeloader, Bumblebee, and SystemBC.
Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase
File Hash (SHA-256) aa6e5529831b62cb27211b4918dd6da15ac7e69dbcc8621671dccf6df151c5a2 SystemBC (Interlock staging server)