SystemBC

Also known as: Coroxy, DroxiDat

SystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim’s network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums.

Linked Threat Actors

Vanilla Tempest

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jun 3, 2026: C2 Hosts: 1
Jun 1, 2026: C2 Hosts: 4

Further Reading

arcticwolf.com
asec.ahnlab.com
blog.lumen.com
blog.reversinglabs.com
blog.talosintelligence.com
blogs.vmware.com
cloud.google.com
community.riskiq.com
cyber.wtf
docs.velociraptor.app
github.com
isc.sans.edu
labs.f-secure.com
mandiant.widen.net
medium.com
medium.com
news.sophos.com
news.sophos.com
news.sophos.com
securelist.com
securityintelligence.com
services.google.com
symantec-enterprise-blogs.security.com
thedfirreport.com
thedfirreport.com
web.archive.org
bitsight.com
bitsight.com
cert.ssi.gouv.fr
cisa.gov
crowdstrike.com
elastic.co
esentire.com
europol.europa.eu
fireeye.com
first.org
intel471.com
intrinsec.com
kroll.com
kroll.com
logpoint.com
mandiant.com
microsoft.com
microsoft.com
microsoft.com
proofpoint.com
rapid7.com
rapid7.com
reliaquest.com
youtube.com