SYSTEMBC
SystemBC is a C-based tunneler/proxy malware primarily used to provide SOCKS5 proxying between compromised hosts and attacker-controlled infrastructure. It communicates with command-and-control servers over TCP using a custom binary protocol; the cited reporting also notes its use as a SOCKS5 TOR proxy, RC4-encrypted C2 traffic in some cases, and its use to retrieve proxy-related commands and, in some variants, additional payloads over HTTP. Across the cited reporting, SystemBC is used to execute commands, maintain persistence, deploy follow-on payloads, conceal command-and-control traffic, and support data exfiltration. It has also been observed on ESXi hosts, including a binary named socks.out believed to be SystemBC proxy malware.
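Because the family's core function is SOCKS5 proxying, the opening of a SOCKS5 session is a useful thing for defenders to recognize in traffic to unexpected ports. The following is an added example, not code from this page or from any SystemBC sample: it parses the two messages that open a SOCKS5 session per RFC 1928 (client greeting and CONNECT request), using constructed sample bytes rather than captured traffic.

```python
# Added example (not from the Mallory page or a SystemBC sample): parse the
# SOCKS5 greeting and CONNECT request (RFC 1928) from a TCP stream's first bytes.
import ipaddress
import struct

# Constructed sample bytes, not captured traffic.
# Greeting: VER=5, NMETHODS=1, METHODS=[0x00 "no authentication"]
SAMPLE_GREETING = b"\x05\x01\x00"
# Request: VER=5, CMD=1 CONNECT, RSV=0, ATYP=3 domain, len=11, name, port 443
SAMPLE_CONNECT = b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"

def parse_greeting(data: bytes):
    """Return the offered auth methods, or None if this is not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])

def parse_request(data: bytes):
    """Return (cmd, host, port) from a SOCKS5 request, or None if malformed."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 0x01:          # IPv4: 4 address bytes follow
        end = 8
    elif atyp == 0x03:        # domain name: one length byte, then the name
        if len(data) < 5:
            return None
        end = 5 + data[4]
    elif atyp == 0x04:        # IPv6: 16 address bytes follow
        end = 20
    else:
        return None
    if len(data) < end + 2:   # address plus the two port bytes must be present
        return None
    if atyp == 0x01:
        host = str(ipaddress.IPv4Address(data[4:8]))
    elif atyp == 0x04:
        host = str(ipaddress.IPv6Address(data[4:20]))
    else:
        host = data[5:end].decode("ascii", errors="replace")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return cmd, host, port

def is_socks5_connect(greeting: bytes, request: bytes) -> bool:
    # True when a stream opens with a valid greeting followed by a CONNECT request.
    parsed = parse_request(request)
    return parse_greeting(greeting) is not None and parsed is not None and parsed[0] == 0x01
```

Feed it the first client-to-server bytes of a flow; a successful parse on a port that should carry no proxy traffic (such as the 443 endpoints cited above) is worth a closer look.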
SystemBC appears repeatedly as an enabling malware within ransomware and intrusion ecosystems rather than as a standalone end-stage payload. The cited reporting links it to multiple threat actors and operations, including TA577 phishing campaigns since 2020; 8Base intrusions using Phobos ransomware; DragonForce intrusions where persistence was maintained with SystemBC alongside Cobalt Strike; DarkSide ransomware operations; Black Basta activity, where RunTimeListen.exe executed the SystemBC/Coroxy backdoor; UNC4393/BASTA operations; The Gentlemen ransomware operation, which used SystemBC for C2 through a SOCKS5 proxy with RC4 encryption and Cobalt Strike as backup C2; Conti/TrickBot-associated ecosystems; Danabot-delivered payload chains; and a SystemBC botnet linked in reporting to The Gentlemen with more than 1,570 hosts believed to be corporate victims.
Observed delivery and infection contexts in the cited reporting include phishing campaigns, loader ecosystems, and post-compromise deployment. Proofpoint reporting cited here says TA577 delivered SystemBC along with Qbot, IcedID, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns. Danabot has distributed SystemBC as a follow-on payload. In one Kaspersky-described intrusion in Colombia, attackers first deployed RustyStealer, then used stolen credentials, WinRM, and PowerShell remote control to move laterally and execute two PowerShell scripts confirmed as part of the SystemBC threat; those scripts established covert channels to 94.158.244[.]69:443, and a related variant communicated with 5.255.117[.]134:80 and included functions indicating file exfiltration behavior.
The malware is strongly associated in the cited reporting with ransomware enablement and lateral operations across Windows and virtualized environments. It has been used by different ransomware operators as a SOCKS5 proxy for communications, data exfiltration, and downloading malicious modules. Reporting cited here associates SystemBC with ransomware groups including Cuba, BlackBasta, Play, BlackSuit, Rhysida, and 8Base, and with commodity malware ecosystems including SmokeLoader, Gootloader, and ModernLoader. Operation Endgame repeatedly targeted SystemBC infrastructure alongside other loaders and botnets, including seizures in May 2024.
High-confidence indicators explicitly mentioned in the cited reporting include SHA-256 aa6e5529831b62cb27211b4918dd6da15ac7e69dbcc8621671dccf6df151c5a2 identified as SystemBC on an Interlock staging server; PowerShell-script MD5 hashes 5384d704fadf229d08eab696404cbba6 and 39df773139f505657d11749804953be5 associated with SystemBC activity; related SHA-256 values 8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c, 51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03, and b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a; C2 endpoints 94.158.244[.]69:443 and 5.255.117[.]134:80; and the filename socks.out for an ESXi-host sample believed to be SystemBC.
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories.
In one intrusion, we observed the Black Basta operator exploiting the PrintNightmare vulnerability and dropping spider.dll as the payload.
The primary initial-access vector is exploitation of CVE-2024-55591, an authentication bypass in Fortinet FortiOS and FortiProxy with a CVSS score of 9.8. The vulnerability was disclosed in January 2025; proof-of-concept code circulated quickly, and mass exploitation of unpatched edge devices followed.
multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, are also exploiting three vulnerabilities - CVE-2024-57727 - in remote monitoring and management tool SimpleHelp to conduct remote code execution at many U.S.-based entities
Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Attackers leverage credential theft, lateral movement tools (Cobalt Strike, SystemBC), and social engineering (notably by UNC3944/Scattered Spider) to escalate privileges and deploy Linux-based ESXi encryptors.
We observed the execution of the ProxyLogon exploit. Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Groups observed using it
20 distinct threat actors attributed by public researchers.
they executed a PowerShell command to download additional payloads from a remote location using a Cobalt Strike Beacon, maintaining persistence throughout this process using SystemBC.
TA577 is a Russia-based threat group that has been reported to deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike in ongoing phishing campaigns since 2020.
SystemBC is primarily used as a SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data... 8Base uses SystemBC to encrypt command and control traffic...
SYSTEMBC is a tunneler written in C that retrieves proxy-related commands from a command-and-control (C2 or C&C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC to act as a proxy between the C2 server and a remote system.
Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.
DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
Initial Access
5 techniques
In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network.
The DragonForce ransomware group initially infiltrated the victim system network via a remote desktop server and attempted persistent logins using valid domain accounts (Domain Accounts, T1078.002).
The program is commonly used for persistent access to a victim network or left behind as a secondary ingress point in case the primary is discovered and remediated.
Execution
5 techniques
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
DarkSide follows generally the same tactics, techniques, and procedures of many other targeted ransomware campaigns — a mix of native Windows features, commodity malware... and off-the-shelf system and exploit tools...
After successfully logging in, they executed a PowerShell command (PowerShell, T1059.001) to download additional payloads from a remote location using a Cobalt Strike Beacon, maintaining persistence throughout this process using SystemBC.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution. During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Contagious Interview has utilized VBS scripts to open cmd.exe and run commands to include the go_batch.bat batch file. During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script. SystemBC has used cmd.exe to execute VBS scripts, BAT scripts and CMD scripts.
Persistence
4 techniques
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network.
Privilege Escalation
3 techniques
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
Stealth
4 techniques
The collected data is RC4-encrypted with a hard-coded key before it is sent to CnC, using a socket connection handled by the malware's mini-tor library and socket APIs.
In some cases, the SystemBC RAT was deployed to servers after the attackers had gained administrative credentials and moved deep into the targeted network.
Discovery
1 technique
When the bot is executed from the scheduled task, it collects the following information, stores it in a buffer, and sends it to CnC through the Tor connection: the active Windows user name, the Windows build number for the infected system, a WOW process check (whether the OS on the infected system is 32-bit or 64-bit), and the volume serial number.
Lateral Movement
4 techniques
The threat actor has been observed dropping a self-extracting archive containing all the files needed to run the NetSupport Manager application... In other cases, we have observed the usage of Splashtop, GoToAssist, Atera Agent...
Using PSExec, Remote Desktop connections, and (in the case of Linux servers) SSH to move laterally within the network...
Command and Control
4 techniques
SystemBC has been used by other ransomware groups as a way to encrypt and conceal the destination of the attackers' Command and Control traffic. 8Base uses SystemBC to encrypt command and control traffic...
SystemBC is primarily used as a SOCKS5 proxy allowing for interaction between victim machines and attacker infrastructure to execute commands, deploy additional payloads or exfiltrate data.
IOCs tracked for this family
54 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
149 sources tracked across advisories, community write-ups, and news.
Backdoor/proxy malware whose infrastructure was targeted in prior Operation Endgame actions.
Named as one of the dropper networks disrupted during Operation Endgame.
Named malware operation explicitly mentioned as a prior Operation Endgame target.
A proxy malware botnet linked in the article to the Gentlemen ransomware operation, used to support bot-powered attacks across a large number of compromised hosts.