SystemBC Malware Helps Hackers Hide C2 Traffic and Keep Access Inside Networks
SystemBC malware is still helping attackers hide command-and-control traffic, tunnel through infected machines, and maintain persistent access inside compromised networks.
The malware, also tracked as Coroxy, turns infected systems into proxy nodes. Attackers can then route traffic through those machines, run commands, deliver payloads, and support ransomware operations without exposing their main infrastructure as easily.
A new Picus analysis describes SystemBC as a Windows malware family that works as a SOCKS5 proxy, backdoor, bot, and remote access tool. The report says newer versions have also shifted some command-and-control traffic toward Tor.
What is SystemBC malware?
SystemBC is a commodity malware family that gives attackers covert network access after an initial compromise. It rarely acts as the first infection stage. Instead, attackers often deploy it after another loader or intrusion method gives them access.
Its main job is simple but dangerous. It creates a tunnel through the infected host, letting attackers relay traffic, communicate with other malware, and stay connected while blending into normal network activity.
Malpedia describes SystemBC as a multiplatform proxy malware active since August 2019. It uses SOCKS5 tunnels and a custom RC4-encrypted protocol, and it can download or execute additional malware.
| SystemBC feature | What it does | Why it matters |
|---|---|---|
| SOCKS5 proxy | Routes attacker traffic through infected machines | Hides the real command-and-control infrastructure |
| Backdoor | Maintains remote access after compromise | Lets attackers return after the first intrusion |
| Loader | Runs EXE files, DLLs, scripts, and shellcode | Supports follow-on tools and ransomware deployment |
| Persistence | Uses scheduled tasks and registry Run keys | Survives reboots and user logons |
| Tor support | Moves some traffic through Tor in newer builds | Makes network detection harder |
SystemBC started as a proxy tool in exploit kit campaigns
SystemBC first appeared publicly in 2019. Proofpoint documented it as a previously unknown proxy malware distributed through Fallout and RIG exploit kit campaigns.
Those early campaigns used SystemBC to mask network traffic for other malware. Proofpoint also linked the malware to underground marketplace activity, which helped explain why it appeared across separate campaigns.
Since then, SystemBC has become a standard tool in criminal intrusion chains. It gives attackers a flexible tunnel, and its small footprint makes it easy to add to ransomware operations, credential theft, and post-exploitation activity.
Why ransomware operators use SystemBC
Ransomware crews need reliable access before encryption. They also need a way to move tools, communicate with infected systems, and avoid exposing their main infrastructure during the days or weeks before a final attack.
Sophos reported that SystemBC evolved into a Tor proxy and remote control tool used by operators behind high-profile ransomware campaigns. That shift made the malware more useful for human-operated intrusions.
Picus links SystemBC activity to ransomware families including Ryuk, Egregor, Conti, BlackBasta, Play, and Rhysida. The same SystemBC malware report says the tool can execute commands, scripts, binaries, and in-memory payloads from attacker-controlled infrastructure.
- Attackers can use SystemBC to hide C2 traffic.
- It can relay traffic from other malware through the infected host.
- It supports payload execution from the attacker's server.
- It can persist through reboots using Windows mechanisms.
- It can help attackers prepare the environment before ransomware deployment.
How SystemBC hides command-and-control traffic
SystemBC uses the victim machine as a traffic relay. Instead of every malicious tool talking directly to attacker infrastructure, traffic can pass through an infected host, making investigation and blocking harder.
The malware's C2 design has changed over time. Older versions used raw TCP and SOCKS5 behavior, while newer builds can route traffic through Tor using a client that resembles the mini-tor library.
According to SophosLabs research, SystemBC developed from a SOCKS5 proxy into a more complete remote access tool with Tor-based communications and payload-delivery capability.
| Communication method | Use in SystemBC | Detection challenge |
|---|---|---|
| SOCKS5 | Relays malicious traffic through infected hosts | Can resemble proxy or administrative traffic |
| RC4-encrypted protocol | Protects malware check-in data and commands | Limits simple packet inspection |
| Tor | Hides C2 destinations in some newer builds | Blends with encrypted anonymity-network traffic |
| Alternate DNS | Supports domain resolution in some variants | Can bypass normal DNS visibility |
SystemBC can run several payload types
SystemBC does more than proxy traffic. It can act as a remote execution engine, allowing attackers to push and run additional tools from the C2 server.
The malware can handle EXE files, DLL modules, shellcode, VBS files, BAT files, CMD files, and PowerShell scripts. Some payloads can run directly in memory, which reduces evidence left on disk.
Splunk Security Content describes SystemBC as a stealthy malware strain known for proxy and backdoor capabilities, often used by cybercriminals to facilitate ransomware attacks.
Persistence keeps the backdoor alive
After execution, SystemBC checks whether it already runs from its persistence path. If not, it can copy itself into a randomly named folder and file under ProgramData.
It then creates persistence through Windows scheduled tasks and registry Run keys. This lets the malware relaunch after a reboot or user logon, which helps attackers keep access even if the first process exits.
The same SystemBC malware profile says the malware can write payloads to disk or map them into memory. That flexibility makes file-based detection alone less reliable.
| Persistence artifact | Observed behavior | Defender action |
|---|---|---|
| ProgramData copy | Random folder and executable names | Hunt for unusual executable creation in ProgramData |
| Registry Run key | Common value name includes socks5 | Alert on suspicious CurrentVersion Run entries |
| Scheduled task | Random .job task under Windows Tasks | Review unknown scheduled tasks and task actions |
| Temporary payloads | Random files in TEMP paths | Monitor script and executable launches from temp folders |
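The persistence artifacts in the table above can be turned into a small hunting rule set. The following is an added example, not code from the article or from any vendor named in it: it runs over a handful of constructed Sysmon-style events (process create, file create, registry value set) and flags the ProgramData self-copy, the socks5 Run key value, the random .job task, and temp-folder payload launches. The "random name" pattern, the event field names, and the sample paths are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (simplified fields, not real telemetry).
# EventId 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventId": "1", "Image": r"C:\ProgramData\kqzvx\pltre.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\socks5",
     "Details": r"C:\ProgramData\kqzvx\pltre.exe"},
    {"EventId": "11", "TargetFilename": r"C:\Windows\Tasks\zhfqe.job"},
    {"EventId": "1", "Image": r"C:\Users\alice\AppData\Local\Temp\rtmva.bat",
     "ParentImage": r"C:\ProgramData\kqzvx\pltre.exe"},
    {"EventId": "1", "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventId": "11", "TargetFilename": r"C:\Windows\Tasks\Backup-Nightly.job"},
]

# "Random" is modelled as a short run of letters with no separators; the length
# bounds are an assumption for this example, not a published SystemBC constant.
RANDOM_NAME = r"[a-z]{4,12}"
PROGRAMDATA_SELF_COPY = re.compile(
    rf"^[A-Z]:\\ProgramData\\{RANDOM_NAME}\\{RANDOM_NAME}\.exe$", re.I)
TASKS_JOB = re.compile(rf"^[A-Z]:\\Windows\\Tasks\\{RANDOM_NAME}\.job$", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
TEMP_LAUNCH = re.compile(r"\\Temp\\[^\\]+\.(exe|dll|bat|cmd|vbs|ps1)$", re.I)


def hunt(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Return {event index: [rule names]} for every event that matches a rule."""
    findings: Dict[int, List[str]] = {}
    for idx, ev in enumerate(events):
        rules: List[str] = []
        eid = ev.get("EventId")
        if eid == "1":  # process create
            image = ev.get("Image", "")
            if PROGRAMDATA_SELF_COPY.match(image):
                rules.append("programdata_self_copy_launch")
            if TEMP_LAUNCH.search(image):
                rules.append("temp_payload_launch")
            if PROGRAMDATA_SELF_COPY.match(ev.get("ParentImage", "")):
                rules.append("child_of_programdata_copy")
        elif eid == "11":  # file create
            if TASKS_JOB.match(ev.get("TargetFilename", "")):
                rules.append("random_tasks_job")
        elif eid == "13":  # registry value set
            m = RUN_KEY.search(ev.get("TargetObject", ""))
            if m:
                if m.group(1).lower() == "socks5":
                    rules.append("run_key_socks5_value")
                if PROGRAMDATA_SELF_COPY.match(ev.get("Details", "")):
                    rules.append("run_key_points_to_programdata")
        if rules:
            findings[idx] = rules
    return findings


def triage(findings: Dict[int, List[str]]) -> str:
    """Crude priority: several distinct artifact types on one host is the SystemBC pattern."""
    distinct = {rule for rules in findings.values() for rule in rules}
    if len(distinct) >= 3:
        return "high"
    if distinct:
        return "medium"
    return "none"


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for idx, rules in result.items():
        print(idx, SAMPLE_EVENTS[idx].get("Image") or SAMPLE_EVENTS[idx].get("TargetFilename")
              or SAMPLE_EVENTS[idx].get("TargetObject"), rules)
    print("priority:", triage(result))
```

The point of `triage` is the article's own: any one of these artifacts can be benign noise, but a ProgramData self-copy plus a socks5 Run key plus a random .job on the same host is the combination worth paging on. The legitimate `app.exe` and the human-named `Backup-Nightly.job` are left alone.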
Recent research shows SystemBC remains active
SystemBC has not disappeared. In February 2026, Silent Push said its analysts identified more than 10,000 unique infected IP addresses tied to the SystemBC botnet family.
That report said infections were globally distributed, with high concentrations in the United States, Germany, France, Singapore, and India. It also found infections linked to sensitive infrastructure and activity that appeared connected to WordPress exploitation.
Separately, Black Lotus Labs reported in 2025 that a SystemBC-linked botnet had more than 80 command-and-control servers and a daily average of about 1,500 victims. The Black Lotus Labs research said nearly 80% of those victims were compromised VPS systems.
SystemBC also appears in newer ransomware cases
SystemBC keeps appearing in human-operated ransomware investigations. In April 2026, Check Point Research reported that an affiliate of The Gentlemen ransomware-as-a-service operation deployed SystemBC during an incident response case.
The report said SystemBC created SOCKS5 tunnels inside the victim environment and used a custom RC4-encrypted protocol. It also said the malware could download and execute additional payloads either on disk or directly in memory.
These cases show why defenders should treat SystemBC as more than a simple proxy. It can indicate that attackers have moved beyond initial access and now want durable control before data theft or ransomware deployment.
- SystemBC often appears after initial access has already occurred.
- It can support hands-on-keyboard activity by ransomware affiliates.
- It can hide traffic for other malware families.
- It can help attackers stage tools before encryption.
- It can keep access available even when other malware gets removed.
Key indicators defenders should watch
Security teams should focus on behavior, not only static signatures. SystemBC changes file names and paths across variants, but its operational patterns remain more consistent.
Look for unexpected SOCKS5 traffic, Tor connections from endpoints that do not normally use Tor, random scheduled tasks, suspicious Run key entries, and executable launches from ProgramData or TEMP folders.
The Splunk SystemBC story recommends detecting the malware through behaviors associated with proxying, backdoor activity, and ransomware enablement rather than relying only on known hashes.
| Type | Indicator | Description |
|---|---|---|
| IP address | 193.23.244.244 | Tor directory-authority gateway embedded in some SystemBC binaries |
| IP address | 86.59.21.38 | Tor directory-authority gateway embedded in some SystemBC binaries |
| IP address | 199.58.81.140 | Tor directory-authority gateway embedded in some SystemBC binaries |
| IP address | 204.13.164.118 | Tor directory-authority gateway embedded in some SystemBC binaries |
| Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence location, often with a value named socks5 |
| File path | %ProgramData%\[random]\[random].exe | Common self-copy persistence path |
| File path | C:\Windows\Tasks\[random].job | Scheduled task persistence artifact |
| DNS domain | ns1.vic.au.dns.opennic[.]glue | Alternate DNS server used by some variants |
| DNS domain | ns2.vic.au.dns.opennic[.]glue | Alternate DNS server used by some variants |
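The network indicators above, together with the "unexpected SOCKS5 traffic" behaviour the section describes, can be checked against flow and DNS records. This is an added example rather than code from the article: it matches the four Tor gateway IPs and the two OpenNIC resolver names from the table, and recognises an RFC 1928 SOCKS5 client greeting in the first bytes a client sends. The flow records, the approved proxy address, and the record layout are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Indicators from the table above (de-fanged domains restored for matching).
TOR_GATEWAY_IPS = {"193.23.244.244", "86.59.21.38", "199.58.81.140", "204.13.164.118"}
ALT_DNS_DOMAINS = {"ns1.vic.au.dns.opennic.glue", "ns2.vic.au.dns.opennic.glue"}
# Assumed: the one corporate proxy that is allowed to receive SOCKS5 sessions.
APPROVED_SOCKS_SERVERS = {"10.0.0.250"}


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS=n, followed by n method bytes."""
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    n = payload[1]
    if n == 0 or len(payload) < 2 + n:
        return False
    # 0xFF means "no acceptable methods" and is only ever sent by the server.
    return all(m != 0xFF for m in payload[2:2 + n])


# Constructed records: (src, dst, dport, first bytes sent by the client).
FLOWS: List[Tuple[str, str, int, bytes]] = [
    ("10.0.0.12", "193.23.244.244", 9001, b"\x16\x03\x01\x00\xa5"),  # TLS to a Tor gateway IP
    ("10.0.0.12", "10.0.0.44", 1080, b"\x05\x01\x00"),               # SOCKS5 greeting to a peer workstation
    ("10.0.0.7", "10.0.0.250", 1080, b"\x05\x02\x00\x02"),           # SOCKS5 to the approved proxy
    ("10.0.0.7", "203.0.113.5", 443, b"\x16\x03\x01\x02\x00"),       # ordinary TLS
]
# Constructed DNS query log: (src, queried name).
DNS_QUERIES: List[Tuple[str, str]] = [
    ("10.0.0.12", "ns1.vic.au.dns.opennic.glue"),
    ("10.0.0.7", "updates.example.com"),
]


def analyze(flows: List[Tuple[str, str, int, bytes]],
            dns_queries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {source host: sorted list of reasons} for hosts showing any indicator."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for src, dst, dport, first_bytes in flows:
        if dst in TOR_GATEWAY_IPS:
            hits[src].append(f"tor_gateway_contact:{dst}:{dport}")
        if is_socks5_greeting(first_bytes) and dst not in APPROVED_SOCKS_SERVERS:
            scope = "internal" if ipaddress.ip_address(dst).is_private else "external"
            hits[src].append(f"socks5_greeting_{scope}:{dst}:{dport}")
    for src, qname in dns_queries:
        if qname.lower().rstrip(".") in ALT_DNS_DOMAINS:
            hits[src].append(f"alt_dns_resolver:{qname}")
    return {host: sorted(reasons) for host, reasons in hits.items()}


if __name__ == "__main__":
    for host, reasons in analyze(FLOWS, DNS_QUERIES).items():
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Three unrelated signals converge on 10.0.0.12 here, which is the shape to look for; the SOCKS5 session from 10.0.0.7 to the sanctioned proxy is ignored by design. Matching on the greeting bytes rather than on port 1080 matters because nothing forces a proxy to listen on the default port.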
How organizations can reduce SystemBC risk
Organizations should reduce the chance that loaders can drop SystemBC in the first place. That means hardening endpoints, blocking risky scripts, restricting administrative privileges, and limiting outbound traffic from workstations and servers.
Network defenders should also monitor internal systems that start acting like proxies. A workstation or domain controller that suddenly relays unusual outbound traffic deserves immediate investigation.
Black Lotus Labs said the SystemBC botnet fed traffic into criminal proxy services and other parts of the cybercrime ecosystem. That makes rapid containment important even before ransomware appears.
- Block unnecessary outbound SOCKS5 and Tor traffic.
- Alert on new scheduled tasks with random names.
- Monitor Run key changes for suspicious PowerShell commands.
- Investigate executables launched from ProgramData and TEMP folders.
- Use EDR rules for in-memory payload execution and script abuse.
- Segment domain controllers and backup servers from normal workstations.
- Review proxy logs for unusual internal hosts acting as relays.
What SystemBC activity means during incident response
Finding SystemBC should raise the incident priority. It often means attackers already have access and may be preparing for credential theft, lateral movement, data exfiltration, or ransomware deployment.
Incident responders should isolate affected hosts, collect memory where possible, preserve persistence artifacts, and review outbound connections. They should also check for other tools dropped around the same time, including credential dumpers, remote access tools, and ransomware staging files.
The Check Point case study shows SystemBC's continued use in ransomware affiliate workflows. That makes full network scoping essential, not just malware removal from one endpoint.
| Response step | Reason |
|---|---|
| Isolate the host | Stops the proxy from relaying attacker traffic |
| Collect memory | May capture in-memory payloads or C2 details |
| Review persistence | Identifies scheduled tasks and Run key entries |
| Check lateral movement | Determines whether attackers reached servers or domain controllers |
| Reset exposed credentials | Reduces the chance of attacker re-entry |
| Hunt for ransomware staging | Finds preparation activity before encryption begins |
The bottom line
SystemBC remains dangerous because it does not need to be flashy. It gives attackers a quiet tunnel, remote execution, and persistence, which are exactly the capabilities ransomware operators need before a major incident.
The malware's long history also makes it easy to underestimate. SystemBC has existed for years, but recent reporting shows it still supports active criminal infrastructure, compromised hosts, and ransomware affiliate activity.
Defenders should treat SystemBC detections as signs of a broader intrusion. Removing the file is not enough. Teams need to hunt for C2 traffic, stolen credentials, remote access tools, lateral movement, and any ransomware preparation that may have followed.
FAQ
What is SystemBC?
SystemBC, also known as Coroxy, is a proxy malware and backdoor that turns infected systems into SOCKS5 tunnels. Attackers use it to hide command-and-control traffic, run payloads, and maintain access inside networks.
Why do ransomware groups use SystemBC?
Ransomware groups use SystemBC because it provides covert traffic tunneling, persistence, remote execution, and payload delivery. These capabilities help attackers stay connected while preparing for credential theft, lateral movement, data theft, or encryption.
How does SystemBC persist on infected systems?
SystemBC can copy itself into a randomly named ProgramData folder, create scheduled tasks, and add registry Run key entries. These mechanisms let it relaunch after reboots or user logons.
What are common signs of a SystemBC infection?
Common signs include unexpected SOCKS5 or Tor traffic, random scheduled tasks, suspicious CurrentVersion Run key entries, executables launched from ProgramData or TEMP folders, and unusual internal systems acting as network proxies.
What should incident response teams do when they find SystemBC?
Teams should isolate affected hosts, collect memory, preserve persistence artifacts, review outbound connections, reset exposed credentials, and hunt for lateral movement, credential theft, remote access tools, and ransomware staging activity.