SystemBC Malware Helps Hackers Hide C2 Traffic and Keep Access Inside Networks


SystemBC malware is still helping attackers hide command-and-control traffic, tunnel through infected machines, and maintain persistent access inside compromised networks.

The malware, also tracked as Coroxy, turns infected systems into proxy nodes. Attackers can then route traffic through those machines, run commands, deliver payloads, and support ransomware operations without exposing their main infrastructure as easily.

A new Picus analysis describes SystemBC as a Windows malware family that works as a SOCKS5 proxy, backdoor, bot, and remote access tool. The report says newer versions have also shifted some command-and-control traffic toward Tor.

What is SystemBC malware?

SystemBC is a commodity malware family that gives attackers covert network access after an initial compromise. It rarely acts as the first infection stage. Instead, attackers often deploy it after another loader or intrusion method gives them access.

Its main job is simple but dangerous. It creates a tunnel through the infected host, letting attackers relay traffic, communicate with other malware, and stay connected while blending into normal network activity.

Malpedia describes SystemBC as a multiplatform proxy malware active since August 2019. It uses SOCKS5 tunnels and a custom RC4-encrypted protocol, and it can download or execute additional malware.

SystemBC feature | What it does | Why it matters
SOCKS5 proxy | Routes attacker traffic through infected machines | Hides the real command-and-control infrastructure
Backdoor | Maintains remote access after compromise | Lets attackers return after the first intrusion
Loader | Runs EXE files, DLLs, scripts, and shellcode | Supports follow-on tools and ransomware deployment
Persistence | Uses scheduled tasks and registry Run keys | Survives reboots and user logons
Tor support | Moves some traffic through Tor in newer builds | Makes network detection harder

SystemBC started as a proxy tool in exploit kit campaigns

SystemBC first appeared publicly in 2019. Proofpoint documented it as a previously unknown proxy malware distributed through Fallout and RIG exploit kit campaigns.

Those early campaigns used SystemBC to mask network traffic for other malware. Proofpoint also linked the malware to underground marketplace activity, which helped explain why it appeared across separate campaigns.

Since then, SystemBC has become a standard tool in criminal intrusion chains. It gives attackers a flexible tunnel, and its small footprint makes it easy to add to ransomware operations, credential theft, and post-exploitation activity.

Why ransomware operators use SystemBC

Ransomware crews need reliable access before encryption. They also need a way to move tools, communicate with infected systems, and avoid exposing their main infrastructure during the days or weeks before a final attack.

Sophos reported that SystemBC evolved into a Tor proxy and remote control tool used by operators behind high-profile ransomware campaigns. That shift made the malware more useful for human-operated intrusions.

Picus links SystemBC activity to ransomware families including Ryuk, Egregor, Conti, BlackBasta, Play, and Rhysida. The same SystemBC malware report says the tool can execute commands, scripts, binaries, and in-memory payloads from attacker-controlled infrastructure.

  • Attackers can use SystemBC to hide C2 traffic.
  • It can relay traffic from other malware through the infected host.
  • It supports payload execution from the attacker's server.
  • It can persist through reboots using Windows mechanisms.
  • It can help attackers prepare the environment before ransomware deployment.

How SystemBC hides command-and-control traffic

SystemBC uses the victim machine as a traffic relay. Instead of every malicious tool talking directly to attacker infrastructure, traffic can pass through an infected host, making investigation and blocking harder.

The malware's C2 design has changed over time. Older versions used raw TCP and SOCKS5 behavior, while newer builds can route traffic through Tor using a client that resembles the mini-tor library.

According to SophosLabs research, SystemBC developed from a SOCKS5 proxy into a more complete remote access tool with Tor-based communications and payload-delivery capability.

Communication method | Use in SystemBC | Detection challenge
SOCKS5 | Relays malicious traffic through infected hosts | Can resemble proxy or administrative traffic
RC4-encrypted protocol | Protects malware check-in data and commands | Limits simple packet inspection
Tor | Hides C2 destinations in some newer builds | Blends with encrypted anonymity-network traffic
Alternate DNS | Supports domain resolution in some variants | Can bypass normal DNS visibility
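The SOCKS5 behaviour in the table above is something a defender can confirm on the wire wherever the negotiation is visible in the clear (for example between an attacker tool and the proxy inside the network). The following is an added example, not code from the Picus, Sophos or Malpedia reports: a small parser for the SOCKS5 method-selection and request messages (RFC 1928) that flags a TCP stream as a proxy session only when the server's reply agrees with the client's greeting, so a stray 0x05 0x01 0x00 at the start of unrelated traffic does not trigger it. It does not decode SystemBC's own RC4-encrypted check-in channel, which the page says stays opaque to simple packet inspection. The flows, hosts, ports and the example.com destination are constructed sample data.

```python
"""Flag SOCKS5 negotiations in captured TCP streams, on any port.

Added example, not code from the Picus, Sophos or Malpedia reports.
The flows at the bottom are constructed sample data.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def parse_greeting(data):
    """Client method-selection message: VER NMETHODS METHODS (RFC 1928 s.3)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return {"methods": set(data[2:2 + nmethods]), "consumed": 2 + nmethods}


def parse_request(data):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 s.4)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp, off = data[1], data[3], 4
    if cmd not in CMD_NAMES:
        return None
    if atyp == 1 and len(data) >= off + 4:              # IPv4
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 3 and len(data) >= off + 1:            # length-prefixed domain
        n = data[off]
        off += 1
        if len(data) < off + n:
            return None
        host, off = data[off:off + n].decode("ascii", "replace"), off + n
    elif atyp == 4 and len(data) >= off + 16:           # IPv6
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        return None
    if len(data) < off + 2:
        return None
    return {"cmd": CMD_NAMES[cmd], "host": host,
            "port": struct.unpack("!H", data[off:off + 2])[0]}


def classify_stream(client_bytes, server_bytes):
    """Return a finding if the stream opens with a SOCKS5 handshake, else None.

    A 0x05 0x01 0x00 greeting alone is weak evidence, so the server's
    method-selection reply (VER METHOD) must agree with what the client offered.
    """
    greeting = parse_greeting(client_bytes)
    if greeting is None or len(server_bytes) < 2 or server_bytes[0] != SOCKS_VERSION:
        return None
    chosen = server_bytes[1]
    if chosen != 0xFF and chosen not in greeting["methods"]:
        return None  # reply does not match the offer: not a real SOCKS5 server
    return {"auth": "none" if chosen == 0 else "method_%d" % chosen,
            "request": parse_request(client_bytes[greeting["consumed"]:])}


def hunt_socks5(flows):
    """flows: dicts with src, dst, dport, client_bytes, server_bytes."""
    hits = []
    for f in flows:
        finding = classify_stream(f["client_bytes"], f["server_bytes"])
        if finding:
            hits.append({"src": f["src"], "dst": f["dst"],
                         "dport": f["dport"], "finding": finding})
    return hits


# Constructed sample flows (hosts, ports and the destination name are invented).
_connect_example = b"\x05\x01\x00\x03" + b"\x0bexample.com" + struct.pack("!H", 443)
SAMPLE_FLOWS = [
    # a proxied CONNECT to example.com:443 through a peer on an unusual port
    {"src": "10.10.1.20", "dst": "10.10.1.55", "dport": 4001,
     "client_bytes": b"\x05\x01\x00" + _connect_example, "server_bytes": b"\x05\x00"},
    # TLS ClientHello: not SOCKS
    {"src": "10.10.1.20", "dst": "10.10.1.56", "dport": 443,
     "client_bytes": b"\x16\x03\x01\x00\xc4", "server_bytes": b"\x16\x03\x03"},
    # looks like a greeting, but the "server" picks a method the client never offered
    {"src": "10.10.1.21", "dst": "10.10.1.57", "dport": 4001,
     "client_bytes": b"\x05\x01\x00", "server_bytes": b"\x05\x02"},
]

if __name__ == "__main__":
    for hit in hunt_socks5(SAMPLE_FLOWS):
        print(hit)
```

Feed it the first client and server payload bytes of each TCP stream from your capture tool; the CONNECT destination it extracts is the real target of the relayed traffic, which is the piece an investigator needs when the proxy host itself tells you nothing.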

SystemBC can run several payload types

SystemBC does more than proxy traffic. It can act as a remote execution engine, allowing attackers to push and run additional tools from the C2 server.

The malware can handle EXE files, DLL modules, shellcode, VBS files, BAT files, CMD files, and PowerShell scripts. Some payloads can run directly in memory, which reduces evidence left on disk.

Splunk Security Content describes SystemBC as a stealthy malware strain known for proxy and backdoor capabilities, often used by cybercriminals to facilitate ransomware attacks.

Persistence keeps the backdoor alive

After execution, SystemBC checks whether it already runs from its persistence path. If not, it can copy itself into a randomly named folder and file under ProgramData.

It then creates persistence through Windows scheduled tasks and registry Run keys. This lets the malware relaunch after a reboot or user logon, which helps attackers keep access even if the first process exits.

The same SystemBC malware profile says the malware can write payloads to disk or map them into memory. That flexibility makes file-based detection alone less reliable.

Persistence artifact | Observed behavior | Defender action
ProgramData copy | Random folder and executable names | Hunt for unusual executable creation in ProgramData
Registry Run key | Common value name includes socks5 | Alert on suspicious CurrentVersion Run entries
Scheduled task | Random .job task under Windows Tasks | Review unknown scheduled tasks and task actions
Temporary payloads | Random files in TEMP paths | Monitor script and executable launches from temp folders

Recent research shows SystemBC remains active

SystemBC has not disappeared. In February 2026, Silent Push said its analysts identified more than 10,000 unique infected IP addresses tied to the SystemBC botnet family.

That report said infections were globally distributed, with high concentrations in the United States, Germany, France, Singapore, and India. It also found infections linked to sensitive infrastructure and activity that appeared connected to WordPress exploitation.

Separately, Black Lotus Labs reported in 2025 that a SystemBC-linked botnet had more than 80 command-and-control servers and a daily average of about 1,500 victims. The Black Lotus Labs research said nearly 80% of those victims were compromised VPS systems.

SystemBC also appears in newer ransomware cases

SystemBC keeps appearing in human-operated ransomware investigations. In April 2026, Check Point Research reported that an affiliate of The Gentlemen ransomware-as-a-service operation deployed SystemBC during an incident response case.

The report said SystemBC created SOCKS5 tunnels inside the victim environment and used a custom RC4-encrypted protocol. It also said the malware could download and execute additional payloads either on disk or directly in memory.

These cases show why defenders should treat SystemBC as more than a simple proxy. It can indicate that attackers have moved beyond initial access and now want durable control before data theft or ransomware deployment.

  • SystemBC often appears after initial access has already occurred.
  • It can support hands-on-keyboard activity by ransomware affiliates.
  • It can hide traffic for other malware families.
  • It can help attackers stage tools before encryption.
  • It can keep access available even when other malware gets removed.

Key indicators defenders should watch

Security teams should focus on behavior, not only static signatures. SystemBC changes file names and paths across variants, but its operational patterns remain more consistent.

Look for unexpected SOCKS5 traffic, Tor connections from endpoints that do not normally use Tor, random scheduled tasks, suspicious Run key entries, and executable launches from ProgramData or TEMP folders.

The Splunk SystemBC story recommends detecting the malware through behaviors associated with proxying, backdoor activity, and ransomware enablement rather than relying only on known hashes.

Type | Indicator | Description
IP address | 193.23.244.244 | Tor directory authority embedded in some SystemBC binaries
IP address | 86.59.21.38 | Tor directory authority embedded in some SystemBC binaries
IP address | 199.58.81.140 | Tor directory authority embedded in some SystemBC binaries
IP address | 204.13.164.118 | Tor directory authority embedded in some SystemBC binaries
Registry key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence location, often with a value named socks5
File path | %ProgramData%\[random]\[random].exe | Common self-copy persistence path
File path | C:\Windows\Tasks\[random].job | Scheduled task persistence artifact
DNS domain | ns1.vic.au.dns.opennic[.]glue | Alternate DNS server used by some variants
DNS domain | ns2.vic.au.dns.opennic[.]glue | Alternate DNS server used by some variants

The four IP addresses are public Tor directory authorities, so a legitimate Tor client on a host will contact them as well. Treat a hit as evidence that the endpoint is using Tor, and corroborate it with the host artifacts above before calling it SystemBC.
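The persistence artifacts and the indicator table above translate directly into a hunt. This added example is not the Splunk content or any of the cited reports' code: it scores each host from a stream of telemetry events, weighting the socks5 Run key value highest and the shared Tor directory-authority addresses lowest, so a host that only touched Tor does not fire on its own. The event records use a simplified, constructed shape (one dict per event with a "type" field), not a real Sysmon or EDR schema; the hostnames, paths and the KNOWN_PROGRAMDATA_DIRS allowlist are invented placeholders to map onto your own environment.

```python
"""Hunt SystemBC host and network artifacts in exported telemetry.

Added example, not code from any of the reports quoted above. Event
records are a constructed, simplified log shape, not a real Sysmon or
EDR schema. Indicator values are the ones listed on this page.
"""
import re
from collections import defaultdict

# Tor directory authorities seen embedded in some builds. They are public Tor
# infrastructure, so any Tor client on the host will also reach them: weight a
# hit low and let host artifacts carry the score.
TOR_DIR_AUTHORITIES = {"193.23.244.244", "86.59.21.38", "199.58.81.140", "204.13.164.118"}
OPENNIC_RESOLVERS = {"ns1.vic.au.dns.opennic.glue", "ns2.vic.au.dns.opennic.glue"}

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
PROGRAMDATA_EXE_RE = re.compile(r"^[a-z]:\\ProgramData\\([^\\]+)\\([^\\]+)\.exe$", re.I)
TASK_JOB_RE = re.compile(r"^[a-z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
# Hypothetical allowlist: ProgramData subfolders your software inventory explains.
KNOWN_PROGRAMDATA_DIRS = {"microsoft", "package cache"}


def check_event(ev):
    """Return (weight, reason) for one event, or None if it is uninteresting."""
    t = ev.get("type")
    if t == "registry_set":
        if RUN_KEY_RE.search(ev.get("key", "")):
            if ev.get("value_name", "").lower() == "socks5":
                return 5, "Run key value named socks5 -> %s" % ev.get("data")
            if PROGRAMDATA_EXE_RE.match(ev.get("data", "").strip('"')):
                return 3, "Run key points at ProgramData executable %s" % ev.get("data")
    elif t == "file_create":
        path = ev.get("path", "")
        m = PROGRAMDATA_EXE_RE.match(path)
        if m and m.group(1).lower() not in KNOWN_PROGRAMDATA_DIRS:
            return 3, "executable written to ProgramData: %s" % path
        if TASK_JOB_RE.match(path):
            return 2, "legacy .job scheduled task created: %s" % path
    elif t == "network_connect":
        if ev.get("dst_ip") in TOR_DIR_AUTHORITIES:
            return 2, "connection to Tor directory authority %s" % ev["dst_ip"]
    elif t == "dns_query":
        if ev.get("query", "").lower() in OPENNIC_RESOLVERS:
            return 2, "lookup of OpenNIC resolver name %s" % ev["query"]
    return None


def hunt(events, threshold=5):
    """Aggregate weights per host; return hosts at or above threshold with reasons."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        hit = check_event(ev)
        if hit:
            scores[ev["host"]] += hit[0]
            reasons[ev["host"]].append(hit[1])
    return {h: {"score": s, "reasons": reasons[h]}
            for h, s in scores.items() if s >= threshold}


# Constructed sample telemetry (hosts, paths and names are invented).
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "path": r"C:\ProgramData\kqzxv\lqpwe.exe"},
    {"host": "WS01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "socks5", "data": r"C:\ProgramData\kqzxv\lqpwe.exe"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Windows\Tasks\vmxqz.job"},
    {"host": "WS01", "type": "network_connect", "dst_ip": "193.23.244.244", "dst_port": 443},
    # WS02 only reached a Tor directory authority; its ProgramData write is allowlisted
    {"host": "WS02", "type": "network_connect", "dst_ip": "193.23.244.244", "dst_port": 443},
    {"host": "WS02", "type": "file_create", "path": r"C:\ProgramData\Microsoft\updater.exe"},
    {"host": "SRV01", "type": "dns_query", "query": "ns1.vic.au.dns.opennic.glue"},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result["score"])
        for reason in result["reasons"]:
            print("   ", reason)
```

With the default threshold only WS01 is reported; lowering it to 2 surfaces WS02 and SRV01 as low-confidence leads worth a look at outbound connections, which is the triage order the page's own indicator list suggests.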

How organizations can reduce SystemBC risk

Organizations should reduce the chance that loaders can drop SystemBC in the first place. That means hardening endpoints, blocking risky scripts, restricting administrative privileges, and limiting outbound traffic from workstations and servers.

Network defenders should also monitor internal systems that start acting like proxies. A workstation or domain controller that suddenly relays unusual outbound traffic deserves immediate investigation.

Black Lotus Labs said the SystemBC botnet fed traffic into criminal proxy services and other parts of the cybercrime ecosystem. That makes rapid containment important even before ransomware appears.

  • Block unnecessary outbound SOCKS5 and Tor traffic.
  • Alert on new scheduled tasks with random names.
  • Monitor Run key changes, especially values named socks5 or pointing at executables under ProgramData.
  • Investigate executables launched from ProgramData and TEMP folders.
  • Use EDR rules for in-memory payload execution and script abuse.
  • Segment domain controllers and backup servers from normal workstations.
  • Review proxy logs for unusual internal hosts acting as relays.

What SystemBC activity means during incident response

Finding SystemBC should raise the incident priority. It often means attackers already have access and may be preparing for credential theft, lateral movement, data exfiltration, or ransomware deployment.

Incident responders should isolate affected hosts, collect memory where possible, preserve persistence artifacts, and review outbound connections. They should also check for other tools dropped around the same time, including credential dumpers, remote access tools, and ransomware staging files.

The Check Point case study shows SystemBC's continued use in ransomware affiliate workflows. That makes full network scoping essential, not just malware removal from one endpoint.

Response step | Reason
Isolate the host | Stops the proxy from relaying attacker traffic
Collect memory | May capture in-memory payloads or C2 details
Review persistence | Identifies scheduled tasks and Run key entries
Check lateral movement | Determines whether attackers reached servers or domain controllers
Reset exposed credentials | Reduces the chance of attacker re-entry
Hunt for ransomware staging | Finds preparation activity before encryption begins

The bottom line

SystemBC remains dangerous because it does not need to be flashy. It gives attackers a quiet tunnel, remote execution, and persistence, which are exactly the capabilities ransomware operators need before a major incident.

The malware's long history also makes it easy to underestimate. SystemBC has existed for years, but recent reporting shows it still supports active criminal infrastructure, compromised hosts, and ransomware affiliate activity.

Defenders should treat SystemBC detections as signs of a broader intrusion. Removing the file is not enough. Teams need to hunt for C2 traffic, stolen credentials, remote access tools, lateral movement, and any ransomware preparation that may have followed.

FAQ

What is SystemBC malware?

SystemBC, also known as Coroxy, is a proxy malware and backdoor that turns infected systems into SOCKS5 tunnels. Attackers use it to hide command-and-control traffic, run payloads, and maintain access inside networks.

Why do ransomware groups use SystemBC?

Ransomware groups use SystemBC because it provides covert traffic tunneling, persistence, remote execution, and payload delivery. These capabilities help attackers stay connected while preparing for credential theft, lateral movement, data theft, or encryption.

How does SystemBC maintain persistence?

SystemBC can copy itself into a randomly named ProgramData folder, create scheduled tasks, and add registry Run key entries. These mechanisms let it relaunch after reboots or user logons.

What are common signs of SystemBC infection?

Common signs include unexpected SOCKS5 or Tor traffic, random scheduled tasks, suspicious CurrentVersion Run key entries, executables launched from ProgramData or TEMP folders, and unusual internal systems acting as network proxies.

What should security teams do after finding SystemBC?

Teams should isolate affected hosts, collect memory, preserve persistence artifacts, review outbound connections, reset exposed credentials, and hunt for lateral movement, credential theft, remote access tools, and ransomware staging activity.
