SYSTEMBC
SystemBC is a commodity Windows backdoor, proxy, and remote administration tool (RAT) first observed in 2019 and sold on underground marketplaces. It is widely used as a post-compromise access and tunneling utility in human-operated ransomware intrusions and ransomware-as-a-service operations. Reported core functionality includes SOCKS5 proxying on compromised hosts, loader functionality for downloading and executing additional scripts or executables, and module loading or shellcode execution to extend capabilities in memory. It is used to establish persistent covert access, conceal command-and-control traffic, support rapid lateral movement, automate payload delivery, and in some cases facilitate data exfiltration.
SystemBC has been described as using multiple proxy layers, including SOCKS5 and Tor, for C2 communications, with Tor used to encrypt and conceal traffic. In analyzed samples, it maintains an outbound connection to its C2 server, can assign per-implant SOCKS ports, and can proxy attacker tooling through victim infrastructure. Reported execution capabilities include running EXE files, DLLs, shellcode, VBS scripts, Windows commands, batch scripts, and PowerShell scripts; some payloads are executed from %TEMP% via scheduled tasks, while PE payloads and shellcode may be executed directly in memory. Persistence mechanisms reported in the sources below include scheduled tasks and Registry Run keys. Sophos reporting also noted samples that copy themselves under ProgramData and create scheduled tasks, and that some variants avoid creating a service when Emsisoft a2guard.exe is present.
SystemBC is repeatedly associated with ransomware activity including Ryuk, Egregor, Black Basta, Play, Vice Society, Rhysida, Royal, and operations tracked as FIN12 / DEV-0237 / UNC1878-related activity. It has been observed used alongside Cobalt Strike, Sliver, PsExec, PowerShell Empire, Qakbot, Buer Loader, BazarLoader, Zloader, Qbot, Rclone, AnyDesk, BloodHound, and other post-exploitation tooling. Reported use cases include proxying remote connections inside victim environments, covert tunneling, payload staging and delivery, persistence after initial compromise, and support for ransomware deployment across enterprise networks. Targeting mentioned in the sources below includes healthcare, education, manufacturing, legal, government, technology, industrial organizations, IT, and other enterprise environments.
High-confidence indicators from the sources below include SystemBC C2 servers 91.107.247.163 and 45.86.230.112, associated with The Gentlemen activity; 149.28.197.120 and 149.28.213.157 over TCP port 4177 in ANSSI reporting; 45.32.210.151, linked by ESET to QuadSwitcher activity; and 5.255.99.59, 5.161.136.176, 198.252.98.184, and 194.34.246.90, listed in the Vice Society advisory. Sophos also reported hard-coded domains advertrex20[.]xyz and gentexman37[.]xyz and Tor-related communications involving dannenberg[.]torauth[.]de and tor[.]noreply[.]org. ANSSI reported a sample host.dll located in C:\Users\Public\Music\ with SHA1 8a0743f17110dc945007f08f3e63da166a3937dc.
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories.
multiple ransomware groups, including initial access brokers with ties to Play ransomware operators, are also exploiting three vulnerabilities - CVE-2024-57727 - in remote monitoring and management tool SimpleHelp to conduct remote code execution at many U.S.-based entities
Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Attackers leverage credential theft, lateral movement tools (Cobalt Strike, SystemBC), and social engineering (notably by UNC3944/Scattered Spider) to escalate privileges and deploy Linux-based ESXi encryptors.
We observed the execution of the ProxyLogon exploit. Previous research has observed this threat group leveraging ProxyLogon and ProxyShell vulnerabilities to gain initial access.
Groups observed using it
18 distinct threat actors attributed by public researchers.
Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.
DEV-0237 now uses the SystemBC RAT and the penetration testing framework Sliver in their attacks, replacing Cobalt Strike.
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally.
The attackers used their remote desktop access to execute two backdoors: SystemBC and Cobalt Strike.
Storm-1811 was also observed deploying SystemBC, a post-compromise commodity remote access trojan (RAT) and proxy tool typically used to establish command-and-control communication, establish persistence in a compromised environment, and deploy follow-on malware, notably ransomware.
The campaign, internally dubbed "FortiSync Quasar," revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC.
Attackers leverage credential theft, lateral movement tools (Cobalt Strike, SystemBC), and social engineering (notably by UNC3944/Scattered Spider) to escalate privileges and deploy Linux-based ESXi encryptors.
The attacks are characterized by the use of the SystemBC backdoor for persistence...
"Additional Resources ... SystemBC"; "Exfiltration Over C2 Channel (performed by SystemBC and Rclone)"
"...installed persistence mechanisms using custom tools and a SystemBC implant."
Arctic Wolf has spotted a financially motivated group named Greedy Sponge target organizations in Mexico with malspam that delivers versions of AllaKore RAT and SystemBC.
"Next, the SystemBC malicious proxy was deployed on the domain controller. SystemBC is a SOCKS5 proxy used to conceal malware traffic..."
"First seen in 2019, SystemBC is a proxy and remote administrative tool... favored by actors behind high-profile ransomware campaigns."
SYSTEMBC is a proxy malware that beacons to its C2 and opens new proxy connections between the C2 and remote hosts as indicated by the C2.
SystemBC is a SOCKS5 backdoor with the ability to communicate over Tor.
X-Force links the group to malware developers/operators such as Broomstick, Supper, PortStarter, SystemBC, and Rhysida ransomware, with several dynamic subclusters sharing crypters, malware frameworks, and ransomware variants.
8Base used SystemBC, a proxy/RAT tool, to mask command-and-control traffic.
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
4 techniques
T1583 Acquire Infrastructure
QuadSwitcher acquired infrastructure to host their tooling.
Use of VPS hosted at VULTR as SystemBC C2 servers, and use of port 4177.
T1588.001 Obtain Capabilities: Malware
The Play gang uses SystemBC, a commodity malware for sale.
T1608.001 Stage Capabilities: Upload Malware
The Play gang uploaded its own tooling to a dedicated server to be used during intrusions.
Initial Access
3 techniques
In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.
The program is commonly used for persistent access to a victim network or left behind as a secondary ingress point in case the primary is discovered and remediated.
In the Ryuk attacks we saw with SystemBC, initial compromise came from phishing messages that delivered the Buer Loader malware; other attacks in the same campaign used Bazar or Zloader. The Egregor attacks we saw used another loader dropped by malicious emails—Qbot.
Execution
6 techniques
Vice Society actors have been observed using ... 'living off the land' techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047].
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
SystemBC can parse and execute EXE or DLL data blobs passed over the Tor connection, shellcode, VBS scripts, Windows commands and batch scripts, and PowerShell scripts.
For PowerShell commands, it creates a scheduled task for the script and adds the following command line to make it hidden: '-WindowStyle Hidden -ep bypass -file "'
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution. During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Contagious Interview has utilized VBS scripts to open cmd.exe and run commands to include the go_batch.bat batch file. During FunnyDream, the threat actors used cmd.exe to execute the wmiexec.vbs script. SystemBC has used cmd.exe to execute VBS scripts, BAT scripts and CMD scripts.
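The execution and C2 behaviours quoted in this section and in the summary (PowerShell launched with -WindowStyle Hidden -ep bypass -file, payloads dropped under %TEMP% with random lowercase names and started by a scheduled task, and outbound connections to the reported C2 addresses on TCP port 4177) translate directly into host and network detection logic. What follows is an added example, not code from any of the cited reports or from Mallory: a small Python scanner run over constructed telemetry records. The record shape, the benign control entries, the TEST-NET destination addresses, and the assumption that %TEMP% resolves to the per-user AppData\Local\Temp path are all assumptions of the example; the C2 addresses and port are the ones quoted on this page.

```python
"""Host and network detection heuristics for the SystemBC behaviours quoted on this page,
run over constructed telemetry records. Added example, not code from any cited report."""
import re

# C2 addresses and port quoted on this page (ANSSI, ESET, the Vice Society advisory,
# The Gentlemen reporting). Everything else in this file is constructed for the example.
KNOWN_C2_IPS = {
    "149.28.197.120", "149.28.213.157", "91.107.247.163", "45.86.230.112",
    "45.32.210.151", "5.255.99.59", "5.161.136.176", "198.252.98.184", "194.34.246.90",
}
KNOWN_C2_PORT = 4177

# The PowerShell arguments the reporting says the implant adds to its scheduled task.
HIDDEN_PS_RE = re.compile(r"-WindowStyle\s+Hidden\s+-ep\s+bypass\s+-file\s+", re.I)
# A random lowercase file name dropped under %TEMP%. Assumption: %TEMP% is the default
# per-user AppData\Local\Temp; the name part is deliberately kept case-sensitive.
TEMP_RANDOM_RE = re.compile(
    r"(?i:\\AppData\\Local\\Temp\\)[a-z]{6,16}\.(?i:exe|dll|ps1|vbs|bat|cmd)\b"
)

# Constructed records. "kind" is "process", "schtask" or "netconn".
SAMPLE_EVENTS = [
    {"kind": "process", "image": "powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -ep bypass -file "C:\Users\bob\AppData\Local\Temp\qwtzplmk.ps1"'},
    {"kind": "schtask", "name": r"\Mzwlqkvp",
     "action": r"C:\Users\bob\AppData\Local\Temp\hgtrwqpz.exe"},
    {"kind": "netconn", "dst_ip": "149.28.197.120", "dst_port": 4177},
    {"kind": "netconn", "dst_ip": "203.0.113.5", "dst_port": 4177},   # TEST-NET address, constructed
    {"kind": "process", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},  # benign control
    {"kind": "netconn", "dst_ip": "203.0.113.9", "dst_port": 443},     # benign control
]


def scan(events):
    """Return (rule, detail) pairs. known_systembc_c2 is high confidence; the others are
    behavioural and should be correlated with each other or with a C2 hit before alerting."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if HIDDEN_PS_RE.search(cmd):
                findings.append(("hidden_powershell_bypass", cmd))
            if TEMP_RANDOM_RE.search(cmd):
                findings.append(("temp_random_payload", cmd))
        elif kind == "schtask":
            action = ev.get("action", "")
            if TEMP_RANDOM_RE.search(action) or HIDDEN_PS_RE.search(action):
                findings.append(("schtask_temp_payload", action))
        elif kind == "netconn":
            ip, port = ev["dst_ip"], ev["dst_port"]
            if ip in KNOWN_C2_IPS:
                findings.append(("known_systembc_c2", f"{ip}:{port}"))
            elif port == KNOWN_C2_PORT:
                # Port alone is weak evidence; surface it as a separate, lower-confidence rule.
                findings.append(("systembc_c2_port", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The behavioural rules are split from the IP match on purpose: the reported C2 addresses age quickly, while a hidden PowerShell task running a randomly named script out of %TEMP% is the behaviour that survives infrastructure rotation, so a correlation rule that requires two of the behavioural hits on the same host is the more durable alert.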
Persistence
4 techniques
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.
The program is commonly used for persistent access to a victim network or left behind as a secondary ingress point in case the primary is discovered and remediated.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.
Privilege Escalation
3 techniques
Once the file has been downloaded, the implant saves the file to the %TEMP% directory with a filename consisting of random lowercase characters and the file extension. The implant will set up a scheduled task to run the downloaded file.
In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.
Stealth
4 techniques
The collected data is RC4-encrypted with a hard-coded key before it is sent to the CnC, using a socket connection handled by the malware's mini-tor library and socket APIs.
Since at least February 2020, FIN12 has leveraged a series of in-memory droppers including, MALTSHAKE, ICECANDLE, WHITEDAGGER, WEIRDLOOP, and templates associated with Cobalt Strike's Artifact Kit to deploy various malware payloads.
In some cases, the SystemBC RAT was deployed to servers after the attackers have gained administrative credentials and moved deep into the targeted network.
The implant will download this file directly into memory. It then sets the area of memory via the VirtualProtect Windows API call to executable by passing in 0x40, and then executes it via the CreateThread call... Unlike the loader, the implant does not write the downloaded shellcode file to disk before execution.
Defense Impairment
1 technique
FIN12 has frequently leveraged code-signed payloads in their operations.
Discovery
1 technique
When the bot is executed from the scheduled task, it collects the following information, stores it in a buffer, and sends it to the CnC through the Tor connection: the active Windows user name; the Windows build number for the infected system; a WOW process check (whether the OS on the infected system is 32-bit or 64-bit); and the volume serial number.
Lateral Movement
1 technique
Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.
Collection
1 technique
The attacker began extracting data using SystemBC and Rclone, stealing approximately 1 TB of information within 24 hours.
Command and Control
7 techniques
Play ransomware actors use command-and-control applications such as Cobalt Strike and SystemBC.
FIN12 commonly uses SYSTEMBC malware to proxy remote connections to hosts within victim environments.
The FRP client can be configured to connect to the server through a proxy. The server component of SystemBC has used SOCKS5 for C2 communication. Keydnap uses a copy of tor2web proxy for HTTPS communications.
Its affiliates are increasingly leveraging SystemBC malware, a proxy and backdoor tool often used in human-operated ransomware attacks, to establish covert tunnelling, evade detection, and support rapid lateral movement across enterprise environments.
In order to run a file on a victim machine, a direct URL needs to be submitted to the file in the “LOAD URL” textbox within the “LOADER” page. This will trigger the implant to execute a GET request for file download. The implant can download via both HTTP and HTTPS.
T1132.002 Data Encoding: Non-Standard Encoding
SystemBC employs a custom network protocol.
SystemBC is malicious code available for purchase on cybercriminal forums; it establishes a SOCKS5 tunnel between the compromised machine and the attacker's server.
Exfiltration
1 technique
The attacker began extracting data using SystemBC and Rclone, stealing approximately 1 TB of information within 24 hours.
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
129 sources tracked across advisories, community write-ups, and news.
SystemBC is described as a proxy and backdoor tool used to establish covert tunnelling, evade detection, and support rapid lateral movement in enterprise environments.
SystemBC is referenced in the IoCs as command-and-control infrastructure associated with the activity.
Proxy malware used to create SOCKS5 tunnels, maintain covert access, and support payload delivery and post-exploitation activity during intrusions tied to The Gentlemen.
SOCKS5-based proxy malware and botnet used to covertly deliver ransomware payloads at scale in The Gentlemen operations.