SystemBC is a C-language proxy backdoor first observed in June 2019, originally sold as an underground networking tool. It has since evolved into a critical enabler for ransomware operations, providing encrypted SOCKS5 proxy tunneling and TOR-based command-and-control to groups including Ryuk, Conti, DarkSide (Colonial Pipeline), and Black Basta.
Overview & Evolution
SystemBC was initially marketed on Russian-language cybercrime forums as a "proxy bot" for routing traffic through compromised machines. Its primary function — acting as a SOCKS5 proxy with encrypted communications — made it attractive to operators who needed to tunnel malicious traffic through victim networks without triggering network detection.
As of early 2025, SystemBC maintains 80+ active C2 servers and is deployed to an estimated 1,500 new victims daily. Despite being among the loaders targeted in Operation Endgame (May 2024), its infrastructure has proven remarkably resilient.
- June 2019: First observed as XOR-encrypted proxy bot distributed via exploit kits (RIG, Fallout)
- 2020: Upgraded to RC4 encryption and TOR integration; adopted by Ryuk and Egregor operators
- 2021: Became a standard tool in Conti's playbook; DarkSide used it in the Colonial Pipeline attack
- 2023: DroxiDat lean variant deployed against South African power utility
- 2024-25: New Perl-based Linux variant emerges; survives Operation Endgame disruption
Technical Architecture
Core Functionality
SystemBC runs as a SOCKS5 proxy daemon on the compromised host. Once activated, it opens a SOCKS5 listener and relays the operator's traffic through the victim machine, so that connections appear to originate from inside the target network. This lets the attacker:
- Tunnel C2 traffic through victim infrastructure, masking its true origin (T1090.003)
- Reach internal hosts for lateral movement by routing operator connections through the compromised network (T1090)
- Download and execute additional payloads fetched via TOR hidden services (T1105)
- Keep an RC4-encrypted access channel (T1573.001) that is independent of the primary C2 channel, so the operator retains a foothold if other implants are removed
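The relay described in the list above, shown as a SOCKS5 (RFC 1928) exchange between the operator's client and the proxy running on the victim. This is an added example, not SystemBC's code: the internal addresses (10.0.0.5, dc01.corp.local) and the "reachable" set that stands in for the victim network are constructed for illustration, and nothing here touches a real socket.

```python
"""SOCKS5 (RFC 1928) handshake as exchanged between an operator and a proxy bot.

Added example, not SystemBC's code: it shows the messages a SOCKS5 proxy relays,
using constructed internal addresses.  The "operator" and "bot" sides are plain
functions called in sequence; no network I/O is performed.
"""
from __future__ import annotations
import ipaddress
import struct

VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_greeting(methods=(NO_AUTH,)) -> bytes:
    """Client -> proxy: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods), *methods])


def select_method(greeting: bytes, offered=(NO_AUTH,)) -> bytes:
    """Proxy -> client: VER | METHOD (0xFF = no acceptable method)."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed SOCKS5 greeting")
    for m in greeting[2:]:
        if m in offered:
            return bytes([VER, m])
    return bytes([VER, 0xFF])


def build_connect(host: str, port: int) -> bytes:
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:  # not an IP literal: send as a length-prefixed domain name
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain too long for SOCKS5")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_request(req: bytes) -> tuple[str, int]:
    """Proxy side: recover the destination the client wants relayed."""
    if len(req) < 7 or req[0] != VER or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd:#x}")
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(req[4:8]))
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(req[4:20]))
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        end, host = 5 + n, req[5:5 + n].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(req) != end + 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", req[end:end + 2])[0]


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (REP 0x00 = succeeded)."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_host).packed + struct.pack("!H", bind_port))


def relay_session(target_host: str, target_port: int, reachable: set[tuple[str, int]]) -> int:
    """Walk one CONNECT through both sides and return the proxy's REP code.

    `reachable` is a constructed stand-in for what the bot can reach from inside
    the victim network; 0x05 is RFC 1928's "connection refused".
    """
    greeting = build_greeting()
    if select_method(greeting) != bytes([VER, NO_AUTH]):
        raise RuntimeError("proxy rejected our auth methods")
    host, port = parse_request(build_connect(target_host, target_port))
    rep = 0x00 if (host, port) in reachable else 0x05
    return build_reply(rep)[1]


if __name__ == "__main__":
    internal = {("10.0.0.5", 445), ("dc01.corp.local", 389)}  # constructed victim network
    print("SMB via bot:", hex(relay_session("10.0.0.5", 445, internal)))
    print("LDAP via bot:", hex(relay_session("dc01.corp.local", 389, internal)))
    print("unreachable:", hex(relay_session("10.0.0.99", 22, internal)))
```

The point for defenders is in `parse_request`: the destination the operator wants is carried in clear inside the SOCKS5 request, so a proxy listener that accepts CONNECTs to 445/389/3389 on internal hosts from an unexpected endpoint is visible on the wire even when the outer C2 channel is encrypted.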
Persistence Mechanisms
- Registry Run keys: Adds itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001)
- Scheduled tasks: Creates recurring execution tasks (T1053.005)
- File copy: Drops to %ProgramData% or %APPDATA% with randomized filenames
Encryption & C2 Protocol
SystemBC's C2 protocol uses a layered encryption scheme:
- Layer 1 — XOR encoding: Initial obfuscation of the data stream
- Layer 2 — RC4 encryption: Stream cipher with a hardcoded or configuration-derived key
- Layer 3 — XOR encoding: Additional layer applied after RC4
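The three-layer scheme above, implemented end to end so that an analyst can decode a captured beacon once the RC4 key has been pulled from a sample's configuration. This is an added illustration, not SystemBC's own code: the RC4 key, both XOR keys and the beacon text are constructed for the example and are not real configuration values or captured traffic. It also shows two properties a practitioner should know about: the XOR layers around RC4 collapse into a single keystream (obfuscation, not added strength), and a static key means keystream reuse, so one known beacon exposes the keystream for others.

```python
"""Layered XOR -> RC4 -> XOR stream handling, modelling the C2 scheme described above.

Added illustration, not SystemBC code: RC4_KEY, XOR1, XOR2 and the BEACON_*
strings are constructed for this example and are not real configuration
values or captured traffic.
"""
from __future__ import annotations


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by `length` PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (same operation); the keystream restarts for every message."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wrap(plaintext: bytes, rc4_key: bytes, xor1: bytes, xor2: bytes) -> bytes:
    """Bot side: Layer 1 XOR, then Layer 2 RC4, then Layer 3 XOR."""
    return xor_bytes(rc4(rc4_key, xor_bytes(plaintext, xor1)), xor2)


def unwrap(blob: bytes, rc4_key: bytes, xor1: bytes, xor2: bytes) -> bytes:
    """Analyst side: peel Layer 3, then Layer 2, then Layer 1."""
    return xor_bytes(rc4(rc4_key, xor_bytes(blob, xor2)), xor1)


def effective_keystream(length: int, rc4_key: bytes, xor1: bytes, xor2: bytes) -> bytes:
    """All three layers are XORs, so they collapse into one keystream:
    K_eff[i] = RC4[i] ^ xor1[i % len] ^ xor2[i % len].  The outer XOR layers hide
    the RC4 output from a casual look at the binary; they add no cryptographic
    strength."""
    ks = rc4_keystream(rc4_key, length)
    return bytes(ks[i] ^ xor1[i % len(xor1)] ^ xor2[i % len(xor2)] for i in range(length))


def recover_keystream(blob: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: with a static key every message reuses K_eff, so one
    beacon whose content you know (a hostname, a fixed header) exposes the keystream
    prefix for any other message of that length or shorter."""
    return xor_bytes(blob[:len(known_plaintext)], known_plaintext)


# --- constructed sample values (assumptions for this example only) ---
RC4_KEY = b"example-config-key"    # in practice: extracted from the sample's config block
XOR1 = bytes([0x5A])               # Layer 1: single-byte XOR
XOR2 = bytes([0x1F, 0xA3, 0x77])   # Layer 3: repeating 3-byte XOR
BEACON_1 = b"HOST=WS01;USER=alice;OS=10.0.19045"
BEACON_2 = b"HOST=WS02;USER=bob;OS=10.0.22631"


def decode_capture(blob: bytes) -> dict:
    """Decrypt one captured beacon with the config key and split it into fields."""
    text = unwrap(blob, RC4_KEY, XOR1, XOR2).decode("ascii", errors="replace")
    return dict(kv.split("=", 1) for kv in text.split(";") if "=" in kv)


if __name__ == "__main__":
    blob1 = wrap(BEACON_1, RC4_KEY, XOR1, XOR2)
    blob2 = wrap(BEACON_2, RC4_KEY, XOR1, XOR2)
    print("decoded with config key:", decode_capture(blob1))
    # Keystream reuse: knowing beacon 1 is enough to read the (shorter) beacon 2.
    ks = recover_keystream(blob1, BEACON_1)
    print("recovered via known plaintext:", xor_bytes(blob2, ks[:len(blob2)]))
```

Whether a given build restarts the RC4 keystream per message or keeps one running stream is a per-sample detail to confirm in the disassembly; the example assumes a restart per message, which is the case that makes `recover_keystream` work directly.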
SystemBC bundles a lightweight TOR client (mini-tor) that establishes connections to .onion hidden services for C2 communication. This eliminates the need for TOR Browser on the victim and makes C2 traffic significantly harder to block or intercept.
C2 Communication Flow
- Registration: Beacon sends system info (hostname, IP, OS version, bot ID) to C2
- Task polling: Regularly checks C2 for new commands or payloads
- Proxy activation: C2 instructs bot to open SOCKS5 listener on specified port
- Payload delivery: Downloads and executes additional malware (ransomware, Cobalt Strike, etc.)
DroxiDat Variant (2023)
In early 2023, a lean SystemBC variant dubbed DroxiDat was deployed against a South African critical infrastructure power utility. The attack was attributed to a threat actor with suspected ties to Russian-speaking groups.
DroxiDat represents a streamlined evolution of SystemBC:
- Reduced codebase: Stripped down to core proxy and beacon functionality (~8KB)
- System profiling focus: Collects detailed host information before enabling proxy
- No TOR dependency: Uses direct TCP for C2, reducing footprint
- Potential precursor: Believed to be a reconnaissance/staging implant preceding ransomware deployment
Ransomware Partnerships
| Ransomware | Year | SystemBC Role |
|---|---|---|
| Ryuk | 2020 | Post-exploitation proxy and persistence |
| Egregor | 2020 | Network tunneling during data exfiltration |
| Conti | 2021 | Standard toolkit component; mentioned in leaked playbooks |
| DarkSide | 2021 | Used in Colonial Pipeline attack infrastructure |
| Black Basta | 2022-25 | Primary proxy tool for lateral movement and staging |
| Royal / BlackSuit | 2023-24 | Proxy persistence alongside Cobalt Strike Beacons |
| Play | 2023-24 | Network tunneling during double extortion operations |
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Execution | T1059.003 Windows Command Shell | Command execution via cmd.exe |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Persistence | T1053.005 Scheduled Task | Recurring execution tasks |
| C2 | T1573.001 Encrypted Channel: Symmetric Cryptography | RC4-encrypted C2 communications |
| C2 | T1090.003 Multi-hop Proxy | SOCKS5 proxy through TOR network |
| C2 | T1090 Proxy | SOCKS5 proxy tunneling for operators |
| C2 | T1105 Ingress Tool Transfer | Download additional payloads |
| Discovery | T1082 System Info Discovery | Host profiling sent to C2 |
Linux Variant (2024-2025)
In late 2024, researchers identified a new Perl-based Linux variant of SystemBC, representing a significant platform expansion:
- Written in Perl: Avoids native binary detection; leverages Perl's ubiquity on Linux systems
- Targets VMware ESXi: Designed for hypervisor environments common in enterprise infrastructure
- SOCKS5 functionality preserved: Core proxy capability maintained on Linux
- Cron-based persistence: Uses crontab entries for survival across reboots
Detection & Defense
- TOR traffic detection: Monitor for endpoint connections to IPs in the TOR relay consensus, especially from processes that are not a browser. Note that an embedded TOR client such as mini-tor resolves .onion names inside the TOR circuit rather than via DNS, so .onion DNS queries are a weak indicator for this family; they mostly surface from misconfigured clients
- SOCKS5 anomaly detection: Identify unexpected SOCKS5 proxy listeners on endpoints
- Registry monitoring: Alert on new Run key values, especially HKCU entries whose target lives under %ProgramData% or %APPDATA%
- RC4 traffic patterns: Look for high-entropy traffic to uncommon external IPs on ports where encryption is not expected; a custom RC4 channel has no TLS handshake to fingerprint, so the stream is high-entropy from the first byte
- Named pipe monitoring: SystemBC creates distinctive named pipes for IPC
- YARA rules: Available from Sophos, Proofpoint, and the ESET malware research community
- Network segmentation: Limit proxy capabilities by restricting outbound connections from endpoints
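Three of the checks above (Run key to a staging directory, unexpected SOCKS5 listener, high-entropy non-TLS stream) as detection logic run over constructed sample telemetry. This is an added example, not a vendor rule set or the page's own detections: the Sysmon-style event records, the flow records, the addresses and the payloads are made up for illustration, and the thresholds and the consonant-run heuristic for "randomized" filenames are starting points to tune, not published indicators. The only real-world detail relied on is that Sysmon records HKCU keys under HKU\<SID>, so the Run key match is on the key tail rather than on the hive name.

```python
"""Detection heuristics for the indicators listed above, run over constructed telemetry.

Added example, not a vendor rule set: SAMPLE_EVENTS and SAMPLE_FLOWS are made up,
and the thresholds are tuning starting points, not published indicators.
"""
from __future__ import annotations
import math
import re
from collections import Counter

# Sysmon logs HKCU writes as HKU\<SID>\..., so match the key tail, not the hive name.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STAGING_DIRS = re.compile(r"^[a-z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
SANCTIONED_PROXIES = frozenset()         # (host) pairs allowed to speak SOCKS5; none here
ENCRYPTED_PORTS = {443, 993, 995, 22}    # high entropy is expected here, skip


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_randomized(stem: str) -> bool:
    """Cheap heuristic for generated names: 6+ chars with a run of 4+ consonants.
    Product names rarely have one; replace with a signed-binary allowlist in production."""
    s = stem.lower()
    return len(s) >= 6 and CONSONANT_RUN.search(s) is not None


def first_path(cmdline: str) -> str:
    """Executable path from a Run key value, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def check_run_key(event: dict) -> str | None:
    """Sysmon Event ID 13 (registry value set) on a Run key -> staging dir + random name."""
    if event.get("EventID") != 13 or not RUN_KEY.search(event.get("TargetObject", "")):
        return None
    target = first_path(event.get("Details", ""))
    stem = re.split(r"[\\/]", target)[-1].rsplit(".", 1)[0]
    if STAGING_DIRS.match(target) and looks_randomized(stem):
        return f"T1547.001 Run key -> randomized binary in staging dir: {target}"
    return None


def is_socks5_greeting(payload: bytes) -> bool:
    """RFC 1928 client greeting: VER=0x05, NMETHODS, then exactly NMETHODS method bytes."""
    return len(payload) >= 3 and payload[0] == 0x05 and len(payload) == 2 + payload[1]


def check_flow(flow: dict) -> str | None:
    """First-packet checks: SOCKS5 greeting to a non-sanctioned host, or a high-entropy
    stream on a port where no TLS handshake would explain it."""
    p = flow["payload"]
    if is_socks5_greeting(p) and flow["dst"] not in SANCTIONED_PROXIES:
        return f"unexpected SOCKS5 listener: {flow['dst']}:{flow['dport']}"
    if len(p) >= 256 and flow["dport"] not in ENCRYPTED_PORTS:
        h = shannon_entropy(p)
        if h > 7.0:
            return f"high-entropy non-TLS stream to {flow['dst']}:{flow['dport']} ({h:.2f} bits/byte)"
    return None


# --- constructed sample telemetry ---
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\hjkwsdfa",
     "Details": r"C:\ProgramData\hjkwsdfa\hjkwsdfa.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.5.23", "dst": "10.0.5.41", "dport": 4145, "payload": b"\x05\x01\x00"},
    {"src": "10.0.5.23", "dst": "203.0.113.9", "dport": 8080, "payload": bytes(range(256)) * 2},
    {"src": "10.0.5.23", "dst": "10.0.0.8", "dport": 80, "payload": b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"},
]


def run_detections(events: list[dict], flows: list[dict]) -> list[str]:
    hits = [h for h in (check_run_key(e) for e in events) if h]
    hits += [h for h in (check_flow(f) for f in flows) if h]
    return hits


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(hit)
```

The OneDrive event is there on purpose: it lives under %APPDATA% and writes a Run key, which is exactly why location alone is not a rule; the name heuristic (or, better, an allowlist of signed binaries) is what keeps it quiet.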
Detect & Disrupt Proxy-Based Threats
Mjolnir Security specializes in detecting proxy-based backdoors and ransomware precursor activity before encryption begins.
- Ransomware Precursor Detection: Proactive identification of SystemBC, Cobalt Strike, and other pre-ransomware tools before the data exfiltration and encryption stages begin.
- Network Traffic Analysis: Deep inspection of encrypted proxy traffic, TOR connections, and anomalous SOCKS5 activity within your environment.
- 24/7 Incident Response: Rapid containment when proxy-based backdoors are detected. Call +1 833 403 5875.