A cyberattack tool that quietly turns victim computers into tunnels for criminal traffic has been gaining ground across enterprise networks. Security researchers have linked it to some of the most destructive ransomware operations in recent years.
Known as SystemBC, this malware helps threat actors maintain a hidden foothold inside targeted systems while routing harmful traffic through unsuspecting hosts.
SystemBC, also tracked under the alias Coroxy, is a Windows malware that works as a SOCKS5 proxy, a backdoor, and a remote access tool all in one.
It was first observed around 2018 and 2019 when it appeared as a payload delivered by the RIG and Fallout exploit kits. Since then, it has become a widely available weapon sold on underground forums and adopted by dozens of criminal groups.
Analysts at Picus identified SystemBC as a persistent backdoor and proxy that turns infected machines into traffic tunnels while executing commands, scripts, and binaries from an attacker-controlled server, according to a report shared with Cyber Security News (CSN).
The malware has been linked to ransomware families including Ryuk, Egregor, Conti, BlackBasta, Play, and Rhysida, cementing its role in some of the most damaging intrusions of recent years.
What makes SystemBC especially dangerous is how easily it blends into normal network traffic. Because it routes other malware’s communications through infected hosts, defenders often cannot tell these connections apart from legitimate activity.
This stealth capability has made it a preferred choice for ransomware operators who need to move quietly before delivering a destructive payload.
The malware is frequently paired with loaders like Buer, QBot, and Emotet to gain initial access before SystemBC is deployed deeper.
Once in place, it gives attackers a reliable channel to push tools, run scripts, and maintain persistent control. Its small footprint and modular design make it effective across both small business and large enterprise environments.
Hackers Use SystemBC Malware
At its core, SystemBC establishes an encrypted connection to a command-and-control server, tunneling traffic through victims in ways that evade standard detection.
Earlier builds used raw TCP and SOCKS5 protocols, but newer versions have shifted toward Tor using a client that resembles the open-source mini-tor library. This shift makes detection harder since Tor traffic blends into normal activity on many systems.
The malware embeds known Tor directory-authority gateway addresses directly in its binary, including 193.23.244.244, 86.59.21.38, 199.58.81.140, and 204.13.164.118.
When contacting its C2 server, SystemBC sends a 100-byte packet where the first 50 bytes hold a plaintext RC4 key and the remaining 50 carry RC4-encrypted host and user details. This makes it considerably harder for analysts to interpret what the malware is transmitting.
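The check-in layout described above (a 100-byte packet, 50-byte plaintext RC4 key followed by 50 bytes of RC4-encrypted host and user details) means an analyst with nothing but a packet capture can recover the body, because the key is sent in the clear. The following decoder is an added example written for this article, not code from Picus or from the malware itself. It assumes a textbook RC4 and, for the constructed test packet only, a NUL-separated "hostname\0username" layout inside the 50-byte body; the article does not specify that internal layout.

```python
import os
from typing import Optional

PACKET_LEN = 100  # total check-in size stated in the article
KEY_LEN = 50      # first 50 bytes: plaintext RC4 key; last 50: RC4-encrypted body


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(packet: bytes) -> dict:
    """Split a captured 100-byte check-in into its key and decrypted body.

    Trailing NUL padding is stripped; the body is returned as raw bytes because
    the article does not document its internal field layout.
    """
    if len(packet) != PACKET_LEN:
        raise ValueError(f"expected a {PACKET_LEN}-byte beacon, got {len(packet)}")
    key = packet[:KEY_LEN]
    body = rc4(key, packet[KEY_LEN:])
    return {"key": key, "body": body.rstrip(b"\x00")}


def make_sample_beacon(hostname: str, username: str, key: Optional[bytes] = None) -> bytes:
    """Constructed test vector (assumed 'host\\0user' body layout) so the decoder can run offline."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    body = (hostname.encode() + b"\x00" + username.encode()).ljust(KEY_LEN, b"\x00")
    if len(body) != KEY_LEN:
        raise ValueError("host/user details do not fit in the 50-byte body")
    return key + rc4(key, body)


if __name__ == "__main__":
    pkt = make_sample_beacon("LAB-WS01", "analyst")  # constructed sample values
    fields = decode_beacon(pkt)
    host, user = fields["body"].split(b"\x00", 1)
    print(f"key={fields['key'].hex()} host={host.decode()} user={user.decode()}")
```

In practice the first 50 bytes of the first client-to-server payload after the TCP handshake are the key; feeding that 100-byte slice from a pcap into `decode_beacon` is enough to confirm a host is checking in, which is a cheaper confirmation than waiting for a binary to be recovered from disk.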
Beyond proxying, SystemBC operates as a remote execution engine capable of running EXE files, DLL modules, shellcode, VBS, BAT, CMD, and PowerShell scripts delivered from C2.
It can also execute payloads directly in memory without writing files to disk, reducing the forensic evidence left on any compromised host.
Persistence Techniques and Attack Flow
SystemBC rarely arrives as the first tool in an intrusion. It is typically dropped after a loader gains access, then pushed further into the network once attackers have gathered credentials and lateral movement capability.
In one documented case, it was placed on a domain controller during a Ryuk ransomware attack, handing operators remote control over the most critical server.
Once executed, the malware checks if it is already running and, if not, copies itself into a randomly named folder under ProgramData. It registers as both a scheduled task and a registry Run key entry, creating two persistence layers that survive reboots.
Security teams should watch for random-named scheduled tasks, unexpected CurrentVersion Run registry entries, and anomalous outbound Tor or SOCKS5 traffic.
Behavior-based detection is strongly recommended over signature scanning alone, since SystemBC’s in-memory execution and randomized file naming can bypass traditional antivirus tools.
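The three hunting signals listed above (random-named scheduled tasks, unexpected CurrentVersion Run entries, and outbound Tor or SOCKS5 traffic) can be combined into one triage pass over endpoint and network telemetry. The script below is an added example for this article, not Picus or SystemBC code; it runs over constructed sample data standing in for exported Run-key values, `C:\Windows\Tasks` listings, connection logs and DNS logs, and uses the IoC values from the table at the end of the article. The "random name" test is a crude entropy heuristic and will produce false positives; treat its hits as leads, not verdicts.

```python
import math
import re
from collections import Counter

# Indicators taken from the article's IoC table (not invented here)
TOR_DIR_AUTHORITY_IPS = {"193.23.244.244", "86.59.21.38", "199.58.81.140", "204.13.164.118"}
OPENNIC_DNS_SERVERS = {"ns1.vic.au.dns.opennic.glue", "ns2.vic.au.dns.opennic.glue"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUE_NAME = "socks5"

# Constructed sample telemetry from a hypothetical workstation (not real data)
RUN_KEY_VALUES = [  # (value name, value data) exported from RUN_KEY
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("socks5", r"C:\ProgramData\qzkxtwpm\hfjdkrta.exe"),
]
TASK_FILES = [
    r"C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job",
    r"C:\Windows\Tasks\hfjdkrta.job",
]
NET_EVENTS = [  # outbound TCP connections; 203.0.113.10 is an RFC 5737 filler address
    {"dst": "203.0.113.10", "port": 443},
    {"dst": "193.23.244.244", "port": 443},
]
DNS_EVENTS = [  # resolver used and name queried
    {"server": "10.0.0.53", "query": "login.microsoftonline.com"},
    {"server": "ns1.vic.au.dns.opennic.glue", "query": "example.bit"},
]


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(token: str) -> bool:
    """Heuristic for the 'random-named' artifacts described in the article:
    a lowercase alphanumeric blob of 6-16 chars with fairly high entropy."""
    return bool(re.fullmatch(r"[a-z0-9]{6,16}", token)) and shannon_entropy(token) >= 2.5


def check_run_keys(values):
    findings = []
    for name, data in values:
        path = data.split(maxsplit=1)[0]  # assumes the executable path carries no spaces
        m = re.match(r"(?i)^(?:%programdata%|c:\\programdata)\\([^\\]+)\\([^\\]+)\.exe$", path)
        if name.lower() == KNOWN_RUN_VALUE_NAME:
            findings.append(f"{RUN_KEY} value name '{name}' matches SystemBC IoC")
        if m and looks_random(m.group(1)) and looks_random(m.group(2)):
            findings.append(f"Run value '{name}' points to random-named ProgramData path {path}")
    return findings


def check_task_files(paths):
    findings = []
    for p in paths:
        m = re.match(r"(?i)^c:\\windows\\tasks\\([^\\]+)\.job$", p)
        if m and looks_random(m.group(1)):
            findings.append(f"random-named legacy .job task file {p}")
    return findings


def check_network(net_events, dns_events):
    findings = []
    for e in net_events:
        if e["dst"] in TOR_DIR_AUTHORITY_IPS:
            findings.append(f"outbound connection to Tor directory authority {e['dst']}:{e['port']}")
    for e in dns_events:
        if e["server"].lower() in OPENNIC_DNS_SERVERS or e["query"].lower().endswith(".bit"):
            findings.append(f"DNS query {e['query']} via {e['server']} (OpenNIC/.bit resolution)")
    return findings


def hunt():
    """Run all three checks over the constructed telemetry and return the findings."""
    return (check_run_keys(RUN_KEY_VALUES)
            + check_task_files(TASK_FILES)
            + check_network(NET_EVENTS, DNS_EVENTS))


if __name__ == "__main__":
    for line in hunt():
        print("[!]", line)
```

Two caveats matter when tuning this. The directory-authority addresses are legitimate Tor infrastructure, so any Tor client on the network will touch them; that signal is only meaningful when correlated with the host artifacts. Likewise, the OpenNIC servers are public resolvers, so a `.bit` query through them is the stronger indicator, not the resolver alone. `.job` files under `C:\Windows\Tasks` are the legacy task format; modern tasks are stored under `C:\Windows\System32\Tasks`, which a real hunt should enumerate as well.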
Simulating these attack techniques in your own environment remains one of the most practical ways to find security gaps before attackers do.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 193.23.244.244 | Tor directory-authority gateway embedded in SystemBC binary |
| IP Address | 86.59.21.38 | Tor directory-authority gateway embedded in SystemBC binary |
| IP Address | 199.58.81.140 | Tor directory-authority gateway embedded in SystemBC binary |
| IP Address | 204.13.164.118 | Tor directory-authority gateway embedded in SystemBC binary |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | SystemBC persistence registry Run key (value name: socks5) |
| File Path | %ProgramData%\[random]\[random].exe | SystemBC self-copy persistence path |
| File Path | C:\Windows\Tasks\[random].job | Scheduled task file created by SystemBC for persistence |
| File Path | %TEMP%\[random].exe | Temporary location used by SystemBC when deploying payloads |
| DNS Domain | ns1.vic.au.dns.opennic[.]glue | Alternate DNS server used by SystemBC for .bit domain resolution |
| DNS Domain | ns2.vic.au.dns.opennic[.]glue | Alternate DNS server used by SystemBC for .bit domain resolution |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.