Security researchers at Silent Push identified more than 10,000 unique IPs infected with SystemBC, a proxy malware commonly used as an early foothold in ransomware attacks.
Using a custom SystemBC tracking fingerprint, analysts mapped a globally distributed botnet that includes compromised systems supporting government infrastructure.
“SystemBC proxies traffic through compromised systems and acts as a backdoor to maintain external access to infected internal networks,” said the researchers.
Understanding SystemBC’s Role in Intrusions
SystemBC is not a niche or short-lived threat, but a durable malware family that has become a recurring component in modern intrusion chains.
First documented in 2019, SystemBC — also tracked as Coroxy or DroxiDat — has consistently appeared in early-stage compromises, where it is used to establish covert access and enable follow-on activity.
Its inclusion in Europol’s multi-year Operation Endgame underscores SystemBC’s long-standing association with ransomware campaigns and large-scale network intrusions.
Unlike traditional malware focused on data theft or encryption, SystemBC is designed to function as an infrastructure layer.
Once deployed, it converts infected systems into SOCKS5 proxies, allowing attackers to route traffic through compromised hosts.
This capability enables adversaries to anonymize their operations, bypass network restrictions, and maintain persistent access to internal environments.
By functioning as a covert relay instead of a payload with immediate, visible impact, SystemBC can remain largely unnoticed while enabling additional malware deployment and hands-on-keyboard attacker activity.
SystemBC is a multi-platform proxy malware that encapsulates SOCKS5 traffic using a custom binary protocol combined with RC4 encryption.
This design helps obscure malicious communications and makes detection more difficult.
Rather than waiting for inbound connections, which are often blocked by firewalls or network address translation, SystemBC relies on a backconnect architecture.
Infected hosts initiate outbound connections to attacker-controlled command-and-control (C2) servers, which then relay external traffic back through the compromised systems.
This approach lets attackers reach internal or otherwise unreachable networks through the infected host, amplifying the impact of an initial compromise.
Silent Push researchers also identified a previously undocumented variant written in Perl that targets Linux systems, marking a notable evolution in the malware’s capabilities.
At the time of analysis, this variant had zero detections across major antivirus engines, indicating limited prior visibility.
The associated dropper was unusually aggressive, recursively scanning for writable directories and deploying hundreds of embedded payloads, including both ELF and Perl-based SystemBC components.
Additional artifacts observed in the Linux variant, including Russian-language strings, align with earlier reporting that suggests Russian-language development activity.
The campaign remains active in the wild.
Mitigating Risk From SystemBC
SystemBC is commonly used early in intrusion chains and often indicates the potential for additional malicious activity rather than an isolated infection.
Treating it as a routine malware issue may allow attackers to retain access, move laterally, or stage subsequent actions.
An effective response focuses on timely investigation, containment, and understanding how affected systems are being leveraged.
- Treat detection of SystemBC as a high-severity security event and prioritize immediate investigation rather than routine malware cleanup.
- Monitor for abnormal SOCKS5 proxy activity, long-lived outbound connections, and traffic patterns consistent with backconnect architectures.
- Restrict outbound proxy protocols and enforce egress filtering to prevent unauthorized external communications from servers and workloads.
- Isolate affected systems and investigate for follow-on malware, credential access, or lateral movement activity.
- Apply least-privilege controls to servers, services, and cloud workloads to prevent compromised systems from being repurposed as proxy infrastructure.
- Increase monitoring and scrutiny for infrastructure hosted with abuse-tolerant providers or linked to known malicious ASNs.
- Test incident response plans for pre-ransomware scenarios, ensuring teams can contain proxy-based threats before encryption or data theft occurs.
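The monitoring and egress-filtering steps above can be turned into a concrete triage rule. The following is an added example (not code from Silent Push or from this article) that scores constructed Zeek-style connection records for the backconnect pattern the article describes: a server holding a long-lived outbound session to an unapproved external host, with traffic volume roughly symmetric in both directions as relayed traffic tends to be. The subnet, allowlist and thresholds are assumptions to be tuned per environment.

```python
import ipaddress

# Constructed sample connection records in Zeek conn.log-like form (not real data):
# (src_ip, dst_ip, dst_port, duration_seconds, bytes_sent, bytes_received)
SAMPLE_CONNECTIONS = [
    ("10.1.5.20", "198.51.100.20", 443, 12.0, 4_200, 180_000),              # workstation browsing
    ("10.1.8.9", "203.0.113.45", 4000, 14_400.0, 950_000_000, 910_000_000),  # server, 4h external session
    ("10.1.8.9", "10.1.8.50", 22, 9_000.0, 2_000_000_000, 50_000),          # approved internal backup
    ("10.1.8.11", "203.0.113.7", 1080, 45.0, 30_000, 28_000),               # server to external SOCKS port
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVER_SUBNETS = [ipaddress.ip_network("10.1.8.0/24")]   # assumed server VLAN
ALLOWED_EGRESS = {("10.1.8.9", "10.1.8.50")}             # assumed allowlisted (src, dst) pairs
LONG_LIVED_SECONDS = 3600      # backconnect sessions typically stay up for hours
RELAY_MIN_BYTES = 1_000_000    # ignore symmetric but tiny keepalive chatter
SOCKS_PORTS = {1080, 1081}     # conventional SOCKS ports; a weak indicator on its own

def is_external(ip: str) -> bool:
    """True for any address outside the RFC 1918 internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def is_server(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVER_SUBNETS)

def connection_reasons(rec) -> list:
    """Return the heuristic indicators that match one connection record."""
    src, dst, port, duration, sent, received = rec
    reasons = []
    if is_external(dst) and duration >= LONG_LIVED_SECONDS:
        reasons.append("long_lived_outbound")
    if is_server(src) and is_external(dst) and (src, dst) not in ALLOWED_EGRESS:
        reasons.append("unapproved_server_egress")
    if sent + received >= RELAY_MIN_BYTES and min(sent, received) / max(sent, received) >= 0.5:
        reasons.append("symmetric_relay_volume")   # relayed traffic flows both ways
    if port in SOCKS_PORTS:
        reasons.append("socks_port")
    return reasons

def find_backconnect_candidates(records, min_reasons: int = 2):
    """Flag connections matching at least `min_reasons` indicators; returns (src, dst, reasons)."""
    return [(r[0], r[1], connection_reasons(r)) for r in records
            if len(connection_reasons(r)) >= min_reasons]

if __name__ == "__main__":
    for src, dst, reasons in find_backconnect_candidates(SAMPLE_CONNECTIONS):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

Hits with several indicators (the four-hour symmetric server session) deserve the high-severity handling the first bullet calls for; a lone unapproved egress to a SOCKS port is a lower-confidence lead to confirm against the egress allowlist.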
Collectively, these steps help limit the blast radius of a SystemBC infection while strengthening organizational resilience against downstream ransomware and network intrusion activity.
Hidden Risk of Proxy Malware
The scope and continued use of SystemBC show how proxy malware remains a common early component of ransomware and intrusion campaigns.
Because tools like SystemBC are designed to quietly establish access and support follow-on activity, treating them as low-priority infections can leave organizations exposed.
This pattern is driving organizations to adopt zero-trust solutions that assume initial compromise and focus on limiting access and containment from the start.
