SystemBC is a malware family offered as malware-as-a-service (MaaS) that is used to establish command and control and to facilitate follow-on activity, including ransomware deployment. SystemBC performs a variety of tasks, including setting up SOCKS5 proxies, maintaining persistence, retrieving malicious files, and handling C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020 and by FIN7 since at least 2022.[1][2][3][4][5]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | SystemBC has collected the Windows account username on the victim machine.[2] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | SystemBC has used DNS servers to resolve .bit domains to C2 infrastructure.[8] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SystemBC has used hidden scheduled tasks to execute PowerShell commands by adding the following: |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SystemBC has used |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | SystemBC has leveraged VBScript to execute malicious code.[2] |
| Enterprise | T1001 | Data Obfuscation | SystemBC has encoded its beacon with XOR and encrypted it with RC4.[5] |
| Enterprise | T1678 | Delay Execution | SystemBC has leveraged the Sleep functions before and after commands to ensure execution, using the hexadecimal values within commands to include |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SystemBC has the ability to decrypt RC4-encrypted packets and to decode obfuscated data before C2 communication.[4] Additionally, SystemBC has decrypted its config file, which was encoded with XOR and a hardcoded 40-byte key.[5] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1480 | Execution Guardrails | SystemBC has checked whether DNS server names end in .bit before initializing C2 communication.[8] SystemBC has identified running processes associated with anti-virus solutions, including |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | SystemBC has utilized the |
| Enterprise | T1105 | Ingress Tool Transfer | SystemBC has downloaded additional files for execution on the victim's machine.[2][1] The server component of SystemBC has the ability to send additional files to victim machines.[1] |
| Enterprise | T1106 | Native API | SystemBC has utilized native Windows API functions such as |
| Enterprise | T1095 | Non-Application Layer Protocol | SystemBC has used raw TCP on non-standard ports, such as 4044, for C2 communications and for HTTP communications, including downloading binaries.[2][4] |
| Enterprise | T1571 | Non-Standard Port | The server component of SystemBC has used various TCP ports for C2 communication.[1] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | SystemBC has used multiple proxy layers, such as SOCKS5 and Tor, for C2 communication.[8][2][1][3] SystemBC has also leveraged Tor to encrypt and conceal C2 traffic.[2] The server component of SystemBC has used SOCKS5 for C2 communication.[1] |
| Enterprise | T1620 | Reflective Code Loading | SystemBC has downloaded a text file into memory, set the protection of that memory region via the VirtualProtect call, and then executed the file via the CreateThread call.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SystemBC has executed a copy of itself as a scheduled task with the |
| Enterprise | T1082 | System Information Discovery | SystemBC has collected the username, build number, and serial number, then sent the information to the C2 server.[2][4] SystemBC has also gathered the device name, operating system, and processor type.[8] |
| Enterprise | T1124 | System Time Discovery | SystemBC has leveraged the time of the device to create a text file with a filename that uses the function of |
| ID | Name | References |
|---|---|---|
| G0102 | Wizard Spider | |
| G0117 | Fox Kitten | |
| G0046 | FIN7 | |