{ "id": "e01a066b-e3dc-4d32-b6a1-8daea14baa99", "created_at": "2026-04-06T00:11:01.907087Z", "updated_at": "2026-04-10T03:35:42.348321Z", "deleted_at": null, "sha1_hash": "3df115517485d8114780ed16f4fd83d7f314032a", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48794, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:21:56 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SystemBC\n Tool: SystemBC\nNames\nSystemBC\nCoroxy\nDroxiDat\nCategory Malware\nType Backdoor, Tunneling\nDescription\n(Sophos) First seen in 2019, SystemBC is a proxy and remote administrative tool, named by\nresearchers after the string in the URI its control panel used. It acts both as a network proxy for\nconcealed communications and as a remote administration tool (RAT)—capable of executing\nWindows commands, and delivering and executing scripts, malicious executables and dynamic\nlink libraries (DLLs). After being dropped by other malware, it provides attackers with a\npersistent backdoor.\nWhile SystemBC has been around for over a year, we’ve seen both its use and its features\ncontinue to evolve. The most recent samples of SystemBC carry code that, instead of acting\nessentially as a virtual private network via a SOCKS5 proxy, uses the Tor anonymizing\nnetwork to encrypt and conceal the destination of command and control traffic.\nInformation\nMalpedia Last change to this tool card: 06 March 2024\nDownload this tool card in JSON format\nAll groups using tool SystemBC\nChanged Name Country Observed\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dd23b5ad-bb56-45fb-9376-dc12ba4147bb\nPage 1 of 2\n\nAPT groups\r\n  Sprite Spider, Gold Dupont [Unknown] 2015-Nov 2022  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dd23b5ad-bb56-45fb-9376-dc12ba4147bb\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dd23b5ad-bb56-45fb-9376-dc12ba4147bb\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=dd23b5ad-bb56-45fb-9376-dc12ba4147bb" ], "report_names": [ "listgroups.cgi?u=dd23b5ad-bb56-45fb-9376-dc12ba4147bb" ], "threat_actors": [ { "id": "27e51b73-410e-4a33-93a1-49cf8a743cf7", "created_at": "2023-01-06T13:46:39.210675Z", "updated_at": "2026-04-10T02:00:03.247656Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "SPRITE SPIDER" ], "source_name": "MISPGALAXY:GOLD DUPONT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368", "created_at": "2022-10-25T16:07:24.225216Z", "updated_at": "2026-04-10T02:00:04.904162Z", "deleted_at": null, "main_name": "Sprite Spider", "aliases": [ "Gold Dupont", "Sprite Spider" ], "source_name": "ETDA:Sprite Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Coroxy", "Defray 2018", "Defray777", "DroxiDat", "Glushkov", "LaZagne", "Metasploit", "PyXie", "PyXie RAT", "Ransom X", "RansomExx", "SharpHound", "Shifu", "SystemBC", "Target777", "Vatet", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "07775b09-acd9-498e-895f-f10063115629", "created_at": "2024-06-04T02:03:07.817613Z", "updated_at": "2026-04-10T02:00:03.650268Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "Sprite Spider ", "Storm-2460 " ], "source_name": "Secureworks:GOLD DUPONT", "tools": [ "777", "ArtifactExx", "Cobalt Strike", "Defray", "Metasploit", "PipeMagic", "PyXie", "Shifu", "SystemBC", "Vatet" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434261, "ts_updated_at": 1775792142, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3df115517485d8114780ed16f4fd83d7f314032a.pdf", "text": "https://archive.orkl.eu/3df115517485d8114780ed16f4fd83d7f314032a.txt", "img": "https://archive.orkl.eu/3df115517485d8114780ed16f4fd83d7f314032a.jpg" } }