{
	"id": "0aaf1772-5f10-4c30-a3e2-a874584d9b66",
	"created_at": "2026-04-06T01:31:25.782764Z",
	"updated_at": "2026-04-10T03:20:32.771956Z",
	"deleted_at": null,
	"sha1_hash": "fad689fa56ba40b0b9d3b5e42d5c2efc69a41b81",
	"title": "SystemBC: The Multipurpose Proxy Bot Still Breathes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1219768,
	"plain_text": "SystemBC: The Multipurpose Proxy Bot Still Breathes\r\nBy João Batista\r\nPublished: 2022-09-21 · Archived: 2026-04-06 00:43:37 UTC\r\nSystemBC is malware written in C that turns infected computers into SOCKS5 proxies. The bot communicates with the command and control server using a custom binary protocol over TCP and uses RC4 encryption. This malware has evolved its capabilities since it was documented by Proofpoint [1] back in 2019, and now it can also download and run additional files. Moreover, this malware can target both Windows and Linux platforms.\r\nSystemBC is sold on underground marketplaces, and after completing the purchase, the buyer receives an archive containing the bot executable, the command and control (C2) server executable, and a PHP admin panel.\r\nFigure 1. Archive contents\r\nThe main capability of SystemBC is to turn the infected computers into SOCKS5 proxies. Since most bots are not reachable from the internet, this malware uses a backconnect architecture that allows clients to use the proxies (infected computers) through the backconnect (C2) server without ever needing to interact directly with them. In practice, for each infected computer that connects to the backconnect (C2) server, the server opens a new TCP port that will accept the SOCKS5 traffic from clients. That traffic is wrapped inside SystemBC's communications protocol and forwarded to the infected computer, which unwraps the traffic, sends it to the destination, and sends the response back to the backconnect (C2) server, which finally forwards that response back to the client that initiated the communication.\r\nhttps://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes\r\nPage 1 of 6\r\nFigure 2. SystemBC backconnect architecture\r\nThere are a couple of variants of SystemBC with some differences in the bot capabilities. All variants turn the infected computer into a SOCKS5 proxy and can perform self-updates, but the more complete variant of SystemBC also presents the following capabilities:\r\nSupport for C2 communications over TOR\r\nCheck for the Emsisoft Anti-Malware process (a2guard.exe)\r\nDownload and execute executable files (.exe and .dll)\r\nDownload and execute shellcode\r\nDownload and execute batch scripts (.cmd and .bat)\r\nDownload and execute PowerShell scripts (.ps1)\r\nDownload and execute Visual Basic scripts (.vbs)\r\nSeveral threat actors leveraged SystemBC to maintain a foothold within a company's network and launch additional post-exploitation tools. In some panels, we could find tasks showing that SystemBC was used to push CobaltStrike [2] and PoshC2 [3].\r\nFigure 3. Tasks issued to an infected machine\r\nFigure 4. Tasks issued to an infected machine\r\nWhen the downloaded file is a DLL, SystemBC maps it into its own memory space and creates a new thread to execute the entry point, meaning that the DLL file does not touch the disk. Similarly, to download and run files containing shellcode, SystemBC allocates memory inside its process memory and creates a new thread to start the execution.\r\nAll other types of files are downloaded and saved to disk under the C:\\Windows\\Temp directory with a random name and executed using scheduled tasks. The tasks registered to run the PowerShell files will launch powershell.exe with the following command line:\r\n-WindowStyle Hidden -ep bypass -file “\u003cDOWNLOADED POWERSHELL FILE\u003e”.\r\nWhile the usage of this malware has declined among threat actors, our telemetry via sinkholes and active command and control (C2) servers still reveals a significant number of infected systems. Since early August, Bitsight has observed over 56,000 unique IP addresses infected with SystemBC.\r\nFigure 5. Daily infections observed by Bitsight\r\nThe geographic distribution reveals the wide impact of SystemBC around the world. Countries like India, Indonesia, Pakistan, Thailand, Brazil, United States, Egypt, Philippines, Algeria and Turkey are in the top 10 of the most affected countries, representing around 58% of the total number of infections observed.\r\nFigure 6. Geographic distribution of infected systems\r\nSystemBC is an interesting piece of malware that can be leveraged differently depending on the threat actor's goals. Sometimes infected computers are only used to send traffic, but they can also be instructed to download and run post-exploitation tools such as CobaltStrike. While the usage of this malware has decreased compared to the previous years, we continue to see significant numbers of victims all over the world.\r\n[1] https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits\r\n[2] https://www.cobaltstrike.com/\r\n[3] https://github.com/nettitude/PoshC2/\r\nBackconnect (C2) servers observed since early August:\r\n193.106.191[.]168\r\n188.127.224[.]46\r\n45.10.42[.]221\r\n193.106.191[.]184\r\n193.106.191[.]185\r\n185.215.113[.]105\r\n188.214.129[.]3\r\n139.144.79[.]152\r\n45.66.248[.]209\r\n89.22.225[.]242\r\n195.62.53[.]253\r\n20.115.47[.]118\r\n92.53.90[.]84\r\n152.89.198[.]73\r\n194.36.177[.]46\r\n162.33.179[.]100\r\nUpdated list available at the following URL:\r\nhttps://raw.githubusercontent.com/bitsight-research/threat_research/main/systembc/c2.txt\r\nSource: https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitsight.com/blog/systembc-multipurpose-proxy-bot-still-breathes"
	],
	"report_names": [
		"systembc-multipurpose-proxy-bot-still-breathes"
	],
	"threat_actors": [],
	"ts_created_at": 1775439085,
	"ts_updated_at": 1775791232,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fad689fa56ba40b0b9d3b5e42d5c2efc69a41b81.pdf",
		"text": "https://archive.orkl.eu/fad689fa56ba40b0b9d3b5e42d5c2efc69a41b81.txt",
		"img": "https://archive.orkl.eu/fad689fa56ba40b0b9d3b5e42d5c2efc69a41b81.jpg"
	}
}