S9001: SystemBC
SystemBC is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment. SystemBC executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handling C2 communication. SystemBC was first detected in 2018, and has been used by Wizard Spider since at least 2020, and by FIN7 since at least 2022.[1][2][3][4][5]
Analyst context for executives and security teams
SystemBC matters because it is positioned as a malware-as-a-service family for command and control, proxying, persistence, file ingestion, and follow-on activity including ransomware deployment. For leaders, the key risk is not only the malware itself, but its role as infrastructure that can let an intruder maintain access, move traffic through SOCKS5 or other proxy paths, and stage additional tools on Windows or Linux systems.
Executive priority
Prioritize SystemBC as a resilience and incident-readiness concern: if it is present, assume the organization may be dealing with an access-maintenance and follow-on deployment capability, not a single isolated payload. Executives should ask whether network egress controls, endpoint telemetry, DNS visibility, scheduled task monitoring, and incident response playbooks can prove containment across both Windows and Linux. The relationships to FIN7, Wizard Spider, and Fox Kitten increase intelligence relevance, but local evidence is required before drawing attribution or exposure conclusions.
Technical view
SOC and IR teams should validate coverage across the behaviors ATT&CK relates to this malware: command-and-control obfuscation, DNS-based communication, multi-hop proxying, non-application-layer communication, non-standard ports, symmetric cryptography, ingress tool transfer, scheduled task persistence, command execution through PowerShell, Windows command shell, Visual Basic, and native APIs, plus discovery of processes, system information, local accounts, and system time. Because ATT&CK provides no official detection text for S9001, detection engineering should be behavior-led rather than signature-only, with emphasis on correlating unusual outbound network patterns with new persistence, script execution, file transfer, and host discovery activity.
Likely telemetry
- Endpoint process creation and command-line telemetry on Windows and Linux
- PowerShell, Windows command shell, and script execution logs where available
- Windows Scheduled Task creation, modification, and execution events
- DNS query and response logs, including unusual domains, frequency, and client patterns
- Network flow, proxy, firewall, and egress logs showing non-standard ports, SOCKS-like behavior, or unusual protocol/port pairings
Detection direction
- Build detections around chained behaviors: new or unusual persistence followed by discovery, outbound C2-like traffic, proxy behavior, and tool ingress is more meaningful than any single event.
- Validate DNS and egress monitoring, especially where DNS is allowed broadly or before network authentication; these are common blind spots for C2 visibility.
- Tune scheduled task and shell detections to distinguish legitimate administration from suspicious task creation, hidden execution, or uncommon parent-child process relationships.
- Review non-standard port and protocol use, but account for business applications that legitimately use alternate ports to reduce false positives.
- Correlate encrypted or obfuscated outbound traffic with endpoint behaviors because symmetric cryptography or data obfuscation may limit content inspection.
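As an added illustration of the chained-behavior approach above (example code written for this page, not from ATT&CK or Glexia), the following correlator flags a host only when two or more of the behaviors listed in the techniques table, such as scheduled task creation, hidden PowerShell with `-WindowStyle Hidden -ep bypass -file`, and raw TCP to port 4044, occur within a short window. The event schema (`type`, `host`, `ts`, `image`, `cmdline`, `dport`) and the sample events are constructed assumptions, not any product's real telemetry format.

```python
"""Chained-behavior correlation for SystemBC-style activity (added example)."""
import re
from datetime import datetime, timedelta

# Indicators taken from the techniques table on this page; the event field names
# below are assumptions for this example, not a real EDR/SIEM schema.
HIDDEN_PS = re.compile(r"-WindowStyle\s+Hidden.*-ep\s+bypass.*-file", re.I)
SUSPECT_PORTS = {4044}            # raw TCP port cited for SystemBC C2 (T1095)
WINDOW = timedelta(minutes=30)    # how close the behaviors must be to each other

def classify(ev):
    """Map one event to a behavior label, or None if it is not of interest."""
    if ev["type"] == "task_created":
        return "persistence:scheduled_task"
    if (ev["type"] == "process" and ev["image"].lower().endswith("powershell.exe")
            and HIDDEN_PS.search(ev["cmdline"])):
        return "execution:hidden_powershell"
    if ev["type"] == "netconn" and ev["dport"] in SUSPECT_PORTS:
        return "c2:non_standard_port"
    return None

def correlate(events, min_behaviors=2):
    """Return {host: sorted labels} for hosts showing at least min_behaviors
    distinct labels inside one WINDOW. Events may arrive out of order."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label:
            hits.setdefault(ev["host"], []).append((ev["ts"], label))
    flagged = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):          # slide the window start
            labels = {lbl for t, lbl in seq[i:] if t - t0 <= WINDOW}
            if len(labels) >= min_behaviors:
                flagged[host] = sorted(labels)
                break
    return flagged

def T(s):
    return datetime.fromisoformat(s)

SAMPLE = [  # constructed events, not real telemetry
    {"ts": T("2025-01-10T09:00:00"), "host": "ws01", "type": "task_created", "name": "Updater"},
    {"ts": T("2025-01-10T09:00:05"), "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ep bypass -file C:\Users\Public\u.ps1"},
    {"ts": T("2025-01-10T09:00:09"), "host": "ws01", "type": "netconn", "dport": 4044, "dst": "203.0.113.7"},
    {"ts": T("2025-01-10T11:00:00"), "host": "ws02", "type": "task_created", "name": "Backup"},
    {"ts": T("2025-01-10T13:30:00"), "host": "ws02", "type": "netconn", "dport": 4044, "dst": "203.0.113.7"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))   # ws01 is flagged; ws02's two events are hours apart
```

Host ws02 shows the same two event types as ws01 but hours apart, so it is not flagged; tune `WINDOW` and `min_behaviors` to the environment's false-positive tolerance.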
Mitigation priorities
- Restrict and monitor outbound network access so endpoints cannot freely establish arbitrary external C2, proxy, DNS, or non-standard-port communications.
- Harden persistence paths, including Windows Scheduled Tasks, with monitoring, least privilege, and change review.
- Apply least privilege and administrative control over scripting and shell usage, especially PowerShell, command shell, Visual Basic, and native execution paths where feasible.
- Ensure endpoint protection and logging are deployed consistently across Windows and Linux assets in scope.
- Maintain incident response procedures for rapid host isolation, credential review, persistence removal, and scoping of follow-on file transfers.
Analyst notes and limits
ATT&CK describes SystemBC as MaaS malware used for C2, SOCKS5 proxying, persistence, malicious file ingestion, and follow-on activity including ransomware deployment. The object is related to multiple C2, execution, discovery, persistence, and stealth techniques, and to FIN7, Wizard Spider, and Fox Kitten usage relationships. The strongest defensive value is validating whether the environment can see the combination of proxy/C2 activity, persistence, discovery, and tool transfer across Windows and Linux.
MITRE provides no official detection text for this object, and the object’s own tactics are not specified. This take therefore uses the supplied description, external references, and relationship context only. It does not assert active exploitation, attribution in any specific incident, customer exposure, or guaranteed detection coverage.
SystemBC
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | |
| Enterprise | T1059.001 | PowerShell (sub-technique) | SystemBC has used hidden scheduled tasks to execute PowerShell commands with the arguments `-WindowStyle Hidden -ep bypass -file` followed by the script path. [2] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SystemBC has used `cmd.exe` to execute VBS, BAT, and CMD scripts. [2] |
| Enterprise | T1087.001 | Local Account (sub-technique) | SystemBC has collected the Windows account username on the victim machine. [2] |
| Enterprise | T1124 | System Time Discovery | SystemBC has used the device's time to create a text file whose filename is generated by `uniqid(time()).'.txt'`, consisting of the 10-character UNIX timestamp and 13 hexadecimal characters. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1106 | Native API | SystemBC has used native Windows API functions such as `EnumWindows` and `GetVolumeInformationA` during discovery activities. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1001 | Data Obfuscation | SystemBC has XOR-encoded and RC4-encrypted its beacon. [5] |
| Enterprise | T1071.004 | DNS (sub-technique) | SystemBC has used DNS servers to resolve .bit domains to C2 infrastructure. [HarmonProofpoint_SystemBC_Aug2019] |
| Enterprise | T1571 | Non-Standard Port | The server component of SystemBC has used various TCP ports for C2 communication. [1] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | SystemBC has used `-WindowStyle Hidden -ep bypass -file` to conceal PowerShell windows. [2] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1090.003 | Multi-hop Proxy (sub-technique) | SystemBC has used multiple proxy layers, such as SOCKS5 and Tor, for C2 communication. [HarmonProofpoint_SystemBC_Aug2019][2][1][3] SystemBC has also used Tor to encrypt and conceal C2 traffic. [2] The server component of SystemBC has used SOCKS5 for C2 communication. [1] |
| Enterprise | T1480 | Execution Guardrails | SystemBC has checked whether DNS server names end in .bit before initializing C2 communication. [HarmonProofpoint_SystemBC_Aug2019] SystemBC has looked for running processes associated with anti-virus solutions, including `a2guard.exe`, to decide whether to execute. [2] |
| Enterprise | T1057 | Process Discovery | SystemBC has the ability to enumerate running processes. [2] |
| Enterprise | T1620 | Reflective Code Loading | |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SystemBC has encrypted its C2 traffic with RC4. [HarmonProofpoint_SystemBC_Aug2019][2] |
| Enterprise | T1678 | Delay Execution | SystemBC has called Sleep before and after commands, using hexadecimal millisecond values embedded in the commands, such as `Sleep(0x2710u)` (10 seconds) and `Sleep(0xEA60u)` (60 seconds). [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | SystemBC has used raw TCP on non-standard ports, such as 4044, for C2 communications and for HTTP communications, including downloading binaries. [2][4] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | SystemBC has used VBScript to execute malicious code. [2] |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0117: Fox Kitten
Fox Kitten is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. Fox Kitten has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.[1][2][3][4]
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 47c0e31b8714… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrumanKroll_SYSTEMBCServer_Jan2024: Truman, D. (2024, January 19). Inside the SYSTEMBC Command-and-Control Server. Retrieved June 18, 2025.
- [2] SophosGnGal_SystemBC_Dec2020: Gallagher, S., Gn, S. (2020, December 16). Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor. Retrieved May 16, 2025.
- [3] BlackBasta: Antonio Cocomazzi and Antonio Pirozzi. (2022, November 3). Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor. Retrieved March 14, 2023.
- [4] AhnLab_SystemBC_Apr2022: AhnLab. (2022, April 4). SystemBC Being Used by Various Attackers. Retrieved June 18, 2025.
- [5] Lumen_SystemBC_Sept2025: Black Lotus Labs. (2025, September 18). SystemBC: Bringing the noise. Retrieved December 15, 2025.
- [6] Broadcom_SystemBCCoroxy_Nov2023: Broadcom. (2023, November 17). SystemBC (Coroxy) continuous activities. Retrieved December 15, 2025.
- [7] Coroxy: alias entry; see [3] BlackBasta, [6] Broadcom_SystemBCCoroxy_Nov2023, and [8] Microsoft_Coroxy_Oct2020.
- [8] Microsoft_Coroxy_Oct2020: Microsoft Security Intelligence. (2020, October 30). Backdoor:Win32/Coroxy.A. Retrieved December 15, 2025.
- [9] mitre-attack: S9001 (MITRE ATT&CK source record).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.