SystemBC Malware Unleashed: 1,570+ Corporate Networks Compromised via The Gentlemen Ransomware Affiliate + Video

By /

Listen to this Post

Featured Image

Introduction:

SystemBC is a multi-platform proxy malware that transforms infected systems into SOCKS5 proxies, enabling ransomware affiliates to anonymize their command-and-control (C2) traffic while maintaining persistent backdoor access. In a recent incident, a SystemBC C2 server linked to The Gentlemen ransomware operation was discovered containing telemetry on over 1,570 compromised hosts—primarily corporate environments in the US, UK, and Germany—demonstrating how modern RaaS (Ransomware-as-a-Service) groups are leveraging proxy botnets to scale their attacks.

Learning Objectives:

  • Understand SystemBC’s SOCKS5 proxy architecture and RC4-encrypted C2 communication
  • Identify indicators of compromise (IOCs) across Linux and Windows environments
  • Implement detection and containment measures for proxy-based ransomware staging infrastructure

You Should Know:

  1. SystemBC Malware Overview: SOCKS5 Proxy & Backconnect Architecture

SystemBC (also tracked as “Coroxy” or “DroxiDat”) is a long-running malware family first documented in 2019. Its primary function is to turn compromised systems into SOCKS5 proxies, allowing attackers to route malicious traffic through infected hosts while masking their true infrastructure. The malware uses a backconnect architecture: infected systems initiate outbound connections to the C2 server, which then relays external traffic back through the proxy. This design bypasses inbound firewall restrictions and enables persistent, covert access.

Technical Capabilities

  • Multi-platform: Windows, Linux (including a newly discovered Perl variant), NAS, BSD
  • Encrypted C2: Uses a custom binary protocol over TCP with RC4 encryption
  • Payload delivery: Can download and execute additional malware either to disk or directly into memory
  • Persistence mechanisms: Scheduled tasks, registry modifications, and WMI event subscriptions

Windows Detection Commands (Run as Administrator)

 Check for suspicious scheduled tasks (common SystemBC persistence)
schtasks /query /fo LIST /v | findstr /i "systembc"

Search registry for unusual proxy-related keys
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

List active network connections on atypical SOCKS5 ports (1080, 9050, etc.)
netstat -ano | findstr :1080

Check for PowerShell-based SystemBC variants (often memory-resident)
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Message -match "SystemBC|SOCKS5|proxy"}

Linux Detection Commands

 Check for unusual outbound connections on common proxy ports
sudo netstat -tunap | grep -E ':1080|:9050|:9150'

Search for SystemBC-related processes
ps aux | grep -iE "systembc|coroxy|droxidat"

Examine scheduled cron jobs for persistence
crontab -l 2>/dev/null
sudo cat /etc/crontab

Look for Perl-based SystemBC variant (recently observed)
find / -name ".pl" -exec grep -l "SystemBC|SOCKS5" {} \;
  1. The Gentlemen Ransomware: RaaS Evolution & Attack Chain

The Gentlemen ransomware-as-a-service operation emerged around mid-2025 and has rapidly expanded, claiming over 320 victims—240 of which occurred in early 2026. Affiliates are provided with multi-platform lockers: a Go-based encryptor for Windows, Linux, NAS, and BSD, plus a C-based locker for ESXi hypervisors. The group maintains an onion site for victim shaming and uses Tox (P2P encrypted messaging) for negotiations.

Observed Attack Chain

  1. Initial access: Unclear vector, but likely phishing, exploit kits, or stolen RDP credentials
  2. Domain compromise: Attacker gains Domain Admin privileges on a Domain Controller
  3. Lateral movement: Use of Cobalt Strike, PsExec, and RPC to move laterally
  4. Credential harvesting: Mimikatz used to extract domain credentials
  5. Defense evasion: EDR-killing tools and disabling of security controls
  6. SystemBC deployment: Proxy malware installed for covert C2 tunneling and payload staging
  7. Encryption: Ransomware deployed via Group Policy for near-simultaneous execution

Network Traffic Analysis (Wireshark/TCPDump)

 Capture traffic on suspicious ports
sudo tcpdump -i eth0 port 1080 or port 9050 or port 9150 -n

Look for RC4-encrypted custom protocol (identifiable by low entropy payloads)
sudo tcpdump -i eth0 -A | grep -i "systembc"

Monitor for backconnect patterns (outbound to known malicious IPs)
sudo tcpdump -i eth0 'tcp[bash] & 2 != 0' -n  SYN-ACK packets

3. SystemBC C2 Infrastructure & Bulletproof Hosting

The SystemBC botnet leverages resilient hosting providers to maintain operations despite law enforcement efforts. Silent Push identified C2 infrastructure on bthoster[.]com and AS213790 (BTCloud), known for “bulletproof” services that ignore abuse complaints. SystemBC has been active for years, surviving Europol’s Operation Endgame in May 2024. Recent findings show the malware infecting 1,500 commercial VPS instances daily.

IOCs for Blocklisting

 Known malicious IP ranges (based on Silent Push research)
- 45.14.49.0/24
- 185.174.137.0/24

Suspicious domains associated with SystemBC
- bthoster[.]com
- btcloud[.]ru

Registry keys for geofencing (SystemBC checks country code)
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Windows scheduled task names observed in the wild
- "SystemBCUpdate"
- "ProxyHelper"
- "CoroxyTask"

Firewall Rules (Windows Defender Firewall with Advanced Security)

 Block outbound connections to known malicious IPs
New-NetFirewallRule -DisplayName "Block SystemBC C2" -Direction Outbound -RemoteAddress 45.14.49.0/24,185.174.137.0/24 -Action Block

Restrict outbound proxy protocols (SOCKS5 default ports)
New-NetFirewallRule -DisplayName "Block SOCKS5 Outbound" -Direction Outbound -Protocol TCP -RemotePort 1080,9050,9150 -Action Block

Enable logging for blocked connections
Set-NetFirewallProfile -All -LogBlocked True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
  1. Detection & Evasion: EDR Bypass and Memory-Only Execution

SystemBC variants have evolved to evade endpoint detection. The PowerShell version can execute entirely in memory, leaving minimal forensic artifacts. Researchers observed a case where an EDR failed to flag the PowerShell-based SystemBC backdoor running via a malicious scheduled task.

Advanced Detection (Sysmon + PowerShell Logging)

 Enable PowerShell Script Block Logging (Group Policy or registry)
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f

Install Sysmon with custom config (requires Sysmon64.exe)
sysmon64.exe -accepteula -i sysmon_config.xml

Hunt for process injection (EventID 8)
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Id -eq 8}

Detect creation of suspicious scheduled tasks (EventID 4698)
Get-WinEvent -LogName Security | Where-Object {$<em>.Id -eq 4698 -and $</em>.Message -match "SystemBC"}

Linux EDR Evasion Patterns

 SystemBC Perl variant scans recursively for writable directories
sudo auditctl -w /var/tmp -p wa -k systembc_activity
sudo auditctl -w /dev/shm -p wa -k systembc_activity

Monitor for suspicious ELF payload drops
inotifywait -m -e create /tmp /var/tmp /dev/shm | grep -iE ".elf|.bin"

Check for LD_PRELOAD hooking (common evasion)
sudo grep -r "LD_PRELOAD" /proc//environ 2>/dev/null

5. Mitigation & Incident Response: Containment Playbook

SystemBC infections indicate a high-severity security event requiring immediate investigation—not routine malware cleanup. The presence of proxy malware often signals that a human-operated intrusion is in progress, with ransomware deployment likely imminent.

Immediate Containment Steps

  1. Isolate affected systems: Disable network interfaces or move to quarantine VLAN
  2. Block C2 outbound traffic: Implement firewall rules for known IOCs
  3. Revoke compromised credentials: Force password reset for all domain accounts
  4. Disable scheduled tasks: Remove any SystemBC-related tasks immediately

Post-Containment Forensic Collection

 Collect PowerShell history (Windows)
copy %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt .\forensics\

Capture running processes and network state
tasklist /v > running_processes.txt
netstat -anob > network_connections.txt

Extract registry persistence keys
reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .\run_keys.reg
reg export HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run .\run_keys_currentuser.reg

Collect Windows Event Logs (Security, System, PowerShell)
wevtutil epl Security .\Security.evtx
wevtutil epl System .\System.evtx
wevtutil epl "Microsoft-Windows-PowerShell/Operational" .\PowerShell.evtx

 Linux forensic collection
 Capture network connections
ss -tunap > netstat.txt

Extract cron jobs
crontab -l > crontab_user.txt
cat /etc/crontab > crontab_system.txt

Collect bash history
cat ~/.bash_history > bash_history.txt

Search for SystemBC files
find / -name "systembc" -o -name "coroxy" -o -name "droxidat" 2>/dev/null

6. Long-Term Hardening: Preventing Proxy Malware Deployment

To reduce the risk of SystemBC and similar proxy-based threats, organizations should implement egress filtering, restrict outbound proxy protocols, and enforce application whitelisting.

Windows Group Policy Hardening

 Block PowerShell execution from temporary directories
Set-ExecutionPolicy -ExecutionPolicy Restricted -Scope LocalMachine

Enable Windows Defender Application Guard
Add-WindowsCapability -Online -Name "Microsoft.Windows.AppGuard" -ErrorAction SilentlyContinue

Configure AppLocker rules to prevent execution from %TEMP%
New-AppLockerPolicy -RuleType Exe -User Everyone -Path %TEMP%\ -Action Deny

Linux Hardening (AppArmor/Seccomp)

 Install and configure AppArmor
sudo apt install apparmor-utils
sudo aa-enforce /etc/apparmor.d/

Block execution from world-writable directories
mount -o noexec,remount /tmp
mount -o noexec,remount /var/tmp
mount -o noexec,remount /dev/shm

Restrict cron jobs to authorized users
echo "ALL" > /etc/cron.deny
echo "root" > /etc/cron.allow

Network-Level Defenses

  • Implement TLS inspection to detect RC4-encrypted custom protocols
  • Deploy IDS/IPS signatures for SystemBC C2 beaconing patterns
  • Use DNS sinkholing for known malicious domains

What Undercode Say:

  • Proxy malware is the new battleground: Attackers increasingly rely on SOCKS5 proxies to anonymize C2 traffic, shifting focus from ransomware payloads to the infrastructure enabling them.
  • Corporate networks are prime targets: Over 1,570 corporate victims indicate a deliberate focus on enterprise environments, where SystemBC can pivot to critical systems and cause maximum disruption.
  • Defense requires layered visibility: Traditional antivirus alone fails against memory-resident PowerShell variants—organizations must deploy Sysmon, PowerShell logging, and network anomaly detection.

Prediction:

The integration of SystemBC into RaaS affiliate toolkits signals a maturation of the cybercrime ecosystem, where proxy botnets become a commodity service. Expect to see more ransomware groups adopting similar “infrastructure-as-a-service” models, leading to increased attack velocity and harder-to-trace campaigns. Law enforcement takedowns will face diminishing returns as attackers shift to abuse-tolerant hosting and multi-platform variants (including emerging Linux/Perl strains). Organizations must prioritize egress filtering, memory forensics, and rapid incident response to counter this evolving threat.

▶️ Related Video (84% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Hackermohitkumar Ransomware – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: