TL-2026-0101 HIGH 2026-02-22 Threat Analysis

SystemBC Malware Resurges — SOCKS5 Proxy Backdoor Powering 10+ Ransomware Families

Threadlinqs Intelligence 7 min
systembcsocks5-proxyransomwaremaaslockbitblack-bastacobalt-strikedroxidatfin12rem-proxy

Threat ID: TL-2026-0101 | Severity: HIGH | Status: ACTIVE

Actor: Multiple (Commodity MaaS — FIN12, UNC4393, Pistachio Tempest) | Motivation: FINANCIAL

MITRE Techniques: 30 | Detections: 9

SystemBC is back — and it brought friends. LockBit, Cobalt Strike, and SOCKS5 tunnels across enterprise networks.

This commoditized SOCKS5 proxy backdoor has operated continuously since 2017, surviving Europol's Operation Endgame in May 2024 and maintaining infrastructure across 80+ command-and-control servers with approximately 1,500 daily active infections. Lumen Black Lotus Labs' September 2025 analysis revealed the botnet has pivoted from residential targets to compromised VPS infrastructure — 80% of current victims are commercial hosting servers — making it the most widely adopted tunneling platform in the ransomware affiliate ecosystem. SOCKS5 proxy. Full tunnel. Game over. What follows is SystemBC's architecture, its integration with 10+ RaaS families, and 9 production-ready detection queries targeting the proxy establishment, persistence mechanisms, and C2 beacon patterns that precede ransomware deployment.

Lumen Black Lotus Labs research on SystemBC proxy bot evolution — 'Bringing the Noise' — documenting its role in modern ransomware affiliate operations. Lumen Black Lotus Labs research on SystemBC proxy bot evolution — 'Bringing the Noise' — documenting its role in modern ransomware affiliate operations.

Executive Summary

Technical Analysis

SystemBC operates as a three-component platform. The C2 web server runs a monolithic PHP admin panel on port 4000 with per-victim SOCKS5 port management, RFC 1929 authentication, and IP-based access control. The C2 proxy listener manages SOCKS5 tunnels that enable victim network pivoting without direct attacker-to-victim connections. The backdoor payload ships as Windows EXE, DLL, and a Linux variant — a dual-platform capability that distinguishes it from most commodity malware. Our tracking of this threat across the platform shows it is one of the most resilient pieces of infrastructure in the ransomware ecosystem.

Communication uses a custom protocol with triple-layer encryption: XOR encoding with a hardcoded 40-byte key wrapping RC4 encryption. The initial beacon is distinctive — 40-byte key followed by 10 bytes of padding and an encrypted payload starting with 0xffff plus 48 null bytes. Each sample decrypts its embedded C2 configuration at runtime.

Beyond proxy functionality, SystemBC includes a loader capability that downloads and executes files via scheduled tasks (the parent process becomes svchost.exe for AV evasion) and supports fileless shellcode injection via VirtualProtect + CreateThread, enabling in-memory execution of Meterpreter and other frameworks with no disk artifacts.

Three Faces of SystemBC

The Proxy — The core capability. Infected hosts become SOCKS5 exit nodes, enabling ransomware affiliates to route lateral movement traffic through victim infrastructure. The backconnect architecture means clients use proxies through the C2 server without ever interacting directly with compromised hosts. Lumen Black Lotus Labs documented these proxies serving multiple criminal networks: at least two Russian proxy services, one Vietnamese proxy service, and a Russian parsing service.

The Loader — Downloaded payloads land in %TEMP% with random 19-character lowercase filenames, executing via one-time scheduled tasks that use svchost.exe as parent to evade process-tree analysis.

The Injector — Fileless execution path: shellcode downloaded from C2 is written directly to memory, VirtualProtect sets PAGE_EXECUTE_READWRITE (0x40), and CreateThread executes the payload — no disk artifact, no file hash to detect.

Known Staging Artifacts

SystemBC uses consistent filenames and directories across campaigns documented by Kroll, Kaspersky, and DFIR Report:

TypeArtifactContext
EXEsyscheck.exe, hos.exe, host.exe, hostt.exeWindows dropper/implant
DLLsvch.dll, svcpost.dll, svchoct.dllDLL variant loaded via rundll32/regsvr32
DirectoryC:\perflogs\, %TEMP%Staging paths
RegistryHKCU\...\Run value socks5Persistence pointing to hidden PowerShell
WindowClass: Microsoft, Text: win32appMutex equivalent — present in all variants

The Ransomware Affiliate Swiss Knife

SystemBC's role in the ransomware ecosystem is infrastructure, not encryption. It provides the tunneling layer that allows operators to hop boxes through victim networks after initial access, appearing as internal traffic. Old technique. Still effective. Documented integration spans the full spectrum of RaaS operations:

Tier 1 (Confirmed by multiple sources): LockBit (DFIR Report, 2025), Black Basta (Mandiant M-Trends 2025, Rapid7), Conti, Ryuk (Sophos, 2020)

Tier 2 (Single-source confirmation): Akira, Nokoyawa, 8Base, Rhysida, BlackSuit, RansomHub, DarkSide/Colonial Pipeline context

ANSSI's FIN12 report documents SystemBC deployment across 8+ RaaS families by a single affiliate group, confirming it is vendor-neutral tooling — the same implant serves whichever RaaS the affiliate is operating under.

DroxiDat — The Critical Infrastructure Variant

In March 2023, Kaspersky detected an 8KB compact SystemBC variant dubbed DroxiDat targeting a South African power utility. DroxiDat retains system profiling (hostname, username, local IP, volume serial number), SOCKS5 proxy establishment, and RC4/XOR encrypted C2 communication. It was paired with Cobalt Strike beacons, with low-confidence attribution to FIN12/Pistachio Tempest. The targeting of critical infrastructure with a stripped-down variant represents the most concerning evolution of SystemBC from commodity crime tool to potential state-adjacent capability. What caught our attention was the 8KB footprint — that is not commodity code, that is purpose-built.

The DFIR Report documenting a full intrusion chain — Cobalt Strike beacons with SOCKS proxy pivoting through SystemBC leading to LockBit ransomware deployment. The DFIR Report documenting a full intrusion chain — Cobalt Strike beacons with SOCKS proxy pivoting through SystemBC leading to LockBit ransomware deployment.

Detection

Threadlinqs Intelligence provides 9 production-ready detection rules targeting SystemBC's persistence mechanisms, proxy establishment, C2 beacon patterns, and lateral movement indicators. The detection strategy prioritizes the pre-encryption window — SystemBC deployment typically precedes ransomware execution by hours to days. Catch the proxy, kill the chain. Based on platform data, the SOCKS5 handshake and the socks5 registry value are the two most reliable signals.

Splunk SPL — SOCKS5 Proxy on Non-Standard Ports

This SPL query hunts for the SOCKS5 handshake pattern (version byte 0x05) on high-numbered ports. SystemBC C2 assigns per-victim dynamic ports, making static port blocking ineffective — so we target the protocol signature instead.

SPLindex= sourcetype IN ("bro:conn:json", "pan:traffic", "stream:tcp")
| where dest_port > 10000 AND dest_port < 65535
| where NOT cidrmatch("10.0.0.0/8", dest_ip)
    AND NOT cidrmatch("172.16.0.0/12", dest_ip)
    AND NOT cidrmatch("192.168.0.0/16", dest_ip)
| where bytes_out < 500 AND bytes_in > 5000
| stats count, avg(duration) as avg_duration, dc(dest_port) as port_count
    by src_ip, dest_ip
| where count > 50 AND avg_duration > 300 AND port_count < 5
| sort -count
Long-lived connections with small outbound and large inbound payload asymmetry to high-numbered external ports are the signature pattern. Legitimate SOCKS5 usage (SSH tunnels, corporate proxy clients) should be baselined and excluded.

Splunk SPL — SystemBC Shellcode Injection Pattern

Catching the fileless execution chain here: VirtualProtect with PAGE_EXECUTE_READWRITE followed by CreateThread from processes executing out of SystemBC staging directories. No disk artifact. No file hash. Just memory. 
SPLindex= sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where match(ParentImage, "(?i)(perflogs|\\\\Temp\\\\)")
| where match(Image, "(?i)(svchost\.exe|rundll32\.exe)")
| eval is_suspicious_parent=if(match(ParentImage, "(?i)(syscheck|hos\.exe|host\.exe|hostt\.exe|svch\.dll|svcpost\.dll)"), 1, 0)
| where is_suspicious_parent=1
    OR match(CommandLine, "(?i)(VirtualProtect|CreateThread|PAGE_EXECUTE)")
| stats count by _time, ComputerName, User, ParentImage, Image, CommandLine
| sort -_time
Processes in C:\perflogs\ or %TEMP% spawning svchost.exe or rundll32.exe with memory manipulation API calls in the chain are noisy — inherently suspicious with very low false positive rates.

Microsoft KQL — SystemBC Persistence Detection

Here we target the documented persistence mechanisms: registry Run key with value name socks5 pointing to hidden PowerShell execution, and scheduled tasks with random lowercase names executing from staging directories. 
KQLlet systembc_persistence = union
    (DeviceRegistryEvents
    | where Timestamp > ago(30d)
    | where RegistryKey has @"CurrentVersion\Run"
    | where RegistryValueName =~ "socks5"
        or RegistryValueData has_any ("perflogs", "hos.exe", "host.exe", "hostt.exe",
            "powershell.exe -windowstyle hidden")
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName,
        RegistryValueData, InitiatingProcessFileName),
    (DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName == "schtasks.exe"
    | where ProcessCommandLine has_any (@"\perflogs\", @"\Temp\")
    | where ProcessCommandLine matches regex @"/tn\s+[a-z]{15,25}"
    | project Timestamp, DeviceName, FileName, ProcessCommandLine,
        InitiatingProcessFileName);
systembc_persistence
| sort by Timestamp desc
The socks5 registry value name is extremely specific to SystemBC — DroxiDat variants create this exact entry running powershell.exe -windowstyle hidden -Command c:\perflogs\hos.exe.

Sigma — SystemBC Dropper Execution

This Sigma rule covers known SystemBC filenames, staging directories, and execution patterns documented across DarkSide, Egregor, Ryuk, and DroxiDat campaigns. 
SIGMAtitle: SystemBC Dropper Execution — Known Filenames and Staging Directories
id: b3d4e7a1-6c9f-48e2-a5b3-2d1f8c7e4a90
status: experimental
description: |
    Detects SystemBC implant execution via known filenames and staging paths
    documented across LockBit, Black Basta, Conti, Ryuk, and DroxiDat campaigns.
references:
    - https://intel.threadlinqs.com/#TL-2026-0101
    - https://blog.lumen.com/systembc-bringing-the-noise/
    - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1053.005
    - attack.t1547.001
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_filenames:
        Image|endswith:
            - '\syscheck.exe'
            - '\hos.exe'
            - '\host.exe'
            - '\hostt.exe'
    selection_dll:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'svch.dll'
            - 'svcpost.dll'
            - 'svchoct.dll'
    selection_staging:
        Image|contains:
            - '\perflogs\'
        Image|endswith:
            - '.exe'
            - '.dll'
    condition: selection_filenames or selection_dll or selection_staging
falsepositives:
    - Windows Performance Monitor may create files in C:\perflogs\ with Microsoft binary names
    - Legitimate installers using temp filenames (should not match known SystemBC names)
level: critical
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
Kaspersky Securelist analysis of DroxiDat/SystemBC variants deployed against critical infrastructure targets in Southern Africa. Kaspersky Securelist analysis of DroxiDat/SystemBC variants deployed against critical infrastructure targets in Southern Africa.

Indicators of Compromise

Network Indicators

TypeIndicatorContext
Port4000 (default C2 panel)SystemBC PHP admin panel default port
ProtocolSOCKS5 on high-numbered ports (10000-65535)Per-victim dynamic proxy ports assigned by C2
Beacon40-byte key + 10-byte padding + encrypted payloadInitial C2 beacon signature (XOR/RC4)
TrafficSmall outbound / large inbound asymmetrySOCKS5 proxy backconnect pattern
TorConnections to Tor relay portsEmbedded mini-Tor client for C2 fallback

File Indicators

TypeIndicatorContext
Filenamesyscheck.exe, hos.exe, host.exe, hostt.exeWindows EXE dropper variants
Filenamesvch.dll, svcpost.dll, svchoct.dllDLL variants loaded via rundll32/regsvr32
PathC:\perflogs\Primary staging directory
Size8KB (DroxiDat)Compact critical infrastructure variant
WindowClass Microsoft, Text win32appMutex equivalent across all variants

Behavioral Indicators

Timeline

DateEvent
2017-07Earliest known SystemBC executable compiled
2019-08Proofpoint publishes first public documentation
2020-12-16Sophos links SystemBC to Ryuk and Egregor ransomware with automated deployment
2021-05-07DarkSide Colonial Pipeline attack — SystemBC identified in affiliate toolsets
2023-03Kaspersky detects DroxiDat (8KB variant) targeting South African power utility
2024-01-19Kroll publishes definitive C2 server analysis documenting PHP panel, SOCKS5, and shellcode injection
2024-05-30Europol Operation Endgame — largest-ever botnet takedown burning SystemBC infrastructure alongside IcedID, SmokeLoader, TrickBot
2024-07-29Mandiant documents UNC4393 (Black Basta) using SystemBC as persistent access layer
2024-12-04Rapid7 documents Black Basta campaign dropping SystemBC alongside Zbot and DarkGate
2025-01-27DFIR Report documents complete LockBit attack chain using Cobalt Strike + SystemBC
2025-09-18Lumen Black Lotus Labs publishes full-scope analysis: 80+ C2s, 1,500 daily victims, REM Proxy connection

MITRE ATT&CK Mapping

TacticTechniqueIDDescription
Command and ControlProtocol TunnelingT1572SOCKS5 proxy establishment from victim to C2
Command and ControlExternal ProxyT1090.002Victims converted to SOCKS5 exit nodes
Command and ControlMulti-hop ProxyT1090.003Traffic routed through multiple proxy layers
Command and ControlSymmetric CryptographyT1573.001RC4/XOR triple-layer encryption on C2 channel
Command and ControlWeb ProtocolsT1071.001HTTP/HTTPS C2 communication
Command and ControlNon-Standard PortT1571Dynamic high-numbered ports per victim
Command and ControlIngress Tool TransferT1105Payload download via loader capability
ExecutionPowerShellT1059.001Hidden PowerShell for persistence execution
ExecutionScheduled TaskT1053.005One-time tasks with random names for payload execution
ExecutionNative APIT1106VirtualProtect + CreateThread for shellcode injection
PersistenceRegistry Run KeysT1547.001socks5 value under Run key
Defense EvasionProcess InjectionT1055Fileless shellcode injection into memory
Defense EvasionObfuscated FilesT1027RC4/XOR encrypted C2 configuration
Defense EvasionMasqueradingT1036.005svchost.exe parent process for loader payloads
Lateral MovementRemote Desktop ProtocolT1021.001RDP tunneled through SOCKS5 proxy
Lateral MovementSMB/Windows Admin SharesT1021.002SMB lateral movement via proxy tunnel
Resource DevelopmentAcquire Infrastructure: BotnetT1583.00580+ C2 servers under single AS
ImpactData Encrypted for ImpactT1486Ransomware deployment as final objective
ImpactInhibit System RecoveryT1490Shadow copy deletion preceding encryption
Full MITRE ATT&CK mapping with 30 techniques: View coverage on Threadlinqs
TL-2026-0101 on Threadlinqs Intelligence — SystemBC proxy malware resurgence tracked with 9/9 detection coverage and 21 shared IOCs. TL-2026-0101 on Threadlinqs Intelligence — SystemBC proxy malware resurgence tracked with 9/9 detection coverage and 21 shared IOCs.

Recommendations

  1. Hunt for SOCKS5 proxy connections on high-numbered ports from internal systems to external infrastructure. SystemBC's per-victim dynamic port assignment means static port blocking is insufficient — protocol-level detection is required.
  2. Monitor C:\perflogs\ for any executable content. This directory is a legitimate Windows performance logging path but is consistently abused by SystemBC as a staging directory. Executable files in this path are always suspicious.
  3. Alert on registry Run key entries containing socks5 or pointing to hidden PowerShell execution from C:\perflogs\. This is the highest-fidelity persistence indicator specific to SystemBC.
  4. Deploy network segmentation to limit the blast radius of SOCKS5 proxy pivoting. Once SystemBC establishes a proxy on a compromised host, operators go low and slow — tunneling SMB, RDP, and WinRM through the victim, all appearing as internal traffic.
  5. Patch VPS infrastructure aggressively — Lumen documented SystemBC victims averaging 20 unpatched CVEs with at least 1 critical. The shift to VPS targeting means hosting providers and their customers are primary targets.

References

Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0101.

// related_reports