Ransomware operators are actively using the SystemBC RAT to maintain persistence on infected machines. The malware has been on sale at underground forums since 2019. Recently, it has evolved to use Tor for encryption of command and control traffic.

What has happened?

Earlier, the SystemBC malware acted as a virtual private network by using a SOCKS5 proxy into a backdoor. However, it has now evolved as an off-the-shelf tool.
  • It is capable of running Windows commands, implementing malicious DLLs, script deployment, remote administration and monitoring, and establishing backdoors for operators to receive commands.
  • Over time, it has evolved into a sophisticated backdoor, that leverages the anonymity of the TOR network to hide its communications with its C2 servers. 
  • Recently, the malware was deployed as an off-the-shelf tool, which could be obtained via malware-as-a-service deals. In some cases, it was present on infected machines for days or weeks.

Recent attacks

SystemBC has been recently used by several ransomware operators including Ryuk and Egregor, along with post-exploitation tools such as Cobalt Strike.  
  • A few weeks ago, Egregor ransomware operators were observed using SystemBC to create an obfuscated backchannel for data exfiltration and attack communications.
  • Ryuk ransomware operators were also observed using SystemBC during attacks to maintain persistence.


Off-the-shelf tools are being favored by ransomware operators because they offer several features for persistence. Thus, experts suggest using a reliable anti-malware solution to detect malware, take a good backup of important data, and provide training to employees for spotting phishing or spam emails.

Cyware Publisher