
SystemBC
Modular C2 framework and SOCKS5 proxy used by ransomware groups for covert infrastructure.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for SystemBC
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and Defences
- What is SystemBC malware?
- SystemBC is a crimeware framework that provides attackers with an encrypted SOCKS5 proxy channel between compromised computers and attacker infrastructure. It is sold to ransomware operators and used to maintain covert C2 access while hiding true server locations from network defenders.
- Which ransomware groups use SystemBC?
- SystemBC has been used by affiliates of multiple ransomware groups including Ryuk, Conti, LockBit, ALPHV/BlackCat, and The Gentlemen. It functions as a shared-access tool in the ransomware-as-a-service ecosystem, available for purchase to any operator.
- How did researchers identify Gentlemen ransomware victims using SystemBC?
- Check Point Research tracked SystemBC command-and-control beacon patterns, infrastructure clustering, and timing correlations across The Gentlemen group's C2 network, identifying over 1,570 victim organisations before many had disclosed breaches publicly.
Background
SystemBC is a modular command-and-control (C2) framework and SOCKS5 proxy malware that has been commercially offered as a crimeware tool since at least 2019. It provides threat actors with an encrypted, proxied communications channel between compromised hosts and attacker-controlled infrastructure, routing C2 traffic through SOCKS5 tunnels to obscure the true server locations and evade network-based detection. SystemBC is often deployed as a secondary payload after initial access, providing persistent, stealthy connectivity for subsequent attack phases including ransomware staging.
SystemBC has been observed in intrusions associated with multiple ransomware-as-a-service (RaaS) groups and access brokers, including Ryuk, Conti, LockBit, and ALPHV/BlackCat affiliates. Its modular architecture allows operators to load additional plugins or payloads over the established C2 channel. The SOCKS5 proxy capability is particularly valued because it enables attackers to route all subsequent tooling through the victim network, making external detection by network monitoring difficult without inspecting encrypted traffic.
In U#3, Check Point Research used SystemBC C2 telemetry to surface a victim cluster of over 1,570 organisations linked to The Gentlemen ransomware group. The telemetry analysis — tracking SystemBC C2 beacon patterns, infrastructure clustering, and timing correlation — allowed researchers to identify the scale and geography of The Gentlemen's operation before many victims had publicly disclosed breaches.
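Beacon-pattern and clustering analysis can be applied defensively to flow metadata alone, without decrypting the proxied traffic. The sketch below is an added example, not Check Point Research's method or code from any tool named on this page; the host names, documentation-range addresses, port, and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (epoch_seconds, src_host, dst_ip, dst_port).
# Addresses come from documentation ranges; nothing here is real telemetry.
def sample_flows():
    flows = []
    # Two hosts calling the same external endpoint every ~60 s with small jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2]):
        flows.append((1000 + 60 * i + jitter, "ws-017", "203.0.113.50", 4001))
        flows.append((1030 + 60 * i - jitter, "srv-db2", "203.0.113.50", 4001))
    # Irregular, human-driven traffic to another endpoint.
    for t in [1005, 1011, 1190, 1204, 1650, 1652, 1990, 2400]:
        flows.append((t, "ws-017", "198.51.100.7", 443))
    return flows

def beacon_candidates(flows, min_events=6, max_cv=0.15):
    """Return {(src, dst, port): (mean_interval, cv)} for regular-interval pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge cadence
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean  # low CV = machine-like cadence
        if cv <= max_cv:
            hits[pair] = (round(mean, 1), round(cv, 3))
    return hits

def shared_endpoints(hits, min_hosts=2):
    """Clustering step: endpoints that several internal hosts beacon to."""
    hosts = defaultdict(set)
    for src, dst, port in hits:
        hosts[(dst, port)].add(src)
    return {ep: sorted(h) for ep, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    hits = beacon_candidates(sample_flows())
    for pair, (mean, cv) in sorted(hits.items()):
        print(pair, "interval", mean, "cv", cv)
    print("shared endpoints:", shared_endpoints(hits))
```

Regular cadence alone also matches benign software such as update checkers and monitoring agents, so flagged pairs are leads for triage rather than verdicts.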