
SystemBC
Modular C2 framework and SOCKS5 proxy used by ransomware groups for covert infrastructure.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for SystemBC
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Cybersecurity: Threats and DefencesWhat is SystemBC malware?
Which ransomware groups use SystemBC?
How did researchers identify Gentlemen ransomware victims using SystemBC?
Background
SystemBC is a modular command-and-control (C2) framework and SOCKS5 proxy malware that has been commercially offered as a crimeware tool since at least 2019. It provides threat actors with an encrypted, proxied communications channel between compromised hosts and attacker-controlled infrastructure, routing C2 traffic through SOCKS5 tunnels to obscure the true server locations and evade network-based detection. SystemBC is often deployed as a secondary payload after initial access, providing persistent, stealthy connectivity for subsequent attack phases including ransomware staging.
SystemBC has been observed in intrusions associated with multiple ransomware-as-a-service (RaaS) groups and access brokers, including Ryuk, Conti, LockBit, and ALPHV/BlackCat affiliates. Its modular architecture allows operators to load additional plugins or payloads over the established C2 channel. The SOCKS5 proxy capability is particularly valued because it enables attackers to route all subsequent tooling through the victim network, making external detection by network monitoring difficult without inspecting encrypted traffic.
In U#3, Check Point Research used SystemBC C2 telemetry to surface a victim cluster of over 1,570 organisations linked to The Gentlemen ransomware group . The telemetry analysis — tracking SystemBC C2 beacon patterns, infrastructure clustering, and timing correlation — allowed researchers to identify the scale and geography of The Gentlemen's operation before many victims had publicly disclosed breaches.