Kaspersky researchers reported that the DroxiDat malware operation was being used to infect Windows systems and deploy SystemBC, a proxy and backdoor trojan commonly associated with follow-on criminal activity. The campaign relied on malicious delivery chains that installed DroxiDat as an initial payload, after which it fetched additional components and established persistence on compromised hosts, giving operators a foothold for further malware deployment and covert network access.
The reporting linked DroxiDat and SystemBC as part of a broader financially motivated intrusion ecosystem in which lightweight loaders and proxy malware are used to prepare victims for later-stage attacks. SystemBC enabled attackers to tunnel traffic, evade detection, and maintain command-and-control communications, increasing the value of infected machines for credential theft, malware staging, or potential ransomware operations.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Securelist published a report focused on the DroxiDat malware and the SystemBC malware family. No additional incident-specific events are provided in the reference content.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.