Sophos reported that SystemBC, a backdoor and proxy remote-access trojan first seen in 2019, has been used in ransomware intrusions tied to Ryuk and Egregor operators. In the investigated cases, attackers deployed the malware after obtaining administrative access and moving laterally through victim networks, using it to maintain persistence and deliver follow-on payloads. SystemBC can execute commands, scripts, shellcode, executables, and DLLs directly on compromised Windows systems, giving intruders a flexible post-compromise foothold.
Researchers said newer SystemBC variants have evolved from simple SOCKS5-style proxying to concealed command-and-control over Tor as well as raw TCP, helping attackers hide their infrastructure during hands-off operations. Sophos observed hundreds of attempted deployments worldwide and assessed that ransomware-as-a-service affiliates are using SystemBC as a shared utility alongside Cobalt Strike and loaders including Buer Loader, Bazar, Zloader, and Qbot. The report also noted an evasion feature in which the malware avoids creating a service if Emsisoft process a2guard.exe is present.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Sophos publicly released research describing how ransomware operators were using SystemBC as an off-the-shelf Tor-enabled backdoor and persistence mechanism. The report documented its role in automated payload delivery and hands-off persistence across compromised networks.
In recent intrusions investigated by Sophos, attackers linked to Ryuk and Egregor operations deployed SystemBC after obtaining administrative access and moving laterally in victim networks. Sophos observed hundreds of attempted deployments worldwide and assessed that ransomware affiliates were using SystemBC alongside tools such as Cobalt Strike, Buer Loader, Bazar, Zloader, and Qbot.
Newer SystemBC samples added concealed command-and-control over the Tor network, expanding beyond raw TCP and earlier proxy-focused behavior. The malware also supported persistence and execution of commands, scripts, shellcode, executables, and DLLs on infected Windows systems.
Sophos reported that SystemBC, a backdoor/proxy RAT later used in ransomware intrusions, was first seen in 2019. Early variants functioned primarily as a SOCKS5-style proxy before later evolving.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.