Cybersecurity researchers have recently analyzed the command-and-control (C2) server of the SystemBC malware [2] [3], a well-known family sold on underground marketplaces [3] [4] [5]. The analysis exposes the payload delivery tricks the malware uses [2], including its ability to serve as a persistent backdoor for threat actors.

SystemBC is malware that lets attackers remotely control compromised hosts and deliver additional payloads [4] [5], such as trojans [5], Cobalt Strike [5], and ransomware [1] [5]. It can launch additional modules to extend its functionality [5]. To mask network traffic to and from the C2 infrastructure [3] [4] [5], SystemBC uses SOCKS5 proxies [5]. Customers who purchase SystemBC receive an installation package containing an implant executable [3] [4] [5], C2 server binaries for Windows and Linux [4], and a PHP file for the C2 panel interface [3] [4] [5]. The C2 server opens multiple TCP ports: for C2 traffic [3] [4] [5], for inter-process communication [5], and one for each active implant [5]. The PHP-based panel not only lists active implants but also allows shellcode and arbitrary files to be executed on victim machines [3].

In addition to the SystemBC analysis [3], the researchers discovered a weakness in the custom Base64 alphabet used by the DarkGate remote access trojan (RAT). Because of this weakness, sensitive files such as configuration and keylogger files [3], which hold valuable information including passwords and composed emails [3], are easy to decode.
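To illustrate why a custom Base64 alphabet offers no real confidentiality, here is an added example (not code from the researchers' write-up or from DarkGate): a custom alphabet is only a fixed substitution on the standard one, so an analyst who knows a fragment of plaintext, such as fixed field names in a config file, can recover the mapping and decode the rest. The alphabet and the sample config below are constructed for the demonstration and are not DarkGate's.

```python
import base64
import string

# Standard RFC 4648 alphabet; any "custom" alphabet is just a permutation of it.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed demo alphabet (hypothetical; NOT the alphabet DarkGate actually uses).
DEMO_ALPHABET = (string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1]
                 + string.digits[::-1] + "_-")
assert len(DEMO_ALPHABET) == 64 and len(set(DEMO_ALPHABET)) == 64

# Constructed sample "config" with a predictable layout, as an analyst might see one.
SAMPLE_CONFIG = b"id=0001|port=0|log=keys.dat|user=sample"


def encode_custom(data: bytes, alphabet: str) -> str:
    """Standard Base64, then substitute each symbol with the custom alphabet."""
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom(text: str, alphabet: str) -> bytes:
    """Reverse the substitution and let the standard decoder do the rest."""
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std)


def recover_alphabet(encoded: str, known_plaintext: bytes) -> dict:
    """Derive the custom->standard symbol map from one sample whose plaintext is known.

    A config file with fixed field names, or a keylogger file with a predictable
    header, gives an analyst exactly this kind of known plaintext.
    """
    std = base64.b64encode(known_plaintext).decode("ascii")
    if len(std) != len(encoded):
        raise ValueError("sample length does not match a Base64 encoding of the plaintext")
    mapping = {}
    for custom_sym, std_sym in zip(encoded, std):
        if std_sym == "=":
            continue  # padding is assumed to stay '=' in the custom scheme
        if mapping.setdefault(custom_sym, std_sym) != std_sym:
            raise ValueError("sample is not a simple alphabet substitution")
    return mapping


if __name__ == "__main__":
    blob = encode_custom(SAMPLE_CONFIG, DEMO_ALPHABET)
    learned = recover_alphabet(blob, SAMPLE_CONFIG)
    print(f"recovered {len(learned)} of 64 symbols from one known sample")
    print(decode_custom(blob, DEMO_ALPHABET))
```

Every symbol recovered from one known sample is one fewer unknown when decoding the next file from the same implant; the remaining symbols can be filled in from further samples the same way.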

The availability of SystemBC on the dark web highlights how easily malicious tools can be acquired and raises questions about the state of the cybersecurity landscape [1]. Its use by ransomware groups is particularly significant [1], as it lets them launch further attacks and potentially deploy ransomware [1]. Robust security measures and proactive defense strategies are needed to mitigate the risks this tool poses [1]. Security practitioners must stay informed [1], collaborate [1], and adapt their practices to defend against emerging threats in an ever-evolving cybersecurity landscape [1].