SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation

Research shows affiliates of The Gentlemen ransomware‑as‑a‑service deployed the SystemBC proxy, with its C2 linked to a botnet of over 1,570 compromised corporate networks worldwide. The operation demonstrates rapid growth and versatile tooling—targeting Windows, Linux, NAS, and ESXi—while using tactics like GPO abuse and Defender disabling to enable fast, domain‑wide encryption #TheGentlemen #SystemBC

Keypoints

  • The Gentlemen RaaS has claimed more than 320 victims and rapidly expanded via an affiliate model.
  • Check Point tied a SystemBC C2 to a botnet of over 1,570 victims across multiple countries.
  • SystemBC provides SOCKS5 tunnels, uses an RC4‑encrypted protocol, and can deliver in‑memory or on‑disk payloads.
  • Attack chains include initial access via exposed services or credentials, lateral movement, payload staging (Cobalt Strike, SystemBC), and GPO abuse for domain compromise.
  • Ransomware trends show shorter dwell times, specialization (e.g., Kyber, Akira), and increasing targeting of ESXi, OT, and SMB environments.

Read More: https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html