Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC.
According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims.
“SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol,” Check Point said. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.
Since its emergence in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is versatile as it’s sophisticated, exhibiting capabilities to target Windows, Linux, NAS, and BSD systems with a Go-based locker as well as employing legitimate drivers and custom malicious tools to subvert defenses.
Exactly how the threat actors obtain initial access is unclear, although evidence suggests that internet-facing services or compromised credentials are being abused to establish an initial foothold, followed by engaging in discovery, lateral movement, payload staging (i.e., Cobalt Strike, SystemBC, and the encryptor), defense evasion, and ransomware deployment. A notable aspect of the attacks is the abuse of Group Policy Objects (GPOs) to facilitate domain-wide compromise.
“By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets’ environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation,” security vendor Trend Micro noted in an analysis of the group’s tradecraft in September 2025.
The latest findings from Check Point show that an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised host, with the C2 server linked to the proxy malware commandeering hundreds of victims across the globe, including the U.S., the U.K., Germany, Australia, and Romania.
While SystemBC has been used in ransomware operations as far back as 2020, the exact nature of the connection between the malware and The Gentlemen e-crime scheme remains unclear, such as whether it’s part of the attack playbook or if it’s something deployed by a specific affiliate for data exfiltration and remote access.
“During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls, all before deploying and executing the ransomware binary on that host,” Check Point said.
The ESXi variant…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
