

SystemBC botnet expansion linked to The Gentlemen RaaS operation

1 unique source, 1 article

Summary


A command-and-control (C2) server tied to the SystemBC proxy malware was found to control a botnet of more than 1,570 compromised hosts, many of which are linked to The Gentlemen ransomware-as-a-service (RaaS) operation, active since July 2025. SystemBC establishes SOCKS5 tunnels into the victim environment for remote access and can deliver additional payloads either by writing them to disk or by injecting them directly into memory. The botnet spans multiple regions, and the ransomware itself targets Windows, Linux, NAS, and BSD systems; affiliates deploy SystemBC in the post-compromise phase alongside Cobalt Strike. Initial access vectors remain unclear but likely involve exposed internet-facing services or compromised credentials, followed by lateral movement, domain-wide compromise via Group Policy Objects (GPOs), and ransomware deployment. The finding points to a rapidly growing footprint for The Gentlemen: the number of compromised hosts observed exceeds the victim count claimed on the group's public leak site, indicating a broader operational scale than previously documented.

Timeline

  1. 21.04.2026 21:18 · 1 article

    SystemBC botnet linked to The Gentlemen RaaS operation expands to over 1,570 victims

    A command-and-control server associated with the SystemBC proxy malware was discovered to control a botnet of more than 1,570 compromised systems, many tied to The Gentlemen ransomware-as-a-service operation. The botnet spans multiple regions and operating systems, with affiliates deploying SystemBC during lateral movement to establish remote access tunnels, deliver additional malware, and facilitate domain-wide compromise via Group Policy Objects (GPOs). The discovery highlights a larger operational footprint for The Gentlemen than indicated by their public leak site, underscoring the group’s rapid growth and sophisticated post-compromise tooling, including Defender evasion scripts and ESXi-targeting capabilities.


Information Snippets

  • SystemBC establishes SOCKS5 network tunnels within victim environments and communicates with its C2 server using a custom RC4-encrypted protocol.

    First reported: 21.04.2026 21:18
    1 source, 1 article
  • The SystemBC C2 server identified by Check Point Research is linked to a botnet of more than 1,570 compromised hosts across multiple regions, including the U.S., U.K., Germany, Australia, and Romania.

  • The Gentlemen RaaS operation, active since July 2025, has claimed over 320 victims on its data leak site but is estimated to have compromised many more: the SystemBC C2 server's more than 1,570 compromised hosts, many of them linked to the group's affiliates, point to a far larger footprint (note that these are individual hosts, not distinct victim organizations).

  • The Gentlemen targets Windows, Linux, NAS, and BSD systems using a Go-based locker and employs legitimate drivers, custom tools, and Group Policy Objects (GPOs) for domain-wide compromise.

  • During lateral movement, The Gentlemen affiliates run PowerShell scripts on remote hosts that disable Windows Defender, add Defender exclusions, turn off the Windows Firewall, re-enable SMBv1, and loosen LSA anonymous-access controls before the ransomware is deployed.

  • The ESXi variant of The Gentlemen's ransomware shuts down running virtual machines before encryption (a running VM's disk files are locked by the hypervisor), establishes persistence via a crontab entry, and inhibits recovery prior to encrypting.

  • ZeroFox recorded at least 2,059 ransomware and digital extortion incidents in Q1 2026, 192 of them attributed to The Gentlemen. The group's regional targeting has shifted over time: North America accounted for 20% of its victims in Q3 2025, 2% in Q4 2025, and 13% in Q1 2026.

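The snippet above on the affiliates' pre-ransomware host tampering (Defender disabled, exclusions added, firewall off, SMBv1 re-enabled, LSA anonymous-access controls loosened) describes a set of settings a defender can audit for. The script below is an added example and is not code from the article, from Check Point Research, or from the threat actor: it checks each of those settings on the local host and returns one finding per check, and can push the same checks to remote hosts over WinRM. The article does not name which LSA registry values are changed, so the two values checked under "LSA" (`RestrictAnonymousSAM` and `EveryoneIncludesAnonymous`) are an assumption based on the usual hardening baseline; the function and host names are illustrative.

```powershell
# Added example (not from the article or from Check Point Research).
# Audits the host settings the article says The Gentlemen affiliates roll back
# before deploying ransomware. Run in an elevated session on a suspect host, or
# pass -ComputerName to run the same checks remotely via WinRM.
# Assumption: the LSA values inspected are the baseline ones; the article does
# not specify which values the affiliates modify.

function Get-HardeningRollbackFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Host = $env:COMPUTERNAME; Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. Microsoft Defender: real-time protection and configured exclusions.
    #    If the Defender cmdlets fail, the service may have been stopped or removed.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        $stat = Get-MpComputerStatus -ErrorAction Stop
        if ($pref.DisableRealtimeMonitoring -or -not $stat.RealTimeProtectionEnabled) {
            Add-Finding 'Defender' 'SUSPECT' 'Real-time protection is disabled'
        } else {
            Add-Finding 'Defender' 'OK' 'Real-time protection enabled'
        }
        $excl = @( (@($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess)) |
                   Where-Object { $_ } )
        if ($excl.Count -gt 0) {
            Add-Finding 'DefenderExclusions' 'REVIEW' ($excl -join '; ')
        } else {
            Add-Finding 'DefenderExclusions' 'OK' 'No exclusions configured'
        }
    } catch {
        Add-Finding 'Defender' 'SUSPECT' "Defender cmdlets unavailable: $($_.Exception.Message)"
    }

    # 2. Windows Firewall: every profile (Domain/Private/Public) should be enabled.
    $off = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })
    if ($off.Count -gt 0) {
        Add-Finding 'Firewall' 'SUSPECT' ('Disabled profiles: ' + ($off.Name -join ', '))
    } else {
        Add-Finding 'Firewall' 'OK' 'All profiles enabled'
    }

    # 3. SMBv1: should be off on any supported Windows build.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Add-Finding 'SMB1' 'SUSPECT' 'EnableSMB1Protocol is True'
    } else {
        Add-Finding 'SMB1' 'OK' 'SMB1 disabled'
    }

    # 4. LSA anonymous-access controls (assumed values, see header comment).
    #    A missing value is treated as loosened, so it is reported as well.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $loose = @()
    if ($lsa.RestrictAnonymousSAM -ne 1)      { $loose += 'RestrictAnonymousSAM<>1' }
    if ($lsa.EveryoneIncludesAnonymous -eq 1) { $loose += 'EveryoneIncludesAnonymous=1' }
    if ($loose.Count -gt 0) {
        Add-Finding 'LSA' 'SUSPECT' ($loose -join ', ')
    } else {
        Add-Finding 'LSA' 'OK' "RestrictAnonymous=$($lsa.RestrictAnonymous), RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0"
    }

    return $findings
}

function Invoke-HardeningRollbackAudit {
    param([string[]]$ComputerName)
    if (-not $ComputerName) { return Get-HardeningRollbackFindings }
    # Ship the function body to each remote host and run it there (requires WinRM).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-HardeningRollbackFindings}
}

# Usage (local host, then a hypothetical list of remote hosts):
Invoke-HardeningRollbackAudit | Format-Table -AutoSize
# Invoke-HardeningRollbackAudit -ComputerName 'srv01','srv02' | Export-Csv .\audit.csv -NoTypeInformation
```

Any `SUSPECT` row on a host that was compliant at the last baseline is worth treating as a post-compromise indicator rather than drift, since the article describes all of these changes being made together in one scripted step shortly before encryption; `REVIEW` rows (Defender exclusions) need a comparison against the organisation's known-good exclusion list before they mean anything.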