[{"data":1,"prerenderedAt":164},["ShallowReactive",2],{"article-slug-gentlemen-raas-leverages-systembc-botnet-for-widespread-attacks":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":37,"sources":38,"events":50,"mitre_techniques":51,"mitre_mitigations":71,"d3fend_countermeasures":112,"iocs":124,"cyber_observables":125,"tags":147,"extract_datetime":153,"article_type":154,"impact_scope":155,"pub_date":42,"reading_time_minutes":163,"createdAt":153,"updatedAt":153},"d8ee2d84-5be4-477b-9d26-8228212cede2","gentlemen-raas-leverages-systembc-botnet-for-widespread-attacks","Gentlemen RaaS Expands with SystemBC Botnet for Covert Attacks","Gentlemen RaaS Gang Linked to SystemBC Botnet for Covert Proxy and Payload Delivery","The Gentlemen ransomware-as-a-service (RaaS) operation is now leveraging the SystemBC proxy malware botnet to enhance its attacks, according to research from Check Point. Affiliates of the group have been observed deploying SystemBC to create covert SOCKS5 tunnels, hiding their C2 traffic and staging ransomware payloads. The associated botnet comprises over 1,570 compromised corporate systems. Gentlemen RaaS provides multi-platform lockers for Windows, Linux, and ESXi, and the addition of SystemBC to its toolkit signals a move towards more sophisticated and evasive attack methods.","## Executive Summary\n\n**The Gentlemen**, a rapidly growing ransomware-as-a-service (RaaS) operation, is increasing its sophistication by incorporating the **[SystemBC](https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc)** proxy botnet into its attack chain. Research from **[Check Point](https://www.checkpoint.com/)** has revealed that Gentlemen affiliates are using **SystemBC** to establish covert SOCKS5 tunnels on compromised hosts. 
This allows them to obscure their command-and-control (C2) traffic, evade detection, and deliver additional malicious payloads, including the ransomware itself. The investigation uncovered a **SystemBC** botnet of over 1,570 compromised corporate systems linked to this activity. This adoption of a dedicated proxy botnet marks a significant enhancement of the RaaS group's operational capabilities, enabling more stealthy and resilient attacks across a wide range of target platforms.\n\n---\n\n## Threat Overview\n\n**The Gentlemen** RaaS group, which emerged in mid-2025, has quickly scaled its operations by advertising on underground forums and providing affiliates with a versatile toolkit. The group offers multi-platform ransomware lockers, including:\n-   A Go-based locker for Windows, Linux, NAS, and BSD systems.\n-   A C-based locker specifically for VMware ESXi hypervisors, targeting the core of modern data centers.\n\nThe integration of **SystemBC** into their playbook provides affiliates with a powerful tool for stealth and persistence. **SystemBC** is a well-known malware that functions as a backdoor and proxy. By routing their traffic through the compromised systems in the botnet, attackers can make it difficult for defenders to trace the origin of the attack or block C2 communications.\n\n## Technical Analysis\n\nDuring an incident response engagement, Check Point observed a Gentlemen affiliate's attack chain in detail.\n\n**Typical Attack Chain:**\n1.  **Initial Access:** The affiliate gains initial access to the network (vector not specified, but likely phishing or exploiting vulnerabilities).\n2.  **Privilege Escalation:** The attacker escalates privileges to become a Domain Admin.\n3.  **Reconnaissance & Staging:** The attacker deploys **[Cobalt Strike](https://attack.mitre.org/software/S0154/)** beacons for C2 and performs network discovery to identify high-value targets.\n4.  
**Covert Tunneling:** The affiliate deploys **SystemBC** on a compromised host. **SystemBC** connects to its C2 server and establishes a SOCKS5 proxy, creating a covert tunnel for subsequent attacker communications.\n5.  **Payload Delivery:** The attacker uses the **SystemBC** tunnel to download and stage the Gentlemen ransomware payload.\n6.  **Impact:** The ransomware is detonated across the network, encrypting critical systems, including ESXi hosts to take down multiple virtual machines at once ([`T1486`](https://attack.mitre.org/techniques/T1486/)).\n\n**MITRE ATT&CK TTPs:**\n- [`T1090 - Proxy`](https://attack.mitre.org/techniques/T1090/): The core functionality provided by the **SystemBC** botnet to obscure C2 traffic.\n- [`T1059.003 - Windows Command Shell`](https://attack.mitre.org/techniques/T1059/003/): Used for executing commands and deploying tools like Cobalt Strike and SystemBC.\n- [`T1588.002 - Tool`](https://attack.mitre.org/techniques/T1588/002/): The affiliate acquires and uses commercial/public tools like Cobalt Strike and SystemBC.\n- [`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/): The final goal of the ransomware deployment.\n- [`T1490 - Inhibit System Recovery`](https://attack.mitre.org/techniques/T1490/): Targeting ESXi hosts is a common technique to inhibit recovery by encrypting virtual machines and their snapshots.\n\n## Impact Assessment\n\nThe use of **SystemBC** makes Gentlemen ransomware attacks harder to detect and block. By tunneling C2 traffic through legitimate-looking SOCKS5 proxies, they can bypass many simple network-based IOCs. The ability to target ESXi hypervisors is particularly damaging, as a single command can encrypt dozens of virtual machines, causing massive operational disruption. 
The group's double-extortion model, using a Tor-based leak site to publish data from over 320 claimed victims, adds the threat of data breach and reputational damage to the operational impact of encryption.\n\n## IOCs — Directly from Articles\n\nNo specific file hashes, IP addresses, or domains were provided in the source articles.\n\n## Cyber Observables — Hunting Hints\n\nSecurity teams can hunt for Gentlemen and SystemBC activity using these patterns:\n\n| Type | Value | Description | Context |\n| :--- | :--- | :--- | :--- |\n| Process Name | `system.exe` or `svchost.exe` (with unusual parent process) | SystemBC often masquerades as a legitimate system process. Look for instances with no parent or an unusual parent like `explorer.exe`. | EDR process tree analysis. |\n| Network Traffic Pattern | Outbound connections on unusual ports to residential IP space. | SystemBC botnet nodes are often on compromised home or small business systems. Look for persistent connections from servers to such IPs. | NetFlow, firewall logs. |\n| Command Line Pattern | `powershell.exe -enc \u003Cbase64>` | PowerShell is frequently used to download and execute SystemBC in a fileless manner. | EDR, PowerShell script block logging (Event ID 4104). |\n| File Name | Randomly named executables in `C:\\Users\\\u003Cuser>\\AppData\\Roaming\\` | SystemBC is often dropped into user profile directories. | EDR, file integrity monitoring. |\n\n## Detection & Response\n\n**Detection:**\n1.  **Network Egress Filtering:** Monitor and restrict outbound traffic. Connections from corporate servers to residential IP addresses or known malicious C2 servers should be blocked and investigated.\n2.  **Behavioral Analysis:** Use EDR to detect the chain of activity: a process spawning PowerShell, which then makes a network connection to download and execute a payload in memory.\n3.  
**Threat Intelligence:** Integrate threat intelligence feeds that provide up-to-date IOCs for **SystemBC** C2 servers.\n\n**Response:**\n1.  **Block C2:** If **SystemBC** is detected, immediately block the C2 IP addresses at the firewall to sever the attacker's connection.\n2.  **Isolate Host:** Isolate the compromised host from the network to prevent lateral movement.\n3.  **Forensic Analysis:** Analyze the host to identify the initial access vector and any other tools or backdoors the attacker may have installed.\n\n## Mitigation\n\n1.  **Egress Traffic Filtering:** Implement a default-deny policy for outbound network traffic from servers. Only allow connections to known, legitimate destinations.\n2.  **Patch Management:** Keep all systems, especially hypervisors like VMware ESXi, fully patched to prevent exploitation of known vulnerabilities.\n3.  **PowerShell Security:** Enable PowerShell script block logging and transcription to capture and analyze PowerShell activity. Use Constrained Language Mode where possible.\n4.  **Network Segmentation:** Segment the network to make it harder for attackers to move laterally from a compromised workstation to a critical server like an ESXi host.","Gentlemen RaaS is upgrading its toolkit, using the SystemBC botnet for covert SOCKS5 proxying. The combo enables stealthy C2 and payload delivery for attacks on Windows, Linux, and ESXi. 
💣 #Ransomware #SystemBC #Gentlemen #CyberSecurity","The Gentlemen ransomware-as-a-service (RaaS) operation has been linked to the SystemBC proxy malware botnet, enabling affiliates to conduct more stealthy and resilient attacks.",[13,14,15],"Ransomware","Malware","Threat Actor","high",[18,21,25,29,32,34],{"name":19,"type":20},"The Gentlemen","threat_actor",{"name":22,"type":23,"url":24},"SystemBC","malware","https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",{"name":26,"type":27,"url":28},"Check Point","vendor","https://www.checkpoint.com/",{"name":30,"type":23,"url":31},"Cobalt Strike","https://attack.mitre.org/software/S0154/",{"name":33,"type":23},"Gentlemen Ransomware",{"name":35,"type":36},"VMware ESXi","product",[],[39,45],{"url":40,"title":41,"date":42,"friendly_name":43,"website":44},"https://gbhackers.com/gentlemen-raas-hits-windows-linux-and-esxi/","Gentlemen RaaS Hits Windows, Linux, and ESXi With New C-Based Locker","2026-04-21","GBHackers on Security","gbhackers.com",{"url":46,"title":47,"date":42,"friendly_name":48,"website":49},"https://www.scmagazine.com/brief/systembc-botnet-linked-to-gentlemen-ransomware-attacks","SystemBC botnet linked to Gentlemen ransomware attacks | brief","SC Magazine","scmagazine.com",[],[52,56,60,64,68],{"id":53,"name":54,"tactic":55},"T1090","Proxy","Command and Control",{"id":57,"name":58,"tactic":59},"T1059.003","Windows Command Shell","Execution",{"id":61,"name":62,"tactic":63},"T1588.002","Tool","Resource Development",{"id":65,"name":66,"tactic":67},"T1486","Data Encrypted for Impact","Impact",{"id":69,"name":70,"tactic":67},"T1490","Inhibit System Recovery",[72,82,91],{"id":73,"name":74,"d3fend_techniques":75,"description":80,"domain":81},"M1037","Filter Network Traffic",[76],{"id":77,"name":78,"url":79},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Implement strict egress filtering to block unexpected outbound connections from servers, which can disrupt SystemBC C2 
communications.","enterprise",{"id":83,"name":84,"d3fend_techniques":85,"description":90,"domain":81},"M1051","Update Software",[86],{"id":87,"name":88,"url":89},"D3-SU","Software Update","https://d3fend.mitre.org/technique/d3f:SoftwareUpdate","Keeping VMware ESXi and other systems fully patched reduces the potential for initial access via vulnerability exploitation.",{"id":92,"name":93,"d3fend_techniques":94,"description":111,"domain":81},"M1030","Network Segmentation",[95,99,103,107],{"id":96,"name":97,"url":98},"D3-BDI","Broadcast Domain Isolation","https://d3fend.mitre.org/technique/d3f:BroadcastDomainIsolation",{"id":100,"name":101,"url":102},"D3-ET","Encrypted Tunnels","https://d3fend.mitre.org/technique/d3f:EncryptedTunnels",{"id":104,"name":105,"url":106},"D3-ISVA","Inbound Session Volume Analysis","https://d3fend.mitre.org/technique/d3f:InboundSessionVolumeAnalysis",{"id":108,"name":109,"url":110},"D3-ITF","Inbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:InboundTrafficFiltering","Proper segmentation prevents attackers who compromise a workstation from easily moving laterally to critical data center assets like ESXi hosts.",[113,118],{"technique_id":114,"technique_name":115,"url":116,"recommendation":117,"mitre_mitigation_id":73},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","To counter the core functionality of the SystemBC botnet used by Gentlemen affiliates, organizations must implement strict outbound traffic filtering, especially from server segments. The purpose of SystemBC is to create a covert tunnel to an external C2 server. By configuring firewalls with a default-deny egress policy, you can block these unauthorized connections. Servers should only be allowed to communicate outbound to a small, well-defined list of IP addresses and ports required for their function (e.g., patch servers, specific API endpoints). 
Any attempt by SystemBC to connect to its C2, which is likely hosted on a compromised residential system or other non-standard IP, would be blocked and logged. This single control can neutralize the attacker's ability to maintain persistence and deliver the final ransomware payload.",{"technique_id":119,"technique_name":120,"url":121,"recommendation":122,"mitre_mitigation_id":123},"D3-NTA","Network Traffic Analysis","https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis","For detecting the presence of SystemBC, Network Traffic Analysis (NTA) is crucial. NTA tools can identify the characteristic beaconing of SOCKS5 proxy malware. Even if the traffic is encrypted, NTA can analyze metadata such as connection frequency, duration, and data volume. A corporate server suddenly making a persistent, low-and-slow connection to a residential IP address in another country is a high-confidence indicator of a proxy botnet infection. Furthermore, since the Gentlemen group targets ESXi hosts, monitoring the ESXi management network is critical. Any unexpected traffic from an ESXi host to an external address should be treated as a major red flag. NTA provides the visibility needed to spot these anomalous patterns that EDR on the host might miss.","M1031",[],[126,132,137,142],{"type":127,"value":128,"description":129,"context":130,"confidence":131},"process_name","system.exe","SystemBC often masquerades as a legitimate system process like `system.exe` or `svchost.exe`. Look for instances with no parent process or an unusual parent like `explorer.exe` or `winlogon.exe`.","EDR process tree analysis, Sysmon Event ID 1.","medium",{"type":133,"value":134,"description":135,"context":136,"confidence":131},"network_traffic_pattern","Outbound connections on unusual ports to residential IP space.","SystemBC botnet nodes are often on compromised home or small business systems. 
Persistent connections from corporate servers to such IPs are highly suspicious.","NetFlow analysis, firewall logs, threat intelligence feeds.",{"type":138,"value":139,"description":140,"context":141,"confidence":16},"command_line_pattern","powershell.exe -enc","PowerShell is frequently used to download and execute SystemBC in a fileless manner. Look for encoded commands, a common evasion technique.","EDR, PowerShell script block logging (Event ID 4104).",{"type":143,"value":144,"description":145,"context":146,"confidence":131},"file_path","C:\\Users\\*\\AppData\\Roaming\\*.exe","SystemBC is often dropped as a randomly named executable into user profile directories to establish persistence.","EDR file creation monitoring, file integrity monitoring.",[148,149,22,150,151,30,152,26],"Gentlemen","RaaS","ransomware","botnet","ESXi","2026-04-21T15:00:00.000Z","NewsArticle",{"geographic_scope":156,"industries_affected":157,"other_affected":161},"global",[158,159,160],"Technology","Manufacturing","Finance",[162],"Corporate and Organizational environments",5,1776792970110]