
Gentlemen Ransomware Expands Reach with SystemBC Botnet Targeting Corporate Networks


A large-scale botnet powered by SystemBC proxy malware, comprising more than 1,570 infected machines, has been uncovered during an investigation into a Gentlemen ransomware attack carried out by an affiliate of the group. Evidence suggests that the majority of affected systems belong to corporate environments.

The Gentlemen ransomware-as-a-service (RaaS) operation surfaced around mid-2025, offering attackers multiple encryption tools. Its toolkit includes a Go-based locker capable of targeting Windows, Linux, NAS, and BSD systems, as well as a C-based encryptor designed for ESXi hypervisors.

In December, the group successfully breached one of Romania’s biggest energy companies, the Oltenia Energy Complex. More recently, The Adaptavist Group revealed a separate incident that was also claimed by the ransomware gang on its leak portal. While the operators have publicly listed around 320 victims—most from this year—researchers at Check Point note that affiliates are increasingly enhancing their infrastructure and attack methods.

During an incident response investigation, experts observed that a ransomware affiliate attempted to deploy SystemBC malware to enable stealthy delivery of malicious payloads. “Check Point Research observed victim telemetry from the relevant SystemBC command-and-control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting,” the researchers say in a report today.

SystemBC, active since at least 2019, is commonly used for SOCKS5 proxy tunneling. Its ability to deliver additional malicious payloads has made it a preferred tool among ransomware operators. Even after a law enforcement disruption in 2024, the botnet has remained active. In fact, Black Lotus Labs reported last year that it was compromising approximately 1,500 commercial virtual private servers (VPS) daily to route harmful traffic.

According to Check Point, the majority of infections tied to Gentlemen’s use of SystemBC are concentrated in the United States, the United Kingdom, Germany, Australia, and Romania. "The specific Command and Control server that was used for the communication had infected a large number of victims across the globe. It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human-operated intrusion workflows rather than massive targeting," Check Point says.

Researchers have not yet determined exactly how SystemBC integrates into the Gentlemen ransomware ecosystem, nor whether multiple affiliates are using the malware simultaneously.

Infection Chain and Encryption Strategy

Although the initial entry point remains unclear, investigators found that attackers operated from a Domain Controller with Domain Admin privileges. They validated credentials, performed network reconnaissance, and deployed Cobalt Strike payloads across systems using Remote Procedure Call (RPC).

The attackers moved laterally by harvesting credentials with Mimikatz and executing commands remotely. The ransomware payload was staged on an internal server and distributed using built-in propagation techniques and Group Policy Objects (GPO), enabling near-simultaneous encryption across domain-connected machines.

The encryption process uses a hybrid cryptographic model combining X25519 (Diffie–Hellman) and XChaCha20, generating a unique ephemeral key pair for each file. Files smaller than 1 MB are fully encrypted, while larger files are partially encrypted in chunks ranging from approximately 1% to 9%.
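The chunked partial encryption described above leaves a recognisable forensic footprint: a file whose name says "document" but whose content alternates between ordinary low-entropy data and a few high-entropy regions. The triage script below is an added example, not part of the original article or of Check Point's tooling; it scans a buffer window by window, computes Shannon entropy per window, and classifies the file, with the sample "report" and the pseudo-random stand-in for ciphertext constructed inline. The window size and the two thresholds are assumptions a responder would tune per file type, since natively compressed formats (ZIP, JPEG, DOCX) are high-entropy throughout and need a different baseline.

```python
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096     # bytes per window; small enough to resolve 1%-9% encrypted slices
HIGH_ENTROPY = 7.2    # assumed threshold: ciphertext/compressed data sits near 8.0 bits/byte
LOW_ENTROPY = 6.0     # assumed threshold: text and most document bodies sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given window (0.0 for an empty window)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Label a buffer as plaintext, fully high-entropy, partially encrypted, or mixed."""
    ents = [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    if high == 0:
        verdict = "plaintext"
    elif high == len(ents):
        verdict = "fully-high-entropy"   # encrypted whole, or a natively compressed format
    elif low > 0:
        verdict = "partially-encrypted"  # a minority of ciphertext windows amid real content
    else:
        verdict = "mixed"
    return {"chunks": len(ents), "high": high, "low": low,
            "high_fraction": high / len(ents) if ents else 0.0, "verdict": verdict}


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext in the sample."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample: a 64 KiB "report" with one 4 KiB window overwritten, mimicking
# the small fraction of a large file that a chunked encryptor touches.
SENTENCE = b"The quarterly report summarises revenue, expenses and headcount per region.\n"
PLAIN_DOC = (SENTENCE * 1000)[:16 * CHUNK_SIZE]
PARTIAL_DOC = PLAIN_DOC[:2 * CHUNK_SIZE] + pseudo_random(CHUNK_SIZE) + PLAIN_DOC[3 * CHUNK_SIZE:]
```

Run `classify(open(path, "rb").read())` over files on a suspect share to surface candidates for closer review; a "partially-encrypted" verdict on a file type that should be uniformly low-entropy is the signal worth escalating.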

Before initiating encryption, the ransomware terminates database services, backup tools, and virtualization processes, while also deleting Shadow Copies and logs. The ESXi variant additionally shuts down virtual machines to ensure disk-level encryption.

Although Gentlemen ransomware has maintained a relatively low profile, Check Point warns that it is rapidly evolving. The group is actively recruiting affiliates through underground forums and expanding its capabilities. Researchers believe that the integration of SystemBC, combined with tools like Cobalt Strike and a sizable botnet, indicates that the operation is advancing into a more sophisticated threat actor, one that is "actively integrating into a broader toolchain of mature, post-exploitation frameworks and proxy infrastructure."

In addition to identifying indicators of compromise (IoCs), Check Point has released a YARA rule to assist organizations in detecting and mitigating similar threats.

SystemBC Infrastructure Breach Sheds Light on The Gentlemen Ransomware Network


Parallel to this, operators appear to employ public channels to reinforce coercion, selectively disclosing victim information in order to increase pressure and speed up payment, demonstrating a hybrid strategy combining technical sophistication with calculated psychological advantage. 

Check Point recently published an analysis that further contextualizes the scale of the operation: telemetry from a SystemBC command-and-control node shows 1,570 compromised systems. As a covert access facilitator, the malware is designed to establish SOCKS5-based tunneling within infected environments while communicating with its control infrastructure over RC4-encrypted channels.

Beyond persistent remote access, this also allows staged delivery of secondary payloads, deployed either to disk or directly in memory, which complicates traditional detection mechanisms. Since surfacing in July 2025, The Gentlemen have rapidly expanded their operational tempo, with hundreds of victims publicly listed on their leak infrastructure, underscoring the efficiency and effectiveness of both the affiliate model and the group's double-extortion strategy.

There is still no definitive indication of the initial intrusion vector, but observed attack patterns suggest the use of exposed services and credential compromise followed by a structured intrusion lifecycle that incorporates reconnaissance, propagation, and the deployment of tools, including frameworks such as Cobalt Strike and SystemBC. 

Of particular concern is the group's use of Group Policy Objects to propagate malicious components across domains, which indicates a degree of post-exploitation control that allows attackers to scale their impact quickly while remaining stealthy. The broader technical background of SystemBC, which traces to at least 2019 when it was designed as a covert SOCKS5 tunneling and proxying malware family, provides important context for its role within this campaign.

In the past several years, its evolution into a payload delivery mechanism has made it particularly appealing to ransomware operators, who have exploited its ability to discreetly deploy and execute secondary tools within compromised environments. It has been observed that, despite partial disruption attempts by law enforcement in 2024, SystemBC's infrastructure has proven highly resilient, and previous threat intelligence indicates sustained activity at scale, including the compromise of large numbers of commercial virtual private servers used to relay malicious traffic. 

The majority of victims associated with its deployment have so far been found in enterprise-intensive regions such as the United States, the United Kingdom, Germany, Australia, and Romania, which confirms the assessment that infections are largely the result of human-operated intrusions rather than indiscriminate mass exploitation. The attack workflows in the observed incidents reflect a high degree of operational control following compromise.

Researchers found that attackers operated from domain controllers with elevated administrative privileges to validate credentials, perform reconnaissance, and move laterally. To extend access across networked systems, often through remote procedure calls, they deployed a variety of tools associated with advanced intrusion sets, including credential harvesting utilities such as Mimikatz and adversary simulation frameworks such as Cobalt Strike.

After staging the ransomware payload internally and propagating it through native mechanisms such as Group Policy Objects, the attackers executed the malware almost simultaneously across domain-joined assets. In the encryption routine, unique ephemeral keys are generated per file through elliptic curve key exchange combined with high-speed symmetric encryption, and partial encryption strategies are applied to optimize execution time on larger datasets.

In addition to encrypting files, this malware systematically disables databases, backup services, and virtualisation processes, including forcefully shutting down virtual machines in ESXi environments as well as deleting shadow copies of data and system logs to hinder recovery and forensic investigation. There is still some uncertainty as to the precise role of SystemBC within The Gentlemen's broader operational stack, particularly the question of whether it is centrally managed or affiliate-driven. 

The convergence of proxy malware, post-exploitation frameworks, and a significant botnet footprint suggests a maturing and modular threat model. Researchers conclude that this integration signals a transition toward structured and scalable attack orchestration, supported by shared infrastructure and tools.

The defensive guidance also includes signature-based detection artifacts such as YARA rules and detailed indicators of compromise to help organizations identify and mitigate similar intrusion patterns before they escalate into a full-scale ransomware attack.
