SystemBC botnet linked to Gentlemen ransomware attacks

A large SystemBC proxy malware botnet, comprising over 1,570 hosts believed to be corporate victims, has been uncovered following an investigation into a Gentlemen ransomware attack, according to a recent report by Bleeping Computer.

The Gentlemen ransomware-as-a-service (RaaS) operation, active since mid-2025, offers encryptors for Windows, Linux and ESXi hypervisors. Researchers at Check Point found that Gentlemen affiliates are expanding their toolkit by deploying the SystemBC proxy malware for covert payload delivery. SystemBC, known for its SOCKS5 tunneling capabilities, has been adopted by ransomware gangs to hide malicious traffic and stage payloads. Despite previous law enforcement actions against it, the botnet remains active and is primarily infecting corporate and organizational environments, with victims concentrated in the United States, United Kingdom, Germany, Australia and Romania.

The observed infection chain runs in three stages: the attackers first obtain Domain Admin privileges, then use Cobalt Strike for lateral movement, and finally push the ransomware across the network via Group Policy. The integration of SystemBC and Cobalt Strike into the Gentlemen operation points to a move toward more mature post-exploitation frameworks and dedicated proxy infrastructure.

Source: Bleeping Computer
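The report's detection-relevant detail is that SystemBC hides attacker traffic behind a SOCKS5 proxy. The following is an added example, not code from the Check Point or Bleeping Computer report and not a SystemBC signature: it parses the generic SOCKS5 client handshake defined in RFC 1928 (method greeting followed by a CONNECT/BIND request) out of the first client-to-server bytes of a TCP flow, so a defender can flag internal hosts that speak SOCKS5 to peers that are not a sanctioned proxy. The flows, addresses and ports are constructed for the demonstration.

```python
"""Spot SOCKS5 proxy negotiations in captured TCP payloads (RFC 1928).

Added example; not code from the Check Point or Bleeping Computer report.
SystemBC is one of several tools that expose a SOCKS5 proxy, so this
check is generic to the protocol rather than a SystemBC signature.
All sample flows below are constructed for the demonstration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass(frozen=True)
class SocksRequest:
    cmd: str
    host: str
    port: int
    no_auth_offered: bool  # client offered method 0x00 (no authentication)


def parse_socks5_client(stream: bytes) -> Optional[SocksRequest]:
    """Parse client->server bytes: method greeting followed by a request.

    Returns the requested target, or None if the bytes are not well-formed
    SOCKS5 (so HTTP, TLS and arbitrary binary do not match).
    """
    # Greeting: VER, NMETHODS, METHODS[NMETHODS]
    if len(stream) < 2 or stream[0] != SOCKS_VER:
        return None
    nmethods = stream[1]
    if nmethods == 0:
        return None
    methods = stream[2:2 + nmethods]
    pos = 2 + nmethods
    # Request header: VER, CMD, RSV (must be 0x00), ATYP
    if len(stream) < pos + 4:
        return None
    ver, cmd, rsv, atyp = stream[pos:pos + 4]
    if ver != SOCKS_VER or rsv != 0x00 or cmd not in CMD_NAMES:
        return None
    pos += 4
    # DST.ADDR length depends on ATYP; domain names carry a length prefix
    if atyp == ATYP_IPV4:
        addr_len = 4
    elif atyp == ATYP_IPV6:
        addr_len = 16
    elif atyp == ATYP_DOMAIN:
        if len(stream) < pos + 1 or stream[pos] == 0:
            return None
        addr_len = stream[pos]
        pos += 1
    else:
        return None
    if len(stream) < pos + addr_len + 2:  # address plus 2-byte DST.PORT
        return None
    raw_addr = stream[pos:pos + addr_len]
    pos += addr_len
    if atyp == ATYP_DOMAIN:
        try:
            host = raw_addr.decode("ascii")
        except UnicodeDecodeError:
            return None
    elif atyp == ATYP_IPV4:
        host = str(ipaddress.IPv4Address(raw_addr))
    else:
        host = str(ipaddress.IPv6Address(raw_addr))
    (port,) = struct.unpack("!H", stream[pos:pos + 2])
    return SocksRequest(CMD_NAMES[cmd], host, port, 0x00 in methods)


def build_socks5_request(methods: bytes, cmd: int, atyp: int,
                         addr: bytes, port: int) -> bytes:
    """Client side of the exchange: greeting + request, used to build samples."""
    return (bytes([SOCKS_VER, len(methods)]) + methods
            + bytes([SOCKS_VER, cmd, 0x00, atyp]) + addr + struct.pack("!H", port))


# Constructed flows: (src, dst, dst_port, first client->server payload)
SAMPLE_FLOWS: List[Tuple[str, str, int, bytes]] = [
    ("10.20.1.15", "10.20.9.7", 4001,          # workstation -> internal peer on odd port
     build_socks5_request(b"\x00", 0x01, ATYP_IPV4, bytes([10, 20, 0, 5]), 445)),
    ("10.20.1.15", "10.20.0.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.20.1.22", "203.0.113.8", 443,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS ClientHello prefix
    ("10.20.1.22", "198.51.100.30", 8443,       # server -> external host, domain target
     build_socks5_request(b"\x00\x02", 0x01, ATYP_DOMAIN, b"\x0fdc01.corp.local", 3389)),
    ("10.20.1.40", "10.20.9.7", 4001, b"\x05\x00"),  # starts with 0x05 but no methods
]


def find_socks_tunnels(flows=SAMPLE_FLOWS):
    """Return (src, dst, dst_port, request) for every flow opening with SOCKS5.

    Any host in a corporate network that accepts SOCKS5 and is not a
    sanctioned proxy deserves a look; a peer on a non-standard port that
    is offered "no authentication" even more so.
    """
    hits = []
    for src, dst, dport, payload in flows:
        req = parse_socks5_client(payload)
        if req is not None:
            hits.append((src, dst, dport, req))
    return hits


if __name__ == "__main__":
    for src, dst, dport, req in find_socks_tunnels():
        print(f"{src} -> {dst}:{dport}  SOCKS5 {req.cmd} {req.host}:{req.port}"
              f"  no_auth_offered={req.no_auth_offered}")
```

Run over the constructed flows, the two SOCKS5 negotiations are reported with their tunneled targets (SMB on an internal host, RDP on a domain controller) while the HTTP, TLS and malformed flows are ignored. In practice the payload would come from a packet capture or a network sensor's first-bytes field; the parser deliberately rejects anything that is not a strict RFC 1928 handshake, so it does not fire on ordinary traffic that happens to begin with 0x05.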
