# The Gentlemen Ransomware Gang Weaponizes SystemBC Botnet of 1,570 Corporate Hosts


A newly uncovered SystemBC proxy malware botnet comprising more than 1,570 compromised hosts — believed to be largely corporate victims — has been linked to The Gentlemen ransomware operation, revealing how the relatively young extortion crew has industrialized its pre-ransomware intrusion pipeline. The discovery, made during forensic work on a Gentlemen affiliate attack, underscores a growing trend in which ransomware gangs no longer rely solely on initial access brokers but instead cultivate persistent, bot-powered infrastructure that serves as both a staging ground and a living anonymization network for follow-on intrusions.


## Background and Context


The Gentlemen ransomware gang surfaced in the second half of 2024 and has steadily expanded its victimology across manufacturing, healthcare, construction, and professional services sectors. Like many modern extortion operations, The Gentlemen runs a Ransomware-as-a-Service (RaaS) model in which affiliates handle initial access and lateral movement while the core crew provides the locker, leak site, and negotiation infrastructure. Affiliates retain the bulk of any ransom paid, which incentivizes them to develop their own reusable tooling and tradecraft.


Researchers investigating a recent Gentlemen affiliate intrusion traced post-exploitation activity back to SystemBC, a long-running proxy malware family first identified in 2019. What began as a routine incident response case quickly expanded into the discovery of a sprawling botnet of more than 1,570 active hosts, many of which appear to be servers and workstations inside enterprise networks. The sheer scale — and the fact that so many of the infected endpoints belong to legitimate corporate environments — suggests SystemBC is being operated not as a throwaway tool but as a strategic asset that affiliates can tap on demand.


This is significant because SystemBC is no longer just a loader or a one-shot proxy. In this campaign it is being used as a persistent SOCKS5 relay network that ransomware operators route their command-and-control traffic through, effectively laundering malicious activity through trusted corporate IP space and frustrating geolocation-based detection.


## Technical Details


SystemBC is a compact C-based implant that establishes a SOCKS5 proxy on the infected host and tunnels traffic to attacker-controlled infrastructure. In the Gentlemen campaign, analysts observed the following operational characteristics:


  • Persistent proxy beaconing. Implants maintain long-lived TCP connections to tier-one command-and-control servers, with fallback routines that rotate through hardcoded IP addresses when primary infrastructure is sinkholed or taken offline.
  • Encrypted C2 channel. Communication between the implant and its controller is obfuscated with a custom XOR-plus-RC4 routine, wrapped in a protocol that superficially resembles legitimate TLS handshakes. Analysts have noted minor protocol drift across samples, indicating active development.
  • Payload staging. Beyond proxying, SystemBC can pull down and execute additional payloads — including Cobalt Strike beacons, credential harvesters, and, in this case, The Gentlemen locker binary.
  • Living-off-the-land integration. Affiliates paired SystemBC with legitimate administrative tools such as PsExec, AnyDesk, and PowerShell remoting, deliberately blending ransomware precursor activity with normal IT operations traffic.
  • Multi-tier infrastructure. Investigators mapped at least three tiers of controller infrastructure: victim-resident SOCKS nodes, mid-tier aggregation servers hosted on bulletproof providers, and operator workstations that connected only through the victim-tier proxies.

The 1,570-host figure is derived from passive telemetry collected against the mid-tier controllers, and researchers caution that the true footprint is almost certainly larger. Many victims had SystemBC dwelling on their networks for weeks or months before any ransomware detonation, which means the botnet also functions as a reconnaissance and access-brokering layer.


## Real-World Impact


For the organizations unknowingly hosting SystemBC nodes, the consequences extend well beyond being a stepping stone in someone else's attack. A compromised host running SystemBC:


  • Provides attackers with interactive, trusted network access that bypasses many perimeter controls.
  • Routes malicious traffic — including intrusions against third parties — through the victim's public IP, creating potential legal and reputational exposure.
  • Typically signals that credential material, domain context, and sensitive data have already been enumerated.
  • Dramatically shortens the runway to a full ransomware event, since the affiliate already has resident access.

Downstream victims targeted through the botnet face the usual ransomware calculus: encrypted production systems, data exfiltration and double-extortion leaks, operational downtime measured in days, and remediation costs that routinely eclipse the ransom itself. In regulated industries, the presence of a proxy implant on systems processing personal or health data may also trigger breach notification obligations even if no ransomware is ultimately deployed.


## Threat Actor Context


The Gentlemen have cultivated a reputation for disciplined, business-like operations: clear victim communications, functional decryptors when paid, and a relatively professional leak site. That polish tends to correlate with higher affiliate recruitment, and the SystemBC findings are consistent with a maturing operation that is investing in durable infrastructure rather than single-use tooling.


SystemBC itself has historically been shared across numerous ransomware ecosystems, including Ryuk, Egregor, Conti, BlackBasta, and Play. Its reappearance under Gentlemen affiliates does not imply direct lineage with those groups, but it does reinforce that mid-tier commodity malware continues to anchor the pre-ransomware kill chain across the ecosystem. Attribution at the affiliate level remains difficult; the Gentlemen operator core appears to be Russian-speaking, with an operational tempo that avoids CIS-region targets — a well-established heuristic for that origin.


## Defensive Recommendations


Defenders should treat this campaign as a prompt to re-examine controls that specifically catch proxy malware and long-dwell precursors rather than only the ransomware detonation itself:


  • Hunt for persistent outbound SOCKS-like beacons, especially long-lived TCP sessions to unusual IP ranges on non-standard ports. Netflow and Zeek logs are invaluable here.
  • Baseline egress traffic by host role; servers that have no business initiating external connections should be flagged on first anomaly.
  • Disable or tightly restrict SMB and RDP lateral movement paths, and require phishing-resistant MFA for all remote administration.
  • Monitor for the living-off-the-land stack — PsExec, AnyDesk, remote PowerShell, and scheduled tasks created under service accounts — particularly in unusual parent-child process relationships.
  • Deploy EDR with memory-resident detections capable of catching SystemBC's reflective loading patterns, and ensure tamper protection is enforced.
  • Segment backup infrastructure on isolated credentials and network paths, and test offline restore quarterly.
  • Integrate threat intelligence feeds covering SystemBC indicators and rotate hunts as infrastructure shifts.

Organizations should also assume that any SystemBC detection is an incident, not a malware finding, and invoke full IR procedures including credential rotation, session invalidation, and privileged account review.
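The first two recommendations above (hunting long-lived SOCKS-like beacons in Zeek data, and baselining egress by host role) can be turned into a small, repeatable hunt. The following is an added example written for this article, not code from the article, from any vendor, or from the researchers it cites. The Zeek conn.log sample, the host-role table, the port allowlist and the one-hour duration threshold are all constructed assumptions; the 203.0.113.0/24 destinations are documentation addresses standing in for unfamiliar external IPs. It also flags one host reaching several external IPs on the same non-standard port, which is the pattern the fallback rotation described in Technical Details would leave behind in flow data.

```python
"""
Hunt for long-lived, SOCKS-like outbound beacons in Zeek conn.log data.
Added example for this article; not code from the article or any vendor.
Everything below the imports (sample log, host roles, ports, threshold)
is a constructed assumption for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Internal address space: RFC 1918 plus loopback. Anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Destination ports a typical egress policy permits (assumption for the example).
EXPECTED_EGRESS_PORTS = {80, 443, 53, 22, 25, 587, 993, 995}
# An hour-long TCP session is unusual for browsers or mail clients (assumed threshold).
LONG_SESSION_SECONDS = 3600.0

# Host-role baseline (constructed): servers are not expected to initiate external
# connections at all; workstations are, but only to expected ports.
HOST_ROLES = {"10.0.1.20": "file-server", "10.0.2.15": "workstation",
              "10.0.3.50": "workstation"}

# Constructed Zeek conn.log (TSV). Destinations use the 203.0.113.0/24 documentation range.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1718000000.0\tCa1\t10.0.1.20\t51234\t203.0.113.45\t4001\ttcp\t-\t86400.0\t120000\t950000\tS1
1718000010.0\tCa2\t10.0.1.20\t51235\t203.0.113.45\t4001\ttcp\t-\t7200.0\t8000\t60000\tS1
1718000020.0\tCa3\t10.0.1.20\t51236\t203.0.113.46\t4001\ttcp\t-\t5.0\t200\t0\tS0
1718000100.0\tCb1\t10.0.2.15\t40000\t203.0.113.10\t443\ttcp\tssl\t12.0\t4000\t30000\tSF
1718000200.0\tCc1\t10.0.3.50\t40100\t203.0.113.99\t8443\ttcp\t-\t43200.0\t50000\t400000\tS1
1718000300.0\tCd1\t10.0.2.15\t40001\t10.0.1.5\t445\ttcp\t-\t3.0\t1000\t2000\tSF
#close\t2024-06-10-00-00-00
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    dest: str
    detail: str


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log using its #fields header; '-' means unset."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other Zeek metadata lines (#separator, #close, ...)
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                continue  # malformed or header-less line: skip rather than guess
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(conn_log_text, host_roles):
    """Apply the three hunt rules to outbound TCP flows and return the findings."""
    findings = []
    rotation = defaultdict(set)  # (orig_h, resp_p) -> external resp_h addresses seen
    for r in parse_conn_log(conn_log_text):
        if r["proto"] != "tcp" or not is_external(r["id.resp_h"]):
            continue
        host, dest_ip, dest_port = r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])
        dest = f"{dest_ip}:{dest_port}"
        duration = float(r["duration"]) if r["duration"] else 0.0
        role = host_roles.get(host, "unknown")
        # Rule 1: a server-role host should not be talking outbound at all.
        if role.endswith("server"):
            findings.append(Finding("server-egress", host, dest,
                                    f"{role} initiated external connection ({r['uid']})"))
        if dest_port not in EXPECTED_EGRESS_PORTS:
            rotation[(host, dest_port)].add(dest_ip)
            # Rule 2: long-lived session to a non-standard port (proxy/beacon shape).
            if duration >= LONG_SESSION_SECONDS:
                findings.append(Finding("long-lived-beacon", host, dest,
                                        f"{duration:.0f}s session on port {dest_port} ({r['uid']})"))
    # Rule 3: one host, several external IPs, same odd port: fallback-address rotation.
    for (host, port), ips in rotation.items():
        if len(ips) >= 2:
            findings.append(Finding("fallback-rotation", host, f"*:{port}",
                                    f"{len(ips)} external hosts on port {port}: {sorted(ips)}"))
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_CONN_LOG, HOST_ROLES):
        print(f"[{f.rule}] {f.host} -> {f.dest}: {f.detail}")
```

On the constructed sample, the file server 10.0.1.20 trips all three rules, the workstation 10.0.3.50 trips only the long-session rule on port 8443, and the workstation talking to port 443 and an internal SMB share produces nothing. Against real data the role table should come from the CMDB or asset inventory rather than a hand-written dict, and the port allowlist should mirror the actual egress policy so that the first anomaly from a server is a finding, not noise.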


## Industry Response


The security community has responded with renewed collaborative takedown interest, with researchers sharing indicators across ISACs and national CERTs. Several EDR vendors have pushed updated detection content specifically tuned to the SystemBC variants observed in Gentlemen intrusions. Law enforcement agencies continue to treat proxy botnets as priority disruption targets because of their cross-cutting role in enabling ransomware, credential theft, and fraud. Expect additional public advisories, and potentially coordinated infrastructure seizures, as investigators map more of the mid-tier controller network.

