Security researchers investigating a Gentlemen ransomware attack have uncovered a SystemBC proxy botnet of more than 1,570 compromised hosts believed to be corporate victims. The discovery reveals that Gentlemen ransomware affiliates are operating a substantial botnet infrastructure to power their ransomware campaigns.
Gentlemen Ransomware: Background
Gentlemen ransomware is a relatively recent ransomware-as-a-service (RaaS) operation that has attracted affiliates from other dismantled groups. Like most modern ransomware gangs, it operates on a double-extortion model — encrypting data and threatening to publish stolen files on a leak site if ransoms are not paid.
The latest discovery marks an evolution in the group's operational capabilities: rather than relying solely on traditional C2 infrastructure, the Gentlemen affiliate in this campaign has built a SystemBC-powered botnet that extends the reach of their operations and gives them resilient proxy infrastructure.
SystemBC: The Proxy Backbone
SystemBC is a commodity malware toolkit that functions primarily as a SOCKS5 proxy and backdoor. It has been widely used as a supporting tool in ransomware operations, providing:
| Function | Description |
|---|---|
| SOCKS5 proxy | Routes attacker traffic through compromised hosts to anonymize operations |
| Persistent backdoor | Maintains access to victim environments for continued exploitation |
| C2 communication | Encrypted communications between infected hosts and operator infrastructure |
| Payload delivery | Can be used to stage and execute additional malware on compromised systems |
| Lateral movement aid | Provides attackers with footholds across corporate networks |
SystemBC has been linked to ransomware groups including Ryuk, Egregor, BlackMatter, and others — its availability as a commodity tool makes it accessible to affiliates across multiple ransomware ecosystems.
The Botnet Discovery
Researchers discovered the botnet while investigating a Gentlemen ransomware attack carried out by a gang affiliate. During forensic analysis of the victim environment, they identified SystemBC implants that pointed back to a broader network of compromised infrastructure.
Key findings from the investigation:
- 1,570+ hosts in the botnet, predominantly believed to be corporate victims
- The botnet acts as a proxy layer between the attacker's actual C2 and target environments
- SystemBC implants are deployed across the botnet to maintain persistent access
- The affiliate uses the botnet to route ransomware operations traffic and obscure attack origins
The use of corporate victim hosts as botnet infrastructure is a particularly concerning technique — it means the attacker is running their campaign through the networks of other ransomware victims, making attribution and blocking more difficult.
Attack Flow
1. Affiliate compromises corporate networks via phishing, exposed RDP, or exploitation of public-facing services
2. SystemBC is deployed on compromised hosts as a persistent implant
3. Infected hosts join the botnet as SOCKS5 proxy nodes
4. Botnet infrastructure is used for:
- Routing further intrusion activity through victim networks
- Staging ransomware payloads for deployment
- Exfiltrating data before encryption
5. Gentlemen ransomware is deployed across target environments
6. Double extortion: data published unless ransom is paid
Detection and Response
Indicators to Hunt For
Security teams should hunt for SystemBC presence in their environments. The commands below are for a Windows command prompt; `netstat -b` needs an elevated prompt to resolve the owning executable.

```cmd
:: Check the Run keys SystemBC-style implants commonly use for persistence
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

:: List established connections together with the owning process (run elevated)
netstat -anob | findstr "ESTABLISHED"

:: Check for unexpected outbound connections on ports seen with SystemBC C2.
:: Ports vary by build, and 80/443 will also match legitimate traffic, so treat
:: hits as a starting point and pivot on the owning process, not the port.
:: findstr treats space-separated strings as alternatives (it has no "|" operator).
netstat -anob | findstr ":443 :80 :8080 :4444 :9050"
```

Network-Level Detection
Hunt for SystemBC C2 communication patterns:
- Persistent outbound connections to low-reputation IPs
- SOCKS5 proxy traffic originating from non-proxy hosts
- Encrypted beaconing with regular intervals
- Unusual DNS queries for DGA-like domains
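Two of those patterns can be checked mechanically against flow telemetry. The script below is an added example, not code from the article or from the researchers it cites: it runs over constructed flow records (modelled on Zeek conn.log fields plus the first payload bytes of each flow) and flags internal hosts that accept SOCKS5 client greetings without being a sanctioned proxy, and internal hosts that connect to one external endpoint at near-constant intervals. The internal ranges, the sanctioned-proxy list, and the beaconing thresholds are assumptions for the example.

```python
"""Hunt for SystemBC-style proxy and beaconing behaviour in flow records.

Detections demonstrated (added example, not from the original article):
  1. internal hosts that receive SOCKS5 client greetings but are not
     sanctioned proxies (a workstation acting as a SOCKS5 proxy node);
  2. internal hosts that open connections to one external endpoint at
     near-constant intervals (beaconing).
The records below are constructed for this example; they mimic Zeek
conn.log fields plus the first payload bytes of each flow.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space and sanctioned proxy hosts for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SANCTIONED_PROXIES = {"10.0.0.5"}

# Constructed sample: (ts, orig_ip, orig_port, resp_ip, resp_port, first_payload_hex)
SAMPLE_FLOWS = [
    # Inbound SOCKS5 greetings to a workstation that should not be a proxy
    (1000.0, "203.0.113.9", 51000, "10.0.0.22", 4001, "050100"),
    (1012.0, "203.0.113.9", 51004, "10.0.0.22", 4001, "05020002"),
    # Inbound SOCKS5 greeting to the sanctioned corporate proxy (allowed)
    (1020.0, "10.0.0.40", 40001, "10.0.0.5", 1080, "050100"),
    # Same workstation beaconing to an external host every 60 s (TLS ClientHello)
    (1000.0, "10.0.0.22", 49152, "198.51.100.7", 443, "160301"),
    (1060.0, "10.0.0.22", 49153, "198.51.100.7", 443, "160301"),
    (1120.0, "10.0.0.22", 49154, "198.51.100.7", 443, "160301"),
    (1180.0, "10.0.0.22", 49155, "198.51.100.7", 443, "160301"),
    (1240.0, "10.0.0.22", 49156, "198.51.100.7", 443, "160301"),
    (1300.0, "10.0.0.22", 49157, "198.51.100.7", 443, "160301"),
    # Ordinary browsing from another host: irregular gaps, not a beacon
    (1000.0, "10.0.0.31", 49200, "93.184.216.34", 443, "160301"),
    (1003.0, "10.0.0.31", 49201, "93.184.216.34", 443, "160301"),
    (1050.0, "10.0.0.31", 49202, "93.184.216.34", 443, "160301"),
    (1400.0, "10.0.0.31", 49203, "93.184.216.34", 443, "160301"),
    (1405.0, "10.0.0.31", 49204, "93.184.216.34", 443, "160301"),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_socks5_greeting(payload: bytes):
    """Return the offered auth methods if payload starts with a SOCKS5 client
    greeting (RFC 1928: VER=0x05, NMETHODS, METHODS...), otherwise None."""
    if len(payload) < 3 or payload[0] != 0x05:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return None
    return list(payload[2:2 + nmethods])


def find_unexpected_socks_servers(flows):
    """Internal responders that receive SOCKS5 greetings but are not sanctioned proxies."""
    hits = set()
    for _ts, _src, _sport, dst, _dport, first_hex in flows:
        if parse_socks5_greeting(bytes.fromhex(first_hex)) is None:
            continue
        if is_internal(dst) and dst not in SANCTIONED_PROXIES:
            hits.add(dst)
    return hits


def find_beacons(flows, min_conns=5, max_cv=0.1):
    """(src, dst, dport) tuples where an internal host connects outbound at
    near-constant intervals. max_cv bounds the coefficient of variation of
    the inter-connection gaps; 0.1 tolerates a little jitter."""
    by_pair = defaultdict(list)
    for ts, src, _sport, dst, dport, _hex in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst, dport)].append(ts)
    beacons = []
    for key, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append(key)
    return sorted(beacons)


if __name__ == "__main__":
    print("unsanctioned SOCKS5 responders:", find_unexpected_socks_servers(SAMPLE_FLOWS))
    print("beaconing pairs:", find_beacons(SAMPLE_FLOWS))
```

Feeding real conn.log records into `SAMPLE_FLOWS` (with the first payload bytes taken from a packet capture or a content-inspecting sensor) is enough to run the same two checks on live data; the SOCKS5 check is port-agnostic on purpose, because a proxy node is recognised by the greeting it answers, not by the port it listens on.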
Endpoint Investigation
If SystemBC is suspected, look for:
- Unusual processes establishing persistent network connections
- New or modified registry Run keys pointing to unfamiliar executables
- Files dropped in %APPDATA%, %TEMP%, or system directories with randomized names
- Scheduled tasks executing unsigned binaries
Mitigation Recommendations
- Patch and harden internet-facing services — especially RDP, VPN gateways, and web applications, which remain primary initial access vectors for ransomware affiliates
- Deploy endpoint detection with behavioral rules for SystemBC and proxy malware patterns
- Monitor outbound proxy traffic — legitimate corporate hosts should not be functioning as SOCKS5 proxies
- Enable network segmentation to limit lateral movement and contain botnet pivoting across environments
- Implement MFA across all remote access to prevent credential-based initial access
The Broader Ransomware Ecosystem
The integration of SystemBC into Gentlemen operations reflects a maturation of ransomware affiliate tactics. Rather than each attack being an isolated intrusion, sophisticated affiliates now maintain persistent botnet infrastructure that:
- Provides operational security by routing activity through compromised corporate hosts
- Creates multi-victim interconnection, where one victim's network becomes infrastructure for attacking others
- Gives the affiliate resilient, distributed infrastructure that survives individual takedowns
This operational model increases the complexity of incident response — a Gentlemen victim may discover that their environment was also used as a stepping stone in attacks against other organizations.
Source: BleepingComputer