Gentlemen Ransomware RaaS Deploys SystemBC Proxy Malware, Exposes Over 1,570 Victims
What Happened — The Gentlemen ransomware‑as‑a‑service (RaaS) group has been observed deploying the SystemBC proxy malware to create SOCKS5 tunnels on compromised hosts. Analysis of the SystemBC command‑and‑control server uncovered a botnet of more than 1,570 victim machines.
Why It Matters for TPRM —
- Proxy malware lets attackers route lateral movement and exfiltration traffic through compromised hosts, masking its true origin and increasing the risk to third‑party data.
- The scale of infection suggests a broad attack surface that may include suppliers, MSPs, and downstream customers.
- Visibility into compromised endpoints is limited, making vendor risk assessments more challenging.
Who Is Affected — Enterprises across multiple sectors (finance, healthcare, manufacturing, SaaS) that may have been compromised by the Gentlemen ransomware operation or its proxy infrastructure.
Recommended Actions —
- Review any third‑party relationships with known exposure to the Gentlemen ransomware group.
- Verify that all vendors enforce strict network segmentation and monitor for unauthorized SOCKS5 traffic.
- Conduct endpoint detection and response (EDR) sweeps for SystemBC indicators of compromise (IOCs).
Technical Notes — SystemBC turns a compromised host into a SOCKS5 proxy, so attackers can relay their own traffic through the victim's network address. No specific CVE is cited; the threat relies on existing ransomware infection vectors (phishing, exploit kits). Data types potentially at risk include internal communications and exfiltrated files. Source: https://thehackernews.com/2026/04/systembc-c2-server-reveals-1570-victims.html
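The "monitor for unauthorized SOCKS5 traffic" action above and the proxy behaviour described in the technical notes can be checked with a simple handshake detector. The following is an added example, not code from the article or from any vendor: it inspects the first payload bytes of each TCP flow for the RFC 1928 SOCKS5 greeting and method-selection exchange and flags any handshake whose server side is not an approved proxy. The flow records and the approved-proxy address are constructed for illustration; nothing here is specific to SystemBC's own protocol.

```python
# Added example: flag SOCKS5 handshakes (RFC 1928) between hosts that are not approved proxies.
# Sample flows and the APPROVED_PROXIES allowlist are constructed/assumed, not taken from the article.
from dataclasses import dataclass

APPROVED_PROXIES = {"10.0.0.5"}  # assumption: the only host allowed to serve SOCKS5 in this network


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes  # first payload bytes sent client -> server
    server_bytes: bytes  # first payload bytes sent server -> client


def is_socks5_greeting(data: bytes) -> bool:
    """Client greeting: VER=0x05, NMETHODS (1..255), then at least NMETHODS method bytes."""
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) >= 2 + nmethods


def is_socks5_method_select(data: bytes) -> bool:
    """Server reply: VER=0x05 then the chosen method (0x00 no-auth, 0x01 GSSAPI, 0x02 user/pass, 0xFF reject)."""
    return len(data) >= 2 and data[0] == 0x05 and data[1] in (0x00, 0x01, 0x02, 0xFF)


def find_unauthorized_socks5(flows):
    """Return one alert string per flow that completed a SOCKS5 handshake with a non-approved server."""
    alerts = []
    for f in flows:
        if is_socks5_greeting(f.client_bytes) and is_socks5_method_select(f.server_bytes):
            if f.dst not in APPROVED_PROXIES:
                alerts.append(f"{f.src} -> {f.dst}:{f.dport} SOCKS5 handshake with non-approved proxy")
    return alerts


# Constructed sample flows: an approved proxy, an internal host unexpectedly serving SOCKS5, TLS and HTTP.
SAMPLE_FLOWS = [
    Flow("10.0.1.22", "10.0.0.5", 1080, b"\x05\x01\x00", b"\x05\x00"),
    Flow("10.0.1.40", "10.0.1.77", 4444, b"\x05\x02\x00\x02", b"\x05\x02"),
    Flow("10.0.1.40", "10.0.1.50", 443, b"\x16\x03\x01\x00\xc8", b"\x16\x03\x03\x00\x5a"),
    Flow("10.0.1.9", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
]

if __name__ == "__main__":
    for alert in find_unauthorized_socks5(SAMPLE_FLOWS):
        print(alert)  # prints only the 10.0.1.40 -> 10.0.1.77:4444 flow
```

In practice the first-bytes fields would come from a network sensor or packet capture rather than a constructed list.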