Gentlemen Ransomware Leverages SystemBC Botnet to Target Corporate Networks Globally
What Happened – The Gentlemen ransomware‑as‑a‑service (RaaS) group has integrated the SystemBC proxy botnet (≈1,570 compromised hosts) into its attack chain, using the infected hosts as SOCKS5 relays so that payload delivery and access to victim networks appear to come from the bots rather than from operator‑controlled servers. SystemBC, originally deployed as a SOCKS5 proxy tool, is now used to stage Gentlemen ransomware deployments against Windows, Linux, NAS, BSD and ESXi environments.
Why It Matters for TPRM –
- Ransomware affiliates are expanding their infrastructure, which increases the likelihood of multi‑vector attacks against third‑party vendors.
- A large, persistent proxy botnet gives affiliates stable, disposable network paths, raising the risk of lateral movement and data exfiltration across supply‑chain relationships.
- Organizations that host or lease virtual private servers (VPS) may unknowingly be running SystemBC‑infected hosts that serve as relay nodes, exposing partners to indirect compromise and to abuse traffic that traces back to them.
Who Is Affected – Energy utilities (e.g., Oltenia Energy Complex), large enterprises in the United States, United Kingdom, Germany, Australia and Romania, and any MSP/MSSP or cloud‑hosting provider whose customers or leased hosts may be compromised.
Recommended Actions –
- Review contracts with any vendors that operate or lease VPS resources; require evidence of controls for detecting and removing proxy malware on hosted systems.
- Validate that endpoint detection and response (EDR) and network monitoring can detect SystemBC activity and SOCKS5 proxy traffic; an infected host acting as a relay may show little on the endpoint beyond an unexpected listening service, so the network side matters.
- Conduct threat‑intel‑driven phishing and credential‑theft assessments to identify the initial‑access paths most likely to feed the botnet.
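To make the detection‑validation action concrete, the following is an added example (not code from the original advisory, from BleepingComputer, or from any SystemBC analysis) that flags SOCKS5 proxy handshakes in captured client‑to‑server TCP payloads and groups them by the host that is serving as the proxy. It parses only the SOCKS5 greeting, the optional RFC 1929 username/password sub‑negotiation, and the CONNECT/BIND/UDP request as defined in RFC 1928; it assumes nothing about SystemBC's own command‑and‑control protocol, and the flows, IP addresses and domain names it processes are constructed sample data.

```python
"""
Flag SOCKS5 proxy handshakes in captured TCP payloads and report which hosts
are acting as proxy servers and where the tunnelled connections go.

Added example for testing proxy/C2 detection coverage. It follows RFC 1928
(SOCKS5) and RFC 1929 (username/password sub-negotiation); it knows nothing
about SystemBC's own C2 protocol. All flows below are constructed sample data.
"""
from dataclasses import dataclass
import ipaddress
import struct
from typing import Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    dest_host: str
    dest_port: int


def parse_socks5_greeting(data: bytes) -> Optional[int]:
    """Return the length of a well-formed greeting (VER NMETHODS METHODS...) or None."""
    if len(data) < 3 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    # NMETHODS must be non-zero and every advertised method byte must be present.
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return 2 + nmethods


def parse_socks5_request(data: bytes) -> Optional[Socks5Request]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return None on any structural error."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        addr_len, off = 4, 4
        if len(data) < off + addr_len + 2:
            return None
        host = str(ipaddress.IPv4Address(data[off:off + addr_len]))
    elif atyp == ATYP_IPV6:
        addr_len, off = 16, 4
        if len(data) < off + addr_len + 2:
            return None
        host = str(ipaddress.IPv6Address(data[off:off + addr_len]))
    elif atyp == ATYP_DOMAIN:
        # Domain form: one length byte followed by the name, no terminator.
        if len(data) < 5:
            return None
        addr_len, off = data[4], 5
        if addr_len == 0 or len(data) < off + addr_len + 2:
            return None
        try:
            host = data[off:off + addr_len].decode("ascii")
        except UnicodeDecodeError:
            return None
    else:
        return None
    (port,) = struct.unpack("!H", data[off + addr_len:off + addr_len + 2])
    return Socks5Request(CMD_NAMES[cmd], host, port)


def detect_socks5_client(client_stream: bytes) -> Optional[Socks5Request]:
    """Return the tunnelled destination if the client bytes of one TCP stream are a SOCKS5 handshake."""
    glen = parse_socks5_greeting(client_stream)
    if glen is None:
        return None
    rest = client_stream[glen:]
    # RFC 1929 sub-negotiation (VER=0x01 ULEN UNAME PLEN PASSWD) may sit between
    # greeting and request; skip it without trusting the lengths blindly.
    if len(rest) >= 2 and rest[0] == 0x01:
        ulen = rest[1]
        if len(rest) < 3 + ulen:
            return None
        plen = rest[2 + ulen]
        rest = rest[3 + ulen + plen:]
    return parse_socks5_request(rest)


def find_proxy_servers(flows):
    """
    flows: iterable of (client_ip, server_ip, server_port, client_to_server_bytes).
    Returns {server_ip: [(client_ip, server_port, Socks5Request), ...]} for every
    server that accepted at least one well-formed SOCKS5 handshake.
    """
    hits = {}
    for client_ip, server_ip, server_port, payload in flows:
        req = detect_socks5_client(payload)
        if req is not None:
            hits.setdefault(server_ip, []).append((client_ip, server_port, req))
    return hits


# Constructed sample flows (not real captures). 10.0.0.5 is serving SOCKS5 on a
# non-standard port; the TLS ClientHello and the truncated 0x05 stream must not match.
CONSTRUCTED_FLOWS = [
    ("203.0.113.10", "10.0.0.5", 4001,
     b"\x05\x01\x00" + b"\x05\x01\x00\x01" + bytes([10, 0, 0, 25]) + b"\x01\xbb"),
    ("203.0.113.11", "10.0.0.5", 4001,
     b"\x05\x02\x00\x02" + b"\x01\x04user\x04pass"
     + b"\x05\x01\x00\x03\x0bexample.com\x00\x50"),
    ("10.0.0.7", "10.0.0.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00"),
    ("10.0.0.8", "10.0.0.9", 8080, b"\x05\x00"),
]

if __name__ == "__main__":
    for server, entries in find_proxy_servers(CONSTRUCTED_FLOWS).items():
        for client, port, req in entries:
            print(f"{server}:{port} proxied {req.command} from {client} to {req.dest_host}:{req.dest_port}")
```

Feed it the client-side bytes of TCP streams exported from a packet capture or an NDR sensor; any internal host that appears as a key in the result is accepting SOCKS5 connections and should be explained. Matching only on the leading 0x05 byte is not enough, which is why the parser validates the full greeting and request structure before reporting.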
Technical Notes – SystemBC provides SOCKS5 tunnelling; the roughly 1,570 infected hosts that make up the botnet act as relays through which the operators deliver payloads and reach victim networks, so connections seen by a victim originate from the bots rather than from attacker‑owned servers. The Gentlemen ransomware delivers a Go‑based locker for Windows/Linux/NAS/BSD and a C‑based locker for ESXi hypervisors. Initial‑access vectors have not been confirmed; the botnet's role in the chain is consistent with a mix of malware staging and credential theft, but that is an inference rather than an observed finding. Source: BleepingComputer