Inside The Gentlemen's Operation: How a Single SystemBC C2 Server Exposed 1,570+ Ransomware Victims

A compromised SystemBC C2 server linked to The Gentlemen RaaS operation has revealed a botnet of over 1,570 victims, exposing the full proxy-tunnel playbook behind modern ransomware delivery.

2026-04-22 · Source: The Hacker News

This analysis is based on research published by The Hacker News. CypherByte adds analysis, context, and security team recommendations.

Original research credit: Check Point Research. Source reporting via The Hacker News. CypherByte analysis and commentary is independent.

Executive Summary

A single exposed command-and-control server tied to The Gentlemen ransomware-as-a-service (RaaS) operation has yielded one of the more revealing windows into active ransomware infrastructure seen in recent months. Research published by Check Point has identified a live botnet comprising more than 1,570 confirmed victims, all connected through the well-documented proxy malware SystemBC. The server's exposure did not require a novel exploit or zero-day — it is a story about operational security failures on the threat actor's side, and what defenders can learn when criminals make mistakes. Security teams responsible for enterprise endpoints, managed service providers, and organizations in ransomware-targeted verticals — manufacturing, healthcare, legal, and financial services in particular — should treat this research as a live threat brief, not a retrospective.

The significance of this finding extends well beyond the victim count. The Gentlemen operation represents a maturing RaaS ecosystem where affiliates are handed ready-built tooling — including SystemBC as a persistent, stealthy proxy layer — that dramatically lowers the technical bar for conducting sophisticated intrusions. When the infrastructure of such an operation is exposed, it offers defenders a rare, high-fidelity intelligence opportunity: observable botnet size, infection geography, victim profiling, and the specific network behaviors that distinguish SystemBC traffic from legitimate activity. Security teams that move on this intelligence quickly gain a measurable defensive advantage.

Technical Analysis

SystemBC is not new malware. It has circulated in the cybercriminal ecosystem since at least 2019 and has been repeatedly observed as a supporting tool in major ransomware deployments, including those attributed to Ryuk, Conti, and BlackCat/ALPHV affiliates. Its core function is to establish a SOCKS5 network tunnel between a compromised host and attacker-controlled infrastructure, effectively anonymizing the threat actor's traffic and providing a persistent, low-profile communications channel that survives reboots and evades many perimeter-based detection controls.

Key Technical Finding: SystemBC's SOCKS5 tunneling capability allows ransomware operators to proxy their post-exploitation tooling — lateral movement, credential harvesting, payload staging — entirely through victim infrastructure, making outbound traffic appear to originate from trusted internal hosts rather than attacker-controlled servers.

In The Gentlemen's operation, SystemBC functions as the initial persistence and communications layer deployed after initial access is achieved — most likely through phishing lures, exposed RDP services, or commodity malware loaders sold through underground markets. Once installed, the implant beacons to the C2 server over encrypted SOCKS5 connections, registering the victim host into the botnet. From the operator's perspective, each registered bot represents a foothold ready for deeper exploitation: lateral movement using tools like Cobalt Strike or Brute Ratel, Active Directory enumeration, data exfiltration staging, and ultimately ransomware payload delivery.

The C2 server's exposure — likely the result of misconfigured access controls or a researcher-accessible administrative panel — revealed the full victim roster. This kind of operational security failure is increasingly common in RaaS operations where technical infrastructure management is delegated to affiliates of varying skill levels. The affiliate model that makes RaaS profitable also introduces inconsistency in how infrastructure is hardened and maintained. The Gentlemen's apparent failure to properly restrict access to their C2 administrative interface handed researchers a complete operational picture.

From a malware behavior standpoint, SystemBC samples associated with this campaign exhibit several consistent characteristics: they use encrypted, custom-protocol communications over non-standard high ports, employ process injection to masquerade within legitimate Windows processes, and maintain persistence through scheduled tasks or registry run keys. The malware is intentionally lightweight — its job is to stay quiet and hold the door open, not to perform the heavy lifting of the intrusion itself.

Impact Assessment

A botnet of 1,570+ confirmed victims is not an abstraction. Each host in that registry represents a business or organization where threat actors have already achieved persistent access and are, at minimum, capable of escalating to full ransomware deployment at a time of their choosing. The actual number of organizations at risk is likely higher — botnet counts from single C2 servers represent only the slice of infrastructure that was exposed, not the totality of an operation's reach.

Impact Scope: 1,570+ confirmed infected hosts across the visible C2 infrastructure. Affected organizations face imminent risk of lateral movement, data theft, and ransomware deployment. The RaaS affiliate model means multiple threat actors may hold access to the same victim pool simultaneously.

The affected systems skew heavily toward Windows enterprise environments, consistent with SystemBC's design and the typical targeting profile of RaaS operations seeking high-value ransom payments. Organizations running unpatched or internet-exposed Windows infrastructure — particularly those with legacy RDP configurations or weak email gateway filtering — represent the highest concentration of victims. The real-world consequences for any organization in this botnet that has not yet detected the infection are severe: ransomware deployment, multi-terabyte data exfiltration for double-extortion leverage, and the cascading operational, legal, and reputational damage that follows.

CypherByte's Perspective

The Gentlemen's operation is, in many respects, a textbook illustration of how modern ransomware economics work — and why they are so difficult to disrupt at scale. The RaaS model decentralizes execution while centralizing tooling and profit-sharing, creating a franchise structure where even low-skill affiliates can deploy enterprise-grade intrusion infrastructure. SystemBC is the connective tissue of this model: a reliable, battle-tested implant that provides the stable C2 channel on which everything else depends.

What this research underscores, from our perspective, is the compounding risk of proxy-based persistence. Organizations that focus detection resources exclusively on ransomware payload execution are already in the worst-case scenario by the time they get an alert. The more strategically valuable detection opportunity is at the SystemBC stage — when the implant is beaconing, when the SOCKS5 tunnel is being established, when scheduled tasks are being created by unusual parent processes. Detecting the pre-ransomware access layer is where defenders can still win the encounter. The victim count in this botnet also raises serious questions about detection efficacy across the affected organizations — 1,570 hosts with active C2 connectivity represent a significant collective failure of endpoint and network monitoring.

It is also worth noting the intelligence value of operational security failures by threat actors. The exposure of this C2 server is the kind of event that, when acted on quickly by the security community, can accelerate remediation across hundreds of organizations simultaneously. Threat intelligence sharing at speed is the appropriate response to findings like this one.

Indicators and Detection

Security teams should prioritize detection across the following behavioral and technical indicators associated with SystemBC and The Gentlemen's operational profile:

Network-Based Indicators:

  • Outbound SOCKS5 proxy connections to non-categorized or newly registered external IPs, particularly over high-numbered ports (4000–9999 range commonly observed in SystemBC deployments)

  • Periodic, low-volume encrypted beaconing with consistent jitter patterns from workstations or servers that do not typically initiate external connections

  • DNS queries for domains with high entropy names or recently registered infrastructure (under 30 days)

  • Unusual SOCKS proxy traffic originating from svchost.exe, explorer.exe, or other commonly abused host processes

Endpoint-Based Indicators:

  • Scheduled tasks or registry run keys created by atypical parent processes, particularly those referencing %APPDATA% or %TEMP% directories

  • Process injection events targeting long-running Windows processes

  • Unsigned or low-prevalence executables establishing network connections shortly after creation

  • Presence of SystemBC sample hashes — current IOC lists available via Check Point Research and open-source threat intelligence platforms including MalwareBazaar and VirusTotal

Detection Priority: Focus alerting on SOCKS5 tunnel establishment and C2 beaconing behavior rather than waiting for ransomware payload execution. Pre-encryption detection is the only detection that reliably prevents impact.
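As an added example, not code from Check Point Research or from the original reporting, the following Python hunts a constructed Zeek-style conn log for the two network indicators above: SOCKS traffic to an external host on the 4000–9999 port range, and periodic, low-volume beaconing with consistent inter-arrival timing. The column layout, thresholds, and IP addresses are assumptions chosen for the sample.

```python
"""Hunt Zeek-style conn records for SOCKS high-port tunnels and periodic beaconing."""
import statistics
from collections import defaultdict

# Constructed sample, tab-separated: ts, src, sport, dst, dport, service, orig_bytes
# Host 10.0.5.21 beacons every ~60s over SOCKS to port 4092; 10.0.5.30 is normal TLS.
SAMPLE_CONN_LOG = """\
1700000000.0\t10.0.5.21\t49812\t203.0.113.77\t4092\tsocks\t412
1700000060.3\t10.0.5.21\t49813\t203.0.113.77\t4092\tsocks\t388
1700000120.8\t10.0.5.21\t49814\t203.0.113.77\t4092\tsocks\t401
1700000180.7\t10.0.5.21\t49815\t203.0.113.77\t4092\tsocks\t395
1700000240.0\t10.0.5.21\t49816\t203.0.113.77\t4092\tsocks\t407
1700000010.0\t10.0.5.30\t51000\t198.51.100.10\t443\tssl\t51230
1700000900.0\t10.0.5.30\t51001\t198.51.100.10\t443\tssl\t2048
1700003600.0\t10.0.5.30\t51002\t198.51.100.10\t443\tssl\t88000
"""

SOCKS_PORT_RANGE = range(4000, 10000)  # high-port range cited for SystemBC (assumed bound)
MIN_BEACONS = 4                        # minimum connections before judging periodicity
MAX_JITTER_CV = 0.15                   # coefficient of variation of inter-arrival gaps
MAX_BEACON_BYTES = 2048                # "low-volume": per-connection bytes from the client

def parse_conn_log(text):
    """Parse the constructed tab-separated layout into dicts; skips Zeek '#' headers."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, service, obytes = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "dst": dst,
                     "dport": int(dport), "service": service, "bytes": int(obytes)})
    return rows

def socks_high_port_alerts(rows):
    """Indicator: SOCKS service to a destination port in the 4000-9999 range."""
    return sorted({(r["src"], r["dst"], r["dport"]) for r in rows
                   if r["service"] == "socks" and r["dport"] in SOCKS_PORT_RANGE})

def beacon_alerts(rows):
    """Indicator: repeated small flows whose inter-arrival gaps barely vary."""
    flows = defaultdict(list)
    for r in rows:
        flows[(r["src"], r["dst"], r["dport"])].append(r)
    alerts = []
    for key, conns in flows.items():
        if len(conns) < MIN_BEACONS:
            continue
        ts = sorted(c["ts"] for c in conns)
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # low cv = regular timing
        if cv <= MAX_JITTER_CV and max(c["bytes"] for c in conns) <= MAX_BEACON_BYTES:
            alerts.append((key, round(statistics.mean(gaps), 1), round(cv, 3)))
    return alerts
```

On real Zeek output, feed `parse_conn_log` the `ts`, `id.orig_h`, `id.orig_p`, `id.resp_h`, `id.resp_p`, `service`, and `orig_bytes` columns and tune the thresholds against a baseline of known-good hosts before alerting.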

Recommendations

Based on this research, CypherByte recommends the following prioritized actions for security teams:

1. Immediate Threat Hunt: Deploy a retrospective hunt across EDR telemetry and network flow data for SystemBC IOCs published by Check Point Research. Focus the hunt on the past 90 days. Prioritize internet-facing Windows hosts, RDP gateways, and endpoints that received email attachments during the same window.

2. Harden Internet-Exposed Attack Surface: Audit and restrict RDP exposure. Any RDP service reachable from the public internet without VPN pre-authentication is a high-probability initial access vector for this and similar campaigns. Implement Network Level Authentication (NLA) at minimum; eliminate public RDP exposure wherever operationally feasible.

3. Tune Network Detection for SOCKS5 Proxy Abuse: If your network monitoring stack does not currently alert on anomalous outbound SOCKS5 connections from internal hosts, this research is the prompt to implement that capability. Zeek, Suricata, and most commercial NDR platforms support SOCKS5 protocol detection and connection profiling.

4. Enrich Threat Intelligence Feeds: Ingest the IOC set associated with this campaign into your SIEM, EDR, and firewall blocklists. Treat IOC aging aggressively — C2 infrastructure in active RaaS operations rotates frequently, so IOCs older than 30 days should be weighted lower in priority while fresh indicators are actioned immediately.

5. Validate Backup Integrity and Segmentation: Given the confirmed active nature of this botnet, organizations should immediately validate that backup systems are both current and network-isolated from production environments. A reachable backup server is a target; an isolated one is a recovery capability. Run a tabletop exercise simulating ransomware deployment from an assumed-compromised endpoint to identify gaps before threat actors do.

6. Share Intelligence: If your organization identifies evidence of SystemBC infection tied to this campaign, report to relevant ISACs, CISA, or national cybersecurity agencies. The exposed C2 server represents a rare opportunity for coordinated victim notification — collective action accelerates remediation across all 1,570+ affected organizations.

CypherByte will continue to monitor developments related to The Gentlemen RaaS operation and update this analysis as new technical intelligence becomes available. Original research by Check Point Research; source reporting by The Hacker News.
