The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
T1053.005
T1047
T1033
T1003
T1133
T1036.005
T1489
T1087.002
T1204.002
T1543.003
T1053.003
T1069.002
T1135
T1082
T1106
T1555
T1070.006
T1547.009
T1021.002
T1562.004
T1021.006
T1070.001
T1482
T1562.007
T1083
T1036.004
T1491.001
T1041
T1060
T1059.001
T1090.003
T1562.001
T1078
T1486
T1573.002
T1570
T1518.001
T1059.003
T1070.004
T1037.004
T1071.001
T1018
T1105
T1021.001
T1569.002
T1490
MALWARE FAMILIES
SystemBC
Cobalt Strike - S0154
The Gentlemen
Mimikatz
AnyDesk
PsExec
Indicators of Compromise (46)