The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy
Published 20/04/2026 15:00 · Modified 20/04/2026 16:54
Essential information
- Tags: 2026-04-20, anydesk, cobalt strike, domain compromise, esxi-encryption, group-policy-deployment, lateral movement, mimikatz, psexec, ransomware-as-a-service, systembc, the gentlemen
- Related entities: 27 observables, 1 intrusion set (APT), 46 techniques (MITRE), 6 malware, 4 others
Description
The Gentlemen ransomware-as-a-service program has rapidly expanded since mid-2025, claiming over 320 victims with 240 attacks occurring in early 2026. The service provides multi-platform lockers for Windows, Linux, NAS, BSD, and ESXi, enabling comprehensive coverage of corporate environments. During an incident response engagement, an affiliate deployed SystemBC proxy malware for covert tunneling and payload delivery. Analysis of the SystemBC command-and-control server revealed a botnet of over 1,570 victims, primarily corporate and organizational targets. The intrusion progressed from domain controller compromise through credential validation, remote execution via administrative shares, and deployment of Cobalt Strike payloads. Attackers disabled defenses, established persistence through scheduled tasks and services, and ultimately deployed ransomware via Group Policy. The operation demonstrates sophisticated lateral movement capabilities, defense evasion techniques, and integration of mature post-exploit...
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (27)
http://tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion/994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e65dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892dbc46b5a18ab3fb5fd1c5c8288a41c75bf0170c10b5e829af89370a12c86dd10f8c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b1987d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c025fc0976c548fb5a880c83ea3eb21a5f23c5d53c4e51e862bb893c11adf712a9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e6822b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd22ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f992c951f4af57ca7cd8396f5ed69c2199fd6fd4ae5e93726da3e198e78bec0a562c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb848d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fdcc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78ef736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 16:02 · Modified 27/05/2026 15:52
Techniques (MITRE) (46)
- OS Credential Dumping
- Windows Management Instrumentation
- RC Scripts
- Domain Account
- SMB/Windows Admin Shares
- Match Legitimate Resource Name or Location
- Valid Accounts
- File Deletion
- Security Software Discovery
- Multi-hop Proxy
- Service Stop
- Lateral Tool Transfer
- Web Protocols
- Inhibit System Recovery
- Windows Remote Management
- Credentials from Password Stores
- Shortcut Modification
- PowerShell
- Asymmetric Cryptography
- Malicious File
- Scheduled Task
- Internal Defacement
- Disable or Modify Cloud Firewall
- Data Encrypted for Impact
- Windows Command Shell
- Native API
- Remote System Discovery
- Ingress Tool Transfer
- External Remote Services
- Domain Groups
- System Owner/User Discovery
- Masquerade Task or Service
- Cron
- Disable or Modify Tools
- Windows Service
- Clear Windows Event Logs
- Remote Desktop Protocol
- Disable or Modify System Firewall
- Service Execution
- File and Directory Discovery
- Timestomp
- System Information Discovery
- Domain Trust Discovery
- Network Share Discovery
- Exfiltration Over C2 Channel
Malware (6)
- Family · Published 12/06/2026 21:29 · Modified 12/06/2026 21:29
- Family · Published 20/04/2026 15:00 · Modified 20/04/2026 15:00
- Family · Published 28/05/2026 19:56 · Modified 28/05/2026 19:56
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 20/12/2025 19:39 · Modified 27/05/2026 21:40
- Family · Published 10/06/2026 11:58 · Modified 10/06/2026 11:58
- Family · Published 11/05/2026 16:15 · Modified 11/05/2026 16:15
Others (4)
- United Kingdom of Great Britain and Northern Ireland
- Germany
- United States of America
- tezwsse5czllksjb7cwp65rvnk4oobmzti2znn42i43bjdfd2prqqkad.onion