
Gentlemen Ransomware Gang Taps SystemBC for Botnet Attacks

How do you defend a business when the very infrastructure meant to carry your traffic has been turned into a fleet of malicious proxies? That question is no longer hypothetical: investigators uncovered a SystemBC proxy malware botnet of more than 1,570 hosts after probing a Gentlemen ransomware incident, and those hosts are believed to be corporate victims.

What investigators found

An investigation into a Gentlemen ransomware attack carried out by a gang affiliate revealed a large-scale SystemBC proxy malware botnet. The botnet comprises in excess of 1,570 hosts and is believed to consist of corporate victims whose systems have been co-opted to run proxy services for the malware.

Why the discovery matters

At a minimum, the finding changes the calculus for responders and defenders. A proxy botnet of this size can mask command-and-control traffic, relay malicious connections, and complicate attribution and containment efforts. That complexity raises the cost and difficulty of incident response and heightens the risk that initial intrusions will spread or blend into legitimate network activity.

Perspectives and implications

  • Technologists: Network defenders and security teams face a longer tail for clean-up when corporate machines serve as proxies. Tools that rely on endpoint isolation or straightforward traffic-blocking may be less effective if malware traffic is relayed through widely distributed corporate hosts.
  • Policymakers: The presence of large proxy botnets built from corporate systems underscores the need for policies and incentives that improve threat visibility, incident reporting, and cooperative mitigation across sectors—especially when criminal affiliates leverage third-party infrastructure.
  • Users and organizations: Companies whose systems are unknowingly enlisted into a botnet confront reputational, operational, and legal risks. Even absent direct extortion, being part of a proxy network can expose an organization to liability and downstream abuse.
  • Adversaries: For criminal operators, a sizable proxy layer offers operational advantages—greater obfuscation and resilience. For affiliates working with ransomware gangs, such resources can increase the scale and stealth of attacks.

What to watch next

The discovery ties a significant proxy-capable botnet to a specific ransomware incident, emphasizing how criminal ecosystems leverage compromised corporate infrastructure. The details reported (more than 1,570 hosts, use of SystemBC, and linkage to a Gentlemen ransomware affiliate) are concrete reasons for defenders to treat similar traffic patterns and post-compromise proxy activity as high-priority signals. As organizations and authorities respond, the central question remains: will detection and coordination outpace the adversary's ability to repurpose legitimate systems into weapons?

Read the original report: https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/