Unmasking The Gentlemen RaaS: A Technical Guide to Understanding and Defending Against SystemBC Proxy Attacks

Overview

The cybersecurity landscape in early 2026 has witnessed the rapid rise of The Gentlemen ransomware-as-a-service (RaaS) operation, which has already claimed over 320 victims—240 of them in the first months of this year. This group provides a versatile locker portfolio written in Go for Windows, Linux, NAS, and BSD, plus a C-based ESXi locker, enabling affiliates to target the heterogeneous environments common in modern enterprises. During incident response engagements, Check Point Research observed affiliates deploying SystemBC, a proxy malware used for covert tunneling and payload delivery. Analysis of the associated command-and-control (C2) server revealed a botnet of over 1,570 victims, predominantly corporate networks rather than individual consumers. This tutorial provides a step-by-step guide for security analysts to understand, detect, and respond to attacks leveraging The Gentlemen RaaS and SystemBC.

Unmasking The Gentlemen RaaS: A Technical Guide to Understanding and Defending Against SystemBC Proxy Attacks — Source: research.checkpoint.com

Prerequisites

Before diving into the analysis, ensure you have the following:

Basic knowledge of ransomware operations and common TTPs (Tactics, Techniques, and Procedures).
Familiarity with network analysis tools such as Wireshark, Zeek, or tcpdump.
Access to endpoint detection and response (EDR) logs or sandbox environments for malware analysis.
Understanding of SOCKS5 proxies and tunneling concepts.
Optional: A virtual lab with Windows, Linux, and ESXi machines to simulate multi-platform infections.

Step-by-Step Analysis and Mitigation

Step 1: Identify The Gentlemen RaaS Characteristics

The Gentlemen emerged around mid-2025 and aggressively markets its RaaS platform on underground forums and social media (e.g., Twitter/X). Key identifiers include:

Multi-platform lockers: Go-based executables for Windows, Linux, NAS, and BSD; a C-based locker for ESXi.
EDR-killing tools provided to verified affiliates.
Multi-chain pivot infrastructure (proprietary server and client components).
Leak site on an onion domain, but negotiations occur via individual affiliate Tox IDs, not the portal.
Ransom note references a Twitter/X account that publicly shames victims.

Action: Monitor underground forums and social media for posts advertising The Gentlemen. Collect samples from open-source threat intel feeds (e.g., VirusTotal, Any.Run). Hash the lockers and add them to detection rules.

Step 2: Recognize SystemBC Proxy Malware

SystemBC is a proxy malware that establishes SOCKS5 tunnels within a victim’s network. It is frequently used in human-operated ransomware operations to:

Create covert channels for C2 communication.
Enable lateral movement by routing traffic through compromised hosts.
Deliver additional payloads (e.g., ransomware binaries).

Indicators of compromise (IoCs):

Outbound connections to unusual IPs/ports, especially on non-standard SOCKS5 ports (e.g., 1080, 8080).
Processes named after common system utilities but located in temporary directories.
Registry or file modifications creating persistence (e.g., scheduled tasks, services).

Action: Deploy network monitoring rules to flag SOCKS5 handshake patterns. Use YARA rules for SystemBC payload hashes (available from Check Point Research reports).

Step 3: Analyze the Infection Chain

During an incident response engagement, the affiliate used SystemBC to maintain access and later deploy The Gentlemen ransomware. The typical chain:

Initial access via phishing, exploited public-facing applications, or purchased credentials.
Persistence and reconnaissance using Cobalt Strike or similar frameworks.
SystemBC deployment to establish a SOCKS5 proxy for hidden C2.
Lateral movement using RDP or SMB, facilitated by the proxy.
Ransomware execution on multiple platforms using The Gentlemen lockers.

Action: Review EDR logs for process creation chains—look for command-line arguments that download SystemBC (e.g., powershell -enc ...). Use timeline analysis to correlate network connections and file writes.

Step 4: Detect C2 Activity via Telemetry

Check Point Research observed victim telemetry from SystemBC’s C2 server, revealing over 1,570 victims. Detection strategies include:

Network traffic analysis: Identify periodic beaconing to IPs that do not resolve to known CDNs or cloud providers. SystemBC often uses custom encryption and non-standard ports.
DNS anomalies: Look for DGA-like domain queries or excessive NXDOMAIN responses.
Endpoint indicators: SystemBC may inject into legitimate processes (e.g., svchost.exe) to blend in.

Action: Set up Zeek scripts to detect SOCKS5 initiation (e.g., the 0x05 byte sequence). Use suricata rules to alert on known SystemBC C2 IP ranges (from threat intel).

Step 5: Implement Mitigation and Response

To defend against The Gentlemen and SystemBC attacks, consider these steps:

Network segmentation to limit lateral movement through proxies.
Restrict outbound traffic using allowlists; block SOCKS5 on perimeter firewalls unless explicitly needed.
Endpoint hardening: Disable unused services, apply least privilege, and enable AppLocker or WDAC.
Logging and monitoring: Centralize logs from Windows Event Logs (4688, 5156), Linux syslog, and network flows.
Incident response playbook: Prepare procedures for isolating compromised hosts, revoking certificates, and notifying law enforcement.

Action: Test detection rules in a production-like lab. Coordinate with threat intel feeds to update IoCs regularly.

Common Mistakes

Ignoring non-Windows platforms: The Gentlemen targets Linux, NAS, BSD, and ESXi—securing only Windows leaves critical infrastructure vulnerable.
Assuming SystemBC is only a proxy: It can also deliver other payloads; treat any SOCKS5-related alert as a potential precursor to ransomware.
Relying solely on signature-based detection: SystemBC often evades static detection—use behavioral analysis and network heuristics.
Neglecting Tox ID monitoring: Affiliates use Tox for negotiations; tracking Tox IDs on underground forums can provide early warning.
Underestimating the scale: A single C2 server hosted over 1,570 victims—lack of visibility into proxy networks may hide widespread compromise.

Summary

This guide has covered the key aspects of The Gentlemen RaaS and SystemBC proxy malware, from identifying the threat actor’s modus operandi to practical detection and response steps. By understanding the multi-platform nature of the locker portfolio and the role of SystemBC in enabling covert C2, security teams can better safeguard corporate environments. Continuous monitoring, threat intel ingestion, and proactive testing of detection rules are essential to stay ahead of this rapidly growing threat.