Cybersecurity researchers revealed a large-scale compromise linked to the SystemBC malware infrastructure, uncovering a command-and-control server associated with more than 1,570 infected victims worldwide. The activity is tied to a rapidly growing ransomware-as-a-service operation known as “The Gentlemen,” which has emerged as a significant threat actor since mid-2025. The discovery provides rare visibility into the internal scale and operational reach of a modern ransomware ecosystem.
SystemBC is a proxy-based malware that plays a critical role in advanced intrusion campaigns by establishing covert communication channels between compromised systems and attacker-controlled infrastructure. It operates by creating SOCKS5 tunnels, allowing attackers to route traffic through infected machines while maintaining anonymity and persistence. The malware communicates with its command-and-control servers using encrypted protocols and is capable of downloading and executing additional payloads directly in memory or on disk, making detection significantly more difficult.
The exposure of the command-and-control server revealed that the majority of victims are corporate environments rather than individual users, indicating that the campaign is focused on high-value organizational targets. The infections span multiple countries, including the United States, the United Kingdom, Germany, Australia, and Romania, demonstrating the global scale of the operation. This distribution suggests a deliberate targeting strategy aimed at enterprises where ransomware attacks can yield higher financial returns.
The broader attack chain associated with this campaign follows a structured and highly coordinated approach. Initial access is believed to be achieved through compromised credentials or vulnerable internet-facing services. Once inside the network, attackers perform reconnaissance, move laterally across systems, and deploy tools such as Cobalt Strike and SystemBC to establish persistence and maintain control. The final stage involves the deployment of ransomware, often accompanied by data exfiltration as part of a double-extortion strategy.
A notable characteristic of this operation is the use of Group Policy Objects (GPOs) to propagate the attack across entire domains, enabling attackers to rapidly scale their impact within enterprise environments. This technique allows for centralized execution of malicious payloads, effectively turning legitimate administrative mechanisms into tools for mass compromise. The attackers also demonstrate a high level of adaptability, tailoring their techniques to bypass specific security controls and modifying their tools based on the target environment.
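The GPO-propagation step described above is one of the few places in this chain where the attacker must touch a centrally audited object. The following detector is an added illustration, not tooling from the researchers or from any vendor: it consumes constructed audit lines that mirror a simplified subset of Windows Security events 5136 (directory object modified) and 5137 (directory object created) for `groupPolicyContainer` objects, and flags changes made by accounts outside an approved GPO-admin list, content-bearing attribute changes by those accounts, and bursts of GPO edits from one account in a short window. The account names, the DN with `GUID-PLACEHOLDER`, and the `key=value|...` line format are all assumptions made for the example.

```python
"""Flag Group Policy Object changes that fall outside the expected change process.
Added illustration; the events below are constructed and only approximate the
fields of Windows Security events 5136 / 5137 with directory-service auditing on."""
from collections import defaultdict
from datetime import datetime, timedelta

GPO_CLASS = "groupPolicyContainer"
# Attributes whose change alters what the GPO applies, not just its metadata.
CONTENT_ATTRIBUTES = {"gPCFileSysPath", "gPCMachineExtensionNames",
                      "gPCUserExtensionNames", "versionNumber"}


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' audit line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event_id"] = int(fields["event_id"])
    return fields


def suspicious_gpo_changes(lines, approved_admins, burst_window=timedelta(minutes=10),
                           burst_threshold=3):
    """Return (time, subject, object_dn, reasons) tuples for GPO events worth review."""
    findings = []
    per_subject = defaultdict(list)  # subject -> timestamps of GPO changes
    for e in (parse_event(l) for l in lines):
        if e["event_id"] not in (5136, 5137) or e.get("object_class") != GPO_CLASS:
            continue
        per_subject[e["subject"]].append(e["time"])
        reasons = []
        if e["subject"] not in approved_admins:
            reasons.append("unapproved-account")
            # A content attribute changed by an unapproved account is the
            # pattern of a GPO being turned into a mass-deployment vehicle.
            if e["event_id"] == 5136 and e.get("attribute") in CONTENT_ATTRIBUTES:
                reasons.append("policy-content-change")
        if reasons:
            findings.append((e["time"].isoformat(), e["subject"], e["object_dn"], reasons))
    # Burst: burst_threshold or more GPO changes by one account inside burst_window.
    for subject, times in per_subject.items():
        times.sort()
        for i in range(len(times) - burst_threshold + 1):
            if times[i + burst_threshold - 1] - times[i] <= burst_window:
                findings.append((times[i].isoformat(), subject, "*", ["gpo-change-burst"]))
                break
    return findings


# Constructed sample events (not real telemetry); GUID-PLACEHOLDER stands in for a GPO GUID.
GPO_DN = "CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_LINES = [
    f"time=2025-11-03T02:13:50|event_id=5137|subject=CORP\\svc-backup|object_class={GPO_CLASS}|object_dn={GPO_DN}",
    f"time=2025-11-03T02:14:05|event_id=5136|subject=CORP\\svc-backup|object_class={GPO_CLASS}|object_dn={GPO_DN}|attribute=gPCMachineExtensionNames",
    f"time=2025-11-03T02:14:40|event_id=5136|subject=CORP\\svc-backup|object_class={GPO_CLASS}|object_dn={GPO_DN}|attribute=versionNumber",
    f"time=2025-11-03T02:15:10|event_id=5136|subject=CORP\\svc-backup|object_class={GPO_CLASS}|object_dn={GPO_DN}|attribute=gPCFileSysPath",
    f"time=2025-11-03T09:30:00|event_id=5136|subject=CORP\\gpo-admin|object_class={GPO_CLASS}|object_dn={GPO_DN}|attribute=versionNumber",
    "time=2025-11-03T09:31:00|event_id=5136|subject=CORP\\gpo-admin|object_class=user|object_dn=CN=jdoe,OU=Staff,DC=corp,DC=example|attribute=description",
]


def demo_gpo():
    """Run the detector over the constructed sample with one approved GPO admin."""
    return suspicious_gpo_changes(SAMPLE_LINES, approved_admins={"CORP\\gpo-admin"})


if __name__ == "__main__":
    for finding in demo_gpo():
        print(finding)
```

The approved-admin list is the control that makes this useful: a routine `versionNumber` bump by the sanctioned account produces nothing, while a service account creating a GPO and editing its extension list within two minutes produces four per-event findings plus a burst finding.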
The ransomware group behind the campaign, The Gentlemen, operates under a ransomware-as-a-service model, providing affiliates with the tools and infrastructure needed to conduct attacks. Since its emergence, the group has claimed hundreds of victims and continues to grow rapidly, indicating an increasing level of organization and sophistication within the cybercrime ecosystem. The integration of SystemBC into its operations enhances its ability to maintain stealthy access and coordinate attacks across multiple victims simultaneously.
The impact of this campaign is severe and far-reaching. Confidentiality is compromised through unauthorized access and data exfiltration, integrity is threatened by unauthorized system modifications and malware deployment, and availability is affected through ransomware encryption and service disruption. The scale of the botnet and the enterprise focus of the attacks significantly increase the potential damage, particularly for organizations lacking advanced detection and response capabilities.
This incident highlights the evolving nature of ransomware operations, where attackers are increasingly relying on modular, scalable infrastructures and proxy-based malware to enhance their effectiveness. The use of centralized command-and-control systems combined with distributed infection points allows for efficient management of large victim networks and coordinated attack execution.
In conclusion, the exposure of the SystemBC command-and-control server provides critical insight into the scale and sophistication of modern ransomware campaigns. It underscores the importance of securing internet-facing systems, monitoring for unusual network tunneling activity, and implementing strong identity and access controls. Organizations must adopt proactive threat detection and response strategies to identify and disrupt such operations before they escalate into full-scale ransomware incidents.
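The description of SystemBC as a SOCKS5 tunnel builder, together with the closing recommendation to monitor for unusual network tunneling, is the kind of statement a detection engineer wants turned into a concrete check. The script below is an added example, not code from the researchers or from any product. The page does not describe the on-the-wire encoding SystemBC uses toward its own command-and-control server, so the example keys on two generic signals instead: a well-formed SOCKS5 method-selection greeting (RFC 1928: version byte `0x05`, a method count, then that many method bytes) appearing at the start of a flow, and long-lived connections from internal hosts to external addresses on ports other than 80 and 443. The flow records, the RFC 1918 definition of "internal", the sanctioned-proxy list, and the 10-minute threshold are all assumptions made for the example.

```python
"""Flag flows that look like proxy tunneling from hosts that should not proxy.
Added illustration; the flow records below are constructed, not captured data."""
import ipaddress
from dataclasses import dataclass

SOCKS5_VERSION = 0x05
# RFC 1918 ranges stand in for "inside the enterprise" in this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: float
    first_bytes: bytes  # first application bytes seen on the flow (constructed)


def is_socks5_greeting(payload: bytes) -> bool:
    """True if payload starts with a well-formed RFC 1928 method-selection greeting:
    VER=0x05, NMETHODS>=1, followed by NMETHODS method bytes (0xFF is reserved)."""
    if len(payload) < 3 or payload[0] != SOCKS5_VERSION:
        return False
    nmethods = payload[1]
    if nmethods == 0 or len(payload) < 2 + nmethods:
        return False
    return all(m != 0xFF for m in payload[2:2 + nmethods])


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_proxy_flows(flows, known_proxies=frozenset(), min_duration_s=600):
    """Return (src, dst, dport, reasons) for flows from non-sanctioned internal hosts
    that speak SOCKS5 to an external address or hold a long-lived connection on a
    port other than 80/443."""
    findings = []
    for f in flows:
        if f.src in known_proxies or is_internal(f.dst):
            continue  # sanctioned egress proxy, or purely internal traffic
        reasons = []
        if is_socks5_greeting(f.first_bytes):
            reasons.append("socks5-greeting")
        if f.duration_s >= min_duration_s and f.dport not in (80, 443):
            reasons.append("long-lived-nonstandard-port")
        if reasons:
            findings.append((f.src, f.dst, f.dport, reasons))
    return findings


# Constructed sample flows (198.51.100.0/24 is a documentation range, used as "external").
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "198.51.100.7", 4001, 7200.0, bytes([0x05, 0x02, 0x00, 0x02])),
    Flow("10.0.5.33", "10.0.0.10", 1080, 30.0, b"\x05\x01\x00"),        # internal only
    Flow("10.0.5.40", "198.51.100.9", 443, 5.0, b"\x16\x03\x01"),        # ordinary TLS
    Flow("10.0.9.2", "198.51.100.9", 8443, 900.0, b"\x16\x03\x01"),      # long-lived, odd port
    Flow("10.0.1.5", "198.51.100.7", 1080, 99999.0, b"\x05\x01\x00"),    # sanctioned proxy
]


def demo():
    """Run the detector over the constructed sample with one sanctioned proxy host."""
    return suspicious_proxy_flows(SAMPLE_FLOWS, known_proxies={"10.0.1.5"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On the sample, the workstation at 10.0.5.21 is reported for both signals and 10.0.9.2 for the long-lived connection alone; the internal SOCKS session and the sanctioned proxy produce nothing. The greeting check is deliberately strict about the declared method count so that random binary traffic starting with 0x05 does not match.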
