How to Investigate an Infection by The Gentlemen RaaS Involving SystemBC Proxy Malware
What You Need
- Network telemetry (e.g., firewall logs, proxy logs, DNS queries)
- Endpoint detection and response (EDR) data from compromised hosts
- Threat intelligence feeds covering ransomware-as-a-service (RaaS) groups and proxy malware
- Access to underground forum archives and onion sites for victim leaks
- Malware analysis tools (e.g., sandboxes, debuggers) for examining SystemBC payloads
- SIEM or log aggregation platform to correlate events across the environment
Introduction
Investigating a ransomware incident often involves understanding the full attack chain, from initial access to final payload deployment. This guide focuses on a specific scenario: an affiliate of The Gentlemen ransomware-as-a-service (RaaS) program deploying SystemBC, a proxy malware commonly used for covert tunneling. The Gentlemen group emerged around mid-2025 and has since claimed over 320 victims, with the majority occurring in early 2026. Their broad locker portfolio covers Windows, Linux, NAS, BSD (Go-based) and ESXi (C-based). SystemBC establishes SOCKS5 tunnels, enabling affiliates to maintain persistence and deliver additional tools. The following steps will help you identify, analyze, and contextualize such an infection using the same methodology threat researchers have applied to it.

Step 1: Identify Indicators of The Gentlemen RaaS Activity
Begin by searching for hallmarks of The Gentlemen RaaS within your environment or threat intel. Look for:
- Ransomware notes referencing a Tox ID for negotiations and a Twitter/X account (e.g., @thegentlemen_raas). The note may also mention their onion leak site.
- Affiliate advertisements on underground forums promoting the RaaS, typically offering multi-OS lockers and EDR-killing tools.
- Public victim shaming posts on their Twitter/X account, often including screenshots of stolen data.
- Leak site data (onion domain) listing victims who did not pay. Check for any internal references like hostnames or IPs.
If you find any of these indicators in your telemetry, confirm by cross-referencing with known hash values or patterns from threat reports (e.g., Figures 1 and 2 in the original DFIR analysis).
Step 2: Detect SystemBC Proxy Malware Deployment
SystemBC is typically deployed after initial compromise via phishing or exploitation. Focus on:
- Network traffic to unusual ports over SOCKS5 protocol. SystemBC often uses standard HTTP ports (80, 443) but with non-standard payloads. Look for persistent outbound connections to IPs associated with known C2 servers.
- Endpoint artifacts: SystemBC executables may be named innocuously (e.g., svchost.exe variants) but exhibit high memory usage or unusual registry Run keys. Scan for processes opening raw sockets or performing proxy routing.
- Log correlation: Check Point Research observed a SystemBC C2 server with over 1,570 victims globally. If your environment matches telemetry from that server (e.g., specific JA3 fingerprints, beacon intervals), flag it immediately.
Use EDR queries to find processes that initiate outbound connections and write to %TEMP% or %APPDATA% with obfuscated payloads.
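One way to turn the two checks above (beacon-like outbound connections and staging-directory writes by the same process) into a query over EDR telemetry, as an added example that is not part of the original guide; the event schema, hosts, PIDs, paths and IP addresses are constructed for illustration:

```python
import statistics
from collections import defaultdict

# Constructed sample EDR events (hypothetical hosts, PIDs, paths and IPs; not real
# telemetry). ts = seconds since the start of the capture window.
IMG = r"C:\Users\bob\AppData\Roaming\svchost.exe"
EVENTS = [{"host": "WS01", "pid": 4112, "image": IMG, "type": "filewrite",
           "path": IMG, "ts": 5}]
EVENTS += [{"host": "WS01", "pid": 4112, "image": IMG, "type": "netconn",
            "dst": "203.0.113.10", "port": 443, "ts": t} for t in (100, 160, 221, 280, 341)]
EVENTS += [{"host": "WS02", "pid": 2048, "image": r"C:\Program Files\Browser\browser.exe",
            "type": "netconn", "dst": "198.51.100.5", "port": 443, "ts": t}
           for t in (100, 103, 250, 251, 600)]

STAGING_DIRS = ("\\appdata\\", "\\temp\\")  # %APPDATA% / %TEMP% path markers

def beacon_candidates(events, min_conns=4, max_cv=0.15):
    # Group outbound connections per (host, pid, image, dst, port) and keep the
    # series whose inter-arrival times are nearly constant (low coefficient of
    # variation): the shape of a SystemBC-style beacon to its C2 over 80/443.
    series = defaultdict(list)
    for e in events:
        if e["type"] == "netconn":
            series[(e["host"], e["pid"], e["image"], e["dst"], e["port"])].append(e["ts"])
    out = {}
    for key, ts in series.items():
        ts.sort()
        if len(ts) < min_conns:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            out[key] = mean
    return out

def flag_systembc_like(events):
    # Correlate a regular beacon with a write into (or an image running from)
    # %TEMP%/%APPDATA% by the same process; both together are a high-priority finding.
    wrote_staging = {(e["host"], e["pid"]) for e in events if e["type"] == "filewrite"
                     and any(d in e["path"].lower() for d in STAGING_DIRS)}
    findings = []
    for (host, pid, image, dst, port), mean in beacon_candidates(events).items():
        runs_from_staging = any(d in image.lower() for d in STAGING_DIRS)
        if (host, pid) in wrote_staging or runs_from_staging:
            findings.append({"host": host, "pid": pid, "image": image,
                             "c2": f"{dst}:{port}", "interval_s": round(mean, 1)})
    return findings
```

The coefficient-of-variation threshold is the tunable part: raise it to tolerate jittered beacons, and lower it when the environment has many scheduled-but-legitimate connections.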
Step 3: Analyze the Affiliate’s Multi-Platform Lockers
The Gentlemen RaaS provides affiliates with a broad locker portfolio. Once SystemBC is confirmed, check for:
- Go-based lockers targeting Windows, Linux, NAS, and BSD. These executables are statically compiled and often packed. Use file analysis to identify Go runtime strings (e.g., goroutine, crypto/tls).
- C-based ESXi locker: typically a smaller binary that terminates virtual machines and encrypts VMDK files. Look for commands like esxcli in process logs.
- EDR-killing tools: The Gentlemen group provides verified affiliates with tools to disable endpoint protection. Check for attempts to stop services (e.g., net stop) or delete security products.
- Multi-chain pivot infrastructure: server and client components that allow hop-to-hop pivoting. Network logs may show successive connections to internal hosts via compromised machines.
Gather all such binaries for sandbox execution (in an isolated environment) to extract IOCs like mutex names, scheduled tasks, and C2 domains.

Step 4: Correlate Botnet Telemetry and Scope
The SystemBC botnet associated with this campaign is not made up of random consumer infections; it is heavily concentrated on corporate and organizational environments. To assess impact:
- Enumerate all systems that communicated with the same C2 server identified in your investigation. Use network flow records to map out the blast radius.
- Check for lateral movement using RDP, SMB, or PsExec. The affiliate may have used SystemBC to proxy RDP sessions into other parts of the network.
- Review compromised accounts – SystemBC often operates under user context. Look for privileged credentials that were exfiltrated through the SOCKS5 tunnel.
Document the number of affected endpoints, their roles (e.g., domain controller, file server, database), and any encrypted files if ransom was deployed. This scope will guide containment.
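The blast-radius and lateral-movement checks in this step, worked as an added example over constructed flow records (not from the original guide; the addresses, ports and timestamps are hypothetical). It goes one step beyond the text by following RDP/SMB hops only when they occur after the pivoting host was itself reached:

```python
from collections import defaultdict, deque

# Constructed flow records (ts_seconds, src, dst, dst_port); hypothetical
# private / RFC 5737 addresses, not real IOCs. 203.0.113.10 stands in for the
# SystemBC C2 identified earlier in the investigation.
FLOWS = [
    (100, "10.0.1.15", "203.0.113.10", 443),  # tier 0: direct C2 beacon
    (160, "10.0.1.15", "203.0.113.10", 443),
    (120, "10.0.1.22", "203.0.113.10", 443),  # tier 0: second infected host
    (300, "10.0.1.15", "10.0.2.5", 3389),     # RDP proxied through the tunnel
    (450, "10.0.2.5", "10.0.2.9", 445),       # second hop over SMB
    (50, "10.0.2.5", "10.0.2.40", 445),       # predates 10.0.2.5's compromise
    (310, "10.0.1.15", "10.0.5.1", 53),       # DNS: not a lateral-movement port
    (400, "10.0.3.7", "10.0.3.8", 445),       # unrelated SMB traffic
]

LATERAL_PORTS = {3389: "RDP", 445: "SMB"}

def blast_radius(flows, c2_ip, lateral_ports=LATERAL_PORTS):
    # Tier 0: every host that talked to the C2, with its first contact time.
    reached = {}
    for ts, src, dst, _ in sorted(flows):
        if dst == c2_ip and src not in reached:
            reached[src] = {"first_seen": ts, "depth": 0, "via": None, "proto": "C2"}
    # Candidate pivot edges: src -> [(ts, dst, proto)] over RDP/SMB-style ports.
    edges = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in lateral_ports:
            edges[src].append((ts, dst, lateral_ports[port]))
    # Breadth-first hop-to-hop expansion from tier 0, following only edges that
    # start after the source itself was reached (a pivot cannot precede its
    # own compromise), so pre-existing admin traffic is not counted.
    queue = deque(reached)
    while queue:
        src = queue.popleft()
        for ts, dst, proto in sorted(edges[src]):
            if ts >= reached[src]["first_seen"] and dst not in reached:
                reached[dst] = {"first_seen": ts, "depth": reached[src]["depth"] + 1,
                                "via": src, "proto": proto}
                queue.append(dst)
    return reached

def pivot_chain(reached, host):
    # Walk back from any reached host to the tier-0 host that first touched the C2.
    chain = [host]
    while reached[chain[-1]]["via"] is not None:
        chain.append(reached[chain[-1]]["via"])
    return chain[::-1]
```

The returned map gives each affected host its depth and the hop it was reached through, which is the scope table this step asks you to document.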
Step 5: Use Threat Intelligence to Contextualize the Attack
Combine your findings with external sources to understand the threat actor’s operational tempo:
- Underground forum posts by The Gentlemen operators – they actively recruit affiliates and share updates about their locker features.
- Tox protocol – negotiations are via individual affiliate Tox IDs, not the leak site. Any Tox IDs found in ransomware notes can be linked to specific threat actors.
- Timeline mapping: The group’s burst of activity in early 2026 suggests a growing affiliate base, meaning similar attacks may escalate. Update your detection rules accordingly.
Share IOCs (hashes, IPs, domains) with your threat intelligence platform and consider publishing anonymized findings to help the wider community.
Tips
- Prioritize network segmentation: The use of SystemBC for tunneling means attackers can bypass typical egress controls. Ensure that critical segments are isolated and monitored for unusual internal proxy usage.
- Monitor for Tox clients: If you detect the Tox messenger application on a corporate host, treat it as a high-priority indicator of compromise.
- Leverage memory forensics: SystemBC may be memory-resident only. Use tools like Volatility to extract payloads from RAM before the host is encrypted and the evidence is lost.
- Keep detection signatures updated: The Gentlemen group updates its lockers frequently. Regularly review open-source threat reports (e.g., from Check Point) for new IOC feeds.
- Practice incident response playbooks: Simulate a SystemBC plus ransomware attack to test your team’s ability to detect and contain proxy tunnels before encryption occurs.
By following these steps, you can systematically investigate an infection by The Gentlemen RaaS involving SystemBC, from initial identification through to broader contextual analysis. The key is to integrate network, endpoint, and intelligence sources to uncover the full scope of the incident.