Ransomware, Threat Intelligence

SystemBC botnet linked to Gentlemen ransomware attacks

April 21, 2026
By SC Staff

A large SystemBC proxy-malware botnet of more than 1,570 hosts, believed to be mostly corporate victims, has been uncovered following an investigation into a Gentlemen ransomware attack, according to a recent report by Bleeping Computer.

The Gentlemen ransomware-as-a-service (RaaS) operation, active since mid-2025, offers encryptors for Windows, Linux, and ESXi hypervisors. Researchers from Check Point found that Gentlemen affiliates are expanding their toolkit by deploying the SystemBC proxy malware for covert payload delivery. SystemBC, known for its SOCKS5 tunneling capability, has been adopted by ransomware gangs to hide malicious traffic and deliver payloads.

Despite previous law enforcement actions, the botnet remains active and is primarily infecting corporate and organizational environments, with victims concentrated in the United States, United Kingdom, Germany, Australia, and Romania.

The infection chain involves attackers gaining Domain Admin privileges, using Cobalt Strike for lateral movement, and then deploying the ransomware across the network via Group Policy. The integration of SystemBC and Cobalt Strike into the Gentlemen operation suggests a move toward more mature post-exploitation frameworks and proxy infrastructure.

Source: Bleeping Computer
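The article's key detection point is that SystemBC hides command-and-control and payload traffic behind a SOCKS5 tunnel. A defender can look for that directly: a SOCKS5 client greeting is a fixed byte layout (version 0x05, a method count, then that many method bytes), so an outbound flow from an internal host whose first client bytes form a valid greeting to an address outside the corporate range and outside an allow-list of sanctioned proxies is worth an alert. The following Python is an added example, not code from the article, Check Point or Bleeping Computer; the flow records are constructed sample data, the RFC 1918 ranges stand in for a real address plan, and the approved-proxy set is a hypothetical allow-list.

```python
"""Flag outbound flows whose first client bytes look like a SOCKS5 greeting.

Added example (not from the article). Inputs are constructed flow records:
each carries source, destination, destination port and the first client
payload bytes seen on the connection.
"""
from dataclasses import dataclass
import ipaddress

# Assumption: the internal address plan is RFC 1918; anything else is "external".
# ipaddress.is_private is not used because it also treats the documentation
# ranges (203.0.113.0/24 etc.) used in the sample data as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first client-to-server payload on the connection


def is_socks5_greeting(payload: bytes) -> bool:
    """True when payload is exactly a SOCKS5 client greeting: VER NMETHODS METHODS...

    VER must be 0x05, NMETHODS must be at least 1, and the segment must contain
    exactly NMETHODS method bytes (a real client sends nothing else first).
    """
    if len(payload) < 3 or payload[0] != 0x05:
        return False
    nmethods = payload[1]
    if nmethods == 0:
        return False
    return len(payload) == 2 + nmethods


def is_external(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def find_suspect_proxy_flows(flows, approved_proxies=frozenset()):
    """Return flows that open a SOCKS5 session to a non-approved external host."""
    hits = []
    for flow in flows:
        if flow.dst in approved_proxies:
            continue  # sanctioned corporate proxy, not interesting
        if not is_external(flow.dst):
            continue  # internal SOCKS use is handled by other controls
        if is_socks5_greeting(flow.first_bytes):
            hits.append(flow)
    return hits


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    # SOCKS5 "no auth" greeting on 443: looks like HTTPS by port, is not TLS.
    Flow("10.1.2.3", "203.0.113.10", 443, b"\x05\x01\x00"),
    # Same greeting to an internal host: out of scope for this check.
    Flow("10.1.2.3", "10.0.0.5", 1080, b"\x05\x01\x00"),
    # Genuine TLS ClientHello record header: not a SOCKS greeting.
    Flow("10.1.2.4", "198.51.100.7", 443, b"\x16\x03\x01\x00\xa5"),
    # Greeting offering no-auth and username/password methods.
    Flow("10.1.2.5", "203.0.113.20", 1080, b"\x05\x02\x00\x02"),
    # Greeting to the hypothetical approved corporate proxy: allow-listed.
    Flow("10.1.2.6", "192.0.2.8", 1080, b"\x05\x01\x00"),
]

# Hypothetical allow-list of sanctioned proxy addresses.
APPROVED_PROXIES = frozenset({"192.0.2.8"})


def report(flows=SAMPLE_FLOWS, approved=APPROVED_PROXIES):
    """Return (dst, dport) pairs for suspect flows, in input order."""
    return [(f.dst, f.dport) for f in find_suspect_proxy_flows(flows, approved)]


if __name__ == "__main__":
    for dst, port in report():
        print(f"suspect SOCKS5 session to {dst}:{port}")
```

Port is deliberately not used as a signal: SystemBC-style proxies are expected to sit on whatever port blends in, so the check keys on the handshake bytes and on whether the destination is a known proxy. In production the flow records would come from a packet broker or an IDS that exposes the first payload bytes, and the allow-list from the proxy inventory.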