RC RANDOM CHAOS

SystemBC C2 Server Exposes 1,570+ Victims Tied to Gentlemen Ransomware Crew

via The Hacker News

Original source

SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation


A misconfigured SystemBC command-and-control server has leaked the operational footprint of The Gentlemen ransomware group, exposing more than 1,570 compromised hosts routed through the proxy malware. SystemBC functions as a SOCKS5 proxy implant that ransomware affiliates use to tunnel traffic, stage payloads, and maintain persistent access to victim networks without tripping egress controls.

The victim count suggests The Gentlemen are operating at a far larger scale than their public leak-site postings indicate, with most intrusions either never reaching the extortion stage or being resolved quietly. The mix of infected hosts spans enterprise endpoints and likely includes pivoted infrastructure used to launder further attacks, which is consistent with SystemBC’s role as shared tooling across multiple ransomware ecosystems.

The exposure is a reminder that affiliate-driven ransomware operations leave durable infrastructure artifacts. When operators fail to lock down their own C2, defenders and researchers gain a rare ground-truth view of scope, targeting patterns, and overlap between supposedly distinct threat brands.


This is an AI-generated summary. Read the original for the full story.