An incident response engagement published this week by Check Point Research pulled the lid off the post-exploitation infrastructure behind The Gentlemen, a ransomware-as-a-service operation that has rapidly become one of the most active enterprise-focused crews of 2026. Telemetry recovered from one of the group's SystemBC command-and-control servers revealed a botnet of more than 1,570 active victims, and the profile of those hosts strongly suggests corporate and organizational environments rather than home users.

What happened

Check Point’s DFIR team was called in on a Gentlemen intrusion and, during triage, identified a SystemBC payload running as a SOCKS5 proxy inside the victim’s environment. Pivoting from the beacon’s C2 channel, researchers obtained telemetry from the controller itself — a window into the wider population of hosts calling into that same proxy infrastructure. The count: 1,570+ likely corporate victims, with geography and uptime characteristics that ruled out a standard consumer botnet.

The Gentlemen operation has been running since mid-July 2025 and surfaced publicly on its data leak site in early September 2025. Since the turn of the year it has accelerated sharply — roughly 240 attacks have been claimed in the first four months of 2026, making it one of the most prolific new RaaS brands in the current landscape.

Technical details

Gentlemen’s arsenal is unusually broad for a newer RaaS. The locker portfolio is implemented in Go with builds for Windows, Linux, NAS, and BSD, plus a separate locker written in C specifically targeting VMware ESXi. That ESXi capability matters: one run on a hypervisor encrypts the virtual disk files of every VM on its datastores, and with vCenter access an affiliate can repeat that on every host vCenter manages, taking an estate's servers down in minutes.

Post-exploitation tooling is where the campaign looks most “professionalized”:

  • SystemBC for SOCKS5 tunneling, with an RC4-encrypted custom protocol back to C2. SystemBC is the quiet layer that keeps operator traffic blended with normal outbound connections.
  • Cobalt Strike for hands-on-keyboard lateral movement and beaconing.
  • Group Policy-based mass deployment of the ransomware payload, turning a domain controller compromise into an estate-wide detonation.
  • Scheduled tasks and service installs for persistence, paired with routine disabling of endpoint protection before the locker fires.

Initial access, according to Group-IB’s earlier profile of the crew, leans heavily on CVE-2024-55591, the authentication bypass in FortiOS / FortiProxy. Affiliates are served from an internal “FortiGate Inventory Overview” page that, when last observed, listed roughly 14,700 already-exploited FortiGate devices by country, plus 969 validated brute-forced VPN credentials pre-staged for use. Affiliates are instructed to preferentially pick targets with LDAP integration and large user counts — in other words, enterprises with usable AD footholds behind the appliance. The group has also been discussing extending its reconnaissance and exploit work to SonicWall SSL VPN, Cisco ASA, and Oracle E-Business Suite, echoing the Cl0p Oracle campaigns of 2025.

Impact

A 1,570-host SOCKS5 botnet of corporate endpoints is not a scoreboard — it is staging. Each of those hosts is a potential pivot point for a future Gentlemen detonation, and the same proxy pool is plausibly rented or shared with other affiliates in the group’s toolchain. If your egress monitoring has been quiet on long-lived SOCKS5 sessions to unusual upstreams, that quiet is suspicious now rather than reassuring.

For organizations still exposing unpatched FortiGates or FortiProxy appliances: you should assume those are on the inventory. The group’s model is to pre-compromise the perimeter at scale and hand affiliates a menu, which means the window between appliance compromise and ransomware detonation is whatever the next affiliate’s calendar allows.

Mitigations

Patch the front door first, then hunt for the proxy.

  1. FortiOS / FortiProxy: CVE-2024-55591. The flaw affects FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 and later; the 7.2 and 7.4 branches are not affected) and FortiProxy 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12 (fixed in 7.0.20 and 7.2.13 respectively); confirm against Fortinet's advisory for the current list. Exploitation goes through the web management interface, so until the upgrade lands, remove HTTP/HTTPS administrative access from internet-facing interfaces. Then rotate all local admin and VPN credentials on those devices, review admin accounts for additions you didn't make (Fortinet's advisory lists indicators such as jsconsole logins from loopback or arbitrary source addresses and admin accounts with random names), and pull firewall config history for unauthorized policy changes. Patching alone does not evict the group from a device that is already on the inventory.
  2. VPN exposure reduction. SonicWall SSL VPN, Cisco ASA WebVPN, and similar internet-exposed remote-access surfaces should be fronted by MFA enforced at the authentication layer (not just a portal prompt) and, where possible, restricted to known source ranges or ZTNA gateways.
  3. Hunt SystemBC. Its C2 channel is a custom protocol encrypted with RC4, not TLS, so protocol analyzers such as Zeek or Suricata will leave it unlabelled rather than tagging it ssl or http. Look for long-running TCP sessions from endpoints and servers to external upstreams on unidentified protocols, especially on non-standard ports, and for several internal hosts holding sessions to the same upstream, which is what a shared proxy pool looks like from the inside. On the host, look for unexpected services or scheduled tasks (systembc, socks5, or randomly named) created via schtasks or service installs. Check Point's writeup includes IOCs.
  4. Cobalt Strike detection. Even default-profile beacons are still catchable: default named-pipe patterns (MSSE-<n>-server, msagent_<nn>, postex_<hex>) used for IPC between beacon and post-exploitation jobs, the team server's TLS stack fingerprint (JARM), and unsigned loaders injecting into the default spawnto targets rundll32 / werfault remain reliable signals.
  5. Contain the blast radius for ESXi. Restrict ESXi management interfaces to an isolated admin network, disable unused services (SLP, CIM), require MFA on vCenter, and keep hypervisor hosts patched. A working Go locker and a purpose-built C ESXi locker means Gentlemen affiliates will specifically look for your hypervisors.
  6. Audit Group Policy. Gentlemen's GPO-based mass deployment means an unexpected new GPO, logon script, or scheduled-task GPO pushed from a DC is a late-stage signal. With directory service change auditing enabled on the DCs, alert on object creation and modification events (Security event IDs 5137 and 5136) for groupPolicyContainer objects, and on new files appearing under SYSVOL\Policies outside change windows. If you see one appear, assume detonation is minutes away, not hours.
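The proxy hunt in item 3 and the shared-upstream point in the Impact section, as an added example that is not from Check Point's report or the original article: a small Python script that reads a Zeek-style conn.log, flags long-lived internal-to-external TCP sessions whose protocol Zeek could not identify (the trace a custom RC4 channel leaves, whatever port it uses), and then groups the hits by upstream so that one destination shared by several internal hosts stands out. The log excerpt is constructed, the addresses and ports are invented, and the duration threshold and port list are assumptions to tune per environment.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Constructed Zeek conn.log excerpt (not real telemetry). Assumed column order is
# the Zeek default for the columns used here: ts uid id.orig_h id.orig_p id.resp_h
# id.resp_p proto service duration orig_bytes resp_bytes conn_state. All addresses,
# ports and byte counts are invented.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1714000000.1\tC1\t10.0.1.15\t51022\t203.0.113.50\t4001\ttcp\t-\t86400.0\t120000\t9000000\tS1
1714000001.2\tC2\t10.0.1.22\t50877\t203.0.113.50\t4001\ttcp\t-\t43000.0\t80000\t4100000\tS1
1714000002.3\tC3\t10.0.2.7\t49211\t198.51.100.9\t443\ttcp\tssl\t5400.0\t3000\t20000\tSF
1714000003.4\tC4\t10.0.1.15\t55012\t8.8.8.8\t53\tudp\tdns\t0.02\t60\t120\tSF
1714000004.5\tC5\t10.0.3.4\t50001\t10.0.0.5\t445\ttcp\tsmb\t7200.0\t500000\t700000\tS1
1714000005.6\tC6\t10.0.4.9\t52333\t192.0.2.77\t443\ttcp\t-\t12000.0\t9000\t150000\tS1
"""

# RFC1918 ranges. ipaddress.is_private would also match the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so membership is checked explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports where a long-lived outbound session is at least plausible (assumption; tune per site).
COMMON_PORTS = {22, 25, 53, 80, 443, 465, 587, 993, 995}


def is_internal(addr: str) -> bool:
    """True when addr falls inside an RFC1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_conn_log(text: str) -> list[dict]:
    """Parse a tab-separated Zeek conn.log into dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log data encountered before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def flag_sessions(records: list[dict], min_duration: float = 3600.0) -> list[dict]:
    """Flag long-lived internal->external TCP sessions that Zeek could not classify.

    SystemBC's C2 channel is a custom RC4-encrypted protocol rather than TLS, so the
    service column stays '-' instead of 'ssl' or 'http'. A non-standard destination
    port is recorded as an additional reason but is not required for a hit.
    """
    flagged = []
    for r in records:
        if r["proto"] != "tcp":
            continue
        if not is_internal(r["id.orig_h"]) or is_internal(r["id.resp_h"]):
            continue
        duration = float(r["duration"]) if r["duration"] != "-" else 0.0
        if duration < min_duration or r["service"] != "-":
            continue
        port = int(r["id.resp_p"])
        reasons = ["long-lived", "unidentified-protocol"]
        if port not in COMMON_PORTS:
            reasons.append(f"non-standard-port:{port}")
        flagged.append({"uid": r["uid"], "src": r["id.orig_h"], "dst": r["id.resp_h"],
                        "port": port, "duration": duration, "reasons": reasons})
    return flagged


def shared_upstreams(flagged: list[dict], min_hosts: int = 2) -> dict[tuple[str, int], list[str]]:
    """Group flagged sessions by (dst, port); one upstream serving several internal
    hosts is the shared proxy-pool pattern rather than a single odd connection."""
    by_dst: dict[tuple[str, int], set[str]] = defaultdict(set)
    for f in flagged:
        by_dst[(f["dst"], f["port"])].add(f["src"])
    return {k: sorted(v) for k, v in by_dst.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    hits = flag_sessions(parse_conn_log(SAMPLE_CONN_LOG))
    for h in hits:
        print(f"{h['uid']}: {h['src']} -> {h['dst']}:{h['port']} "
              f"({h['duration']:.0f}s) {', '.join(h['reasons'])}")
    for (dst, port), hosts in shared_upstreams(hits).items():
        print(f"shared upstream {dst}:{port} used by {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed sample the script flags C1, C2 and C6 and reports 203.0.113.50:4001 as an upstream shared by two internal hosts; the TLS session on 443 and the internal SMB session are not reported even though both are long-lived. On real data, run it over a day or more of conn.log and expect to whitelist legitimate long-lived unclassified sessions (VPN clients, database replication, vendor agents) before the remaining hits are worth an analyst's time.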
