The PolySwarm Blog


The Gentlemen RaaS and SystemBC Activity Observed in Enterprise Intrusions

Apr 27, 2026 2:06:10 PM / by The Hivemind

Verticals Targeted: Enterprise Networks
Regions Targeted: US, UK, Germany
Related Families: SystemBC, Cobalt Strike

Executive Summary

The Gentlemen ransomware-as-a-service (RaaS) operation has rapidly scaled in early 2026, leveraging multi-platform encryption capabilities and enterprise-focused intrusion techniques. Recent DFIR analysis shows affiliates using tools such as SystemBC and Cobalt Strike to establish covert access, pivot laterally, and deploy ransomware at scale via Group Policy, enabling rapid domain-wide encryption events. The Gentlemen has been observed targeting enterprise networks primarily in the US, UK, and Germany.

Key Takeaways

  • The Gentlemen RaaS has claimed over 320 victims, with most attacks occurring in 2026, indicating rapid affiliate adoption.
  • An observed affiliate deployed SystemBC to establish SOCKS5 tunnels for covert command-and-control and payload delivery.
  • Intrusions demonstrate full domain compromise, including Domain Admin access, credential harvesting, and lateral movement at scale.
  • Ransomware deployment via Group Policy enables rapid domain-wide encryption across domain-joined systems.

Overview

The Gentlemen is an emerging ransomware-as-a-service operation first observed around mid-2025 that has rapidly expanded its footprint through affiliate recruitment and a broad tooling offering. The group provides multi-platform lockers written primarily in Go for Windows, Linux, NAS, and BSD systems, along with a separate C-based encryptor targeting ESXi environments. This cross-platform capability aligns with modern enterprise environments, enabling affiliates to impact endpoints, servers, and virtualization infrastructure within a single campaign. The group also provides supporting tooling, including EDR evasion utilities and pivot infrastructure, which lowers barriers to entry while increasing operational effectiveness. Unlike some RaaS operations that centralize negotiations, The Gentlemen uses affiliate-controlled Tox IDs for victim communication, while maintaining a leak site and public-facing presence to increase pressure on victims. Check Point Research recently reported on this activity.

Intrusion Chain Analysis

Initial Access and Privilege Establishment

The precise initial access vector was not identified. The earliest confirmed activity shows the attacker operating from a Domain Controller with Domain Admin privileges. Early behavior includes credential validation through failed and successful logon attempts, consistent with controlled enumeration and access verification.

Lateral Movement and Execution

From this privileged position, the attacker deployed payloads across the environment using administrative shares (ADMIN$) and remote procedure call (RPC) execution. Cobalt Strike payloads were distributed to multiple hosts, enabling remote command execution and C2 communication. Discovery activity included system enumeration (systeminfo, whoami), file system inspection, and access to internal documentation, indicating a combination of automated tooling and operator-driven reconnaissance.

C2 and Proxy Activity

During the intrusion, an affiliate attempted to deploy SystemBC, proxy malware used to establish SOCKS5 tunnels for covert communication. SystemBC uses RC4-encrypted communications and supports payload delivery via both on-disk and in-memory execution. Telemetry from the associated C2 infrastructure shows over 1,570 infected systems globally. The infection profile suggests a likely focus on corporate and organizational environments, though this is based on observed patterns rather than confirmed targeting. When SystemBC deployment was blocked, the attacker shifted to alternative C2 channels using Cobalt Strike infrastructure, demonstrating adaptability in maintaining external connectivity.
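As an added example (not SystemBC's own code, and not derived from a sample), the block below implements the RC4 step named above and the way an analyst typically uses it: try keys carved from a sample's configuration against bytes captured from the proxy channel and rank them by how plausible the decrypted result looks. How SystemBC derives its RC4 key and frames its messages is not described on this page, so the example stops at the cipher itself; the "captured" bytes and the candidate keys are constructed from a published RC4 test vector, not from SystemBC traffic.

```python
# RC4 plus a key-ranking helper. Added example, not SystemBC code.

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace: a cheap plaintext plausibility score."""
    if not data:
        return 0.0
    return sum(32 <= c < 127 or c in (9, 10, 13) for c in data) / len(data)


def rank_keys(blob: bytes, candidates):
    """Decrypt the blob under each candidate key and rank keys by plausibility of the result.

    Candidates would normally be strings carved from the sample's embedded configuration;
    the sort is stable, so equally plausible keys keep their original order."""
    scored = [(printable_ratio(rc4(k, blob)), k) for k in candidates]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed inputs: the blob is the published RC4 test vector for key b"Secret",
# standing in for bytes captured off the proxy channel; the other keys are decoys.
CAPTURED_BLOB = bytes.fromhex("45a01f645fc35b383552544b9bf5")
CANDIDATE_KEYS = [b"Wiki", b"Secret", b"Key", b"systembc"]

if __name__ == "__main__":
    for score, key in rank_keys(CAPTURED_BLOB, CANDIDATE_KEYS):
        print(f"{score:.2f} {key!r} -> {rc4(key, CAPTURED_BLOB)!r}")
```

The plausibility score is deliberately crude; on real captures the first bytes of a decrypted message are usually a fixed header or length field, and checking for that is a stronger discriminator than printability once the framing is known.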

Defense Evasion, Persistence, and Expansion

The attacker employed multiple techniques to weaken defenses and maintain persistence, including the following:

  • Disabled Microsoft Defender real-time monitoring via PowerShell
  • Added filesystem and process exclusions
  • Disabled Windows Firewall and modified security configurations
  • Enabled Remote Desktop and deployed AnyDesk with a predefined password
  • Established persistence via scheduled tasks and registry run keys
  • Performed credential access using Mimikatz

These actions enabled sustained access while facilitating lateral movement across the domain.

Propagation was further supported through credential reuse and automated deployment mechanisms across reachable systems.

Ransomware Deployment and Impact

The final stage of the intrusion involved deployment of The Gentlemen ransomware using Group Policy Objects (GPOs). This technique allows attackers with Domain Controller access to execute payloads across domain-joined systems, resulting in rapid, widespread encryption.

The ransomware supports extensive command-line functionality, including:

  • Credential-based lateral movement via the --spread flag
  • Domain-wide deployment via the --gpo flag
  • Selective or full encryption modes
  • Speed-based partial encryption to accelerate impact

Encryption leverages modern cryptographic primitives, including X25519 key exchange and XChaCha20 encryption. Partial encryption modes allow attackers to encrypt as little as 1 percent of large files to accelerate execution while maintaining operational impact. The malware also terminates processes and services associated with databases, virtualization platforms, backups, and security tools, maximizing disruption and limiting recovery options.
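The key-exchange half of that design, as an added example and not the locker's own code: X25519 per RFC 7748 implemented from scratch, then the hybrid wrapping it enables. The wrapping shown (a static operator public key embedded in the locker, a fresh ephemeral key pair per file, the shared secret hashed with SHA-256 into a 32-byte symmetric key, the ephemeral private key discarded) is an assumption that fits the page's description of X25519 plus XChaCha20, not a verified reconstruction of The Gentlemen's encryptor, and the XChaCha20 step itself is left out. What the example does show is why recovery without the operator's private key fails: nothing written to the victim's disk contains the file key or the material needed to recompute it.

```python
import hashlib
import os

# X25519 (RFC 7748) over GF(2^255 - 19). Added example, not The Gentlemen's code.
P = 2**255 - 19
A24 = 121665                            # (A - 2) / 4 for the curve y^2 = x^3 + 486662 x^2 + x
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte private scalar as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127                        # the top bit of the u-coordinate is ignored
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder; returns the u-coordinate of scalar * u as 32 little-endian bytes."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    # z2 == 0 only for low-order inputs; pow(0, P-2, P) == 0, so the output is all zeros as RFC 7748 specifies.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv: bytes = None):
    """Return (private, public); the private scalar defaults to 32 fresh random bytes."""
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def locker_file_key(operator_pub: bytes):
    """Victim-side step (assumed construction): ephemeral key pair per file, shared secret hashed
    to the 32-byte symmetric key, ephemeral private key discarded. Only eph_pub is stored with the file."""
    eph_priv, eph_pub = keypair()
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    del eph_priv                        # never written to disk; the locker has no further use for it
    return file_key, eph_pub


def operator_file_key(operator_priv: bytes, eph_pub: bytes) -> bytes:
    """Operator-side step: the same secret from the operator's private key and the stored eph_pub."""
    return hashlib.sha256(x25519(operator_priv, eph_pub)).digest()


if __name__ == "__main__":
    op_priv, op_pub = keypair()                     # op_pub is what ships inside the locker
    fk, stored_eph_pub = locker_file_key(op_pub)    # fk encrypts the file, stored_eph_pub lands on disk
    print(operator_file_key(op_priv, stored_eph_pub) == fk)
```

The asymmetry is the whole point for incident responders: dumping the running locker yields the operator's public key and, at best, the keys of files encrypted while the process was alive, never the operator's private key. A pure-Python ladder like this one is fine for verifying artifacts offline but is not constant-time; anything that handles real keys should use a vetted library.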

Operational Assessment

The Gentlemen RaaS demonstrates a capable and rapidly evolving ransomware operation despite its relatively recent emergence. Its combination of multi-platform encryption capabilities, built-in lateral movement and propagation mechanisms, enterprise-focused intrusion techniques, and integration with established tooling such as Cobalt Strike indicates a developing but increasingly effective ecosystem. The observed use of SystemBC highlights the broader trend of ransomware affiliates incorporating modular post-exploitation tools to extend capability beyond native ransomware functions.

Analyst Commentary

PolySwarm analysts consider The Gentlemen to be an emerging threat. This ransomware’s activity reinforces a broader trend in ransomware operations: the convergence of multiple specialized tools into coordinated intrusion workflows. Rather than relying solely on the ransomware payload, affiliates leverage credential access tools, proxy malware, and centralized frameworks to establish resilient, multi-layered access prior to encryption.

Addressing this complexity requires broader visibility into diverse and rapidly evolving artifacts across the intrusion lifecycle. PolySwarm supports this by enabling organizations to submit and search artifacts across a marketplace of specialized micro-engines. These engines analyze samples and return verdicts and associated metadata, which are aggregated into a unified PolyScore. By leveraging multiple independent detection approaches, this model can increase the likelihood of identifying malicious or anomalous artifacts, including those that may not yet be widely recognized across traditional detection pipelines.

IOCs

PolySwarm has multiple samples of The Gentlemen.

 

The Gentlemen (Windows)

22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67

2ed9494e9b7b68415b4eb151c922c82c0191294d0aa443dd2cb5133e6bfe3d5d

3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235

48d9b2ce4fcd6854a3164ce395d7140014e0b58b77680623f3e4ca22d3a6e7fd

62c2c24937d67fdeb43f2c9690ab10e8bb90713af46945048db9a94a465ffcb8

860a6177b055a2f5aa61470d17ec3c69da24f1cdf0a782237055cba431158923

87d25d0e5880b3b5cd30106853cbfc6ef1ad38966b30d9bd5b99df46098e546c

8c87134c1b45e990e9568f0a3899b0076f94be16d3c40fa824ac1e6c6ee892db

91415e0b9fe4e7cbe43ec0558a7adf89423de30d22b00b985c2e4b97e75076b1

994d6d1edb57f945f4284cc0163ec998861c7496d85f6d45c08657c9727186e3

9f61ff4deb8afced8b1ecdc8787a134c63bde632b18293fbfc94a91749e3e454

a7a19cab7aab606f833fa8225bc94ec9570a6666660b02cc41a63fe39ea8b0ad

b67958afc982cafbe1c3f114b444d7f4c91a88a3e7a86f89ab8795ac2110d1e6

c7f7b5a6e7d93221344e6368c7ab4abf93e162f7567e1a7bcb8786cb8a183a73

ec368ae0b4369b6ef0da244774995c819c63cffb7fd2132379963b9c1640ccd2

efaf8e7422ffd09c7f03f1a5b4e5c2cc32b05334c18d1ccb9673667f8f43108f

f736be55193c77af346dbe905e25f6a1dee3ec1aedca8989ad2088e4f6576b12

fc75ed2159e0c8274076e46a37671cfb8d677af9f586224da1713df89490a958

 

The Gentlemen (Linux)

788ba200f776a188c248d6c2029f00b5d34be45d4444f7cb89ffe838c39b8b19


Click here to view all samples of The Gentlemen in our PolySwarm portal.

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

 

Topics: Threat Bulletin, Ransomware, RaaS, Cobalt Strike, SystemBC, lateral movement, enterprise compromise, GPO abuse, proxy malware
