The Gentlemen RaaS has rapidly expanded in early 2026, claiming over 320 victims and offering multi‑platform lockers written in Go for Windows, Linux, NAS and BSD plus a C‑based ESXi variant. Incident response telemetry shows affiliates deploying SystemBC and Cobalt Strike, revealing a botnet of over 1,570 likely corporate victims and demonstrating GPO‑based mass deployment, robust lateral movement, and aggressive defense‑evasion. #TheGentlemen #SystemBC
Key points
- The Gentlemen RaaS advertises multi‑OS lockers and attracts numerous affiliates via underground forums.
- Affiliates deployed SystemBC and Cobalt Strike, and telemetry links a C2 to a ~1,570‑host botnet focused on organizations.
- Attackers achieved Domain Admin presence and propagated via ADMIN$ shares, PsExec, WMI, scheduled tasks, services, and GPO deployment (–gpo/–spread).
- The operation disables Defender and firewalls, deletes shadow copies and logs, and can overwrite free space to hinder recovery.
- Files are encrypted using ephemeral X25519 key exchange and XChaCha20 with selectable fast modes and per‑file footers for attacker‑only decryption.
Read More: https://research.checkpoint.com/2026/dfir-report-the-gentlemen/