
// #c2-infrastructure

1 article

🔬 Assessment

Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise

Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. Deploying through GPO requires rights to create and link policy objects in the domain, which in practice means the attackers already held Domain Admin-level access days before encryption. Defenders should read GPO-based distribution as evidence of extended dwell time, not as the intrusion's starting point.
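One way to surface that marker on the domain controllers, as an added example rather than Check Point Research's tooling: parse Windows Security Event ID 5136 (directory service object modified) records, which a DC emits when "Audit Directory Service Changes" is enabled, and flag edits to groupPolicyContainer objects that wire in client-side extensions capable of running code on every machine in scope. The gap between the first such edit and the encryption event is a lower bound on dwell time at Domain Admin level. The sample events, the DC name, the service account and the expected-editor list are constructed; the CSE GUIDs are the well-known ones as I recall them and should be verified against your own AD before use.

```python
"""Hunt for ransomware staging via Group Policy in DC audit logs (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Client-side extensions that let a GPO push code to every member in scope.
# Assumption: well-known CSE GUIDs as recalled; confirm before relying on them.
CODE_EXEC_CSES = {
    "{AADCED64-746C-4633-A97C-D61349046527}": "Preferences: Scheduled Tasks",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (startup/shutdown)",
    "{C6DC5466-785A-4F9F-8D23-EE0B8E9C8D4D}": "Software Installation",
}
# Hypothetical: the only accounts that legitimately edit GPOs in this domain.
EXPECTED_GPO_EDITORS = {"CORP\\gpo-admin"}
VALUE_ADDED = "%%14674"  # OperationType for "value added" in 5136 events


def _event(ts, user, dn, attr, value, op=VALUE_ADDED):
    """Build a constructed 5136 record in the Windows event XML layout."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>5136</EventID><TimeCreated SystemTime="{ts}"/>
  <Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectDN">{dn}</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
    <Data Name="AttributeLDAPDisplayName">{attr}</Data>
    <Data Name="AttributeValue">{value}</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


LEGIT_GPO = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
ROGUE_GPO = "CN={3F2504E0-4F89-41D3-9A0C-0305E82C3301},CN=Policies,CN=System,DC=corp,DC=example"
SCHED_TASK_CSE = ("[{AADCED64-746C-4633-A97C-D61349046527}"
                  "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]")

# Constructed sample telemetry, not real events.
SAMPLE_5136_EVENTS = [
    _event("2025-01-06T03:12:44Z", "gpo-admin", LEGIT_GPO, "versionNumber", "17"),
    _event("2025-01-07T01:58:10Z", "svc_backup", ROGUE_GPO,
           "gPCMachineExtensionNames", SCHED_TASK_CSE),
    _event("2025-01-09T23:40:02Z", "svc_backup", ROGUE_GPO, "versionNumber", "3"),
]
ENCRYPTION_TIME = datetime(2025, 1, 11, 1, 58, 10, tzinfo=timezone.utc)


def _data(event_data, name):
    for d in event_data.findall("e:Data", NS):
        if d.get("Name") == name:
            return d.text or ""
    return ""


def parse_5136(xml_text):
    """Return the fields we care about, or None if not a GPO-container change."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:EventID", NS).text != "5136":
        return None
    data = root.find("e:EventData", NS)
    if _data(data, "ObjectClass") != "groupPolicyContainer":
        return None
    ts = system.find("e:TimeCreated", NS).get("SystemTime")[:19]
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc),
        "subject": f"{_data(data, 'SubjectDomainName')}\\{_data(data, 'SubjectUserName')}",
        "dn": _data(data, "ObjectDN"),
        "attribute": _data(data, "AttributeLDAPDisplayName"),
        "value": _data(data, "AttributeValue"),
        "op": _data(data, "OperationType"),
    }


def find_gpo_staging(xml_events):
    """Flag GPO edits that enable code execution or come from unexpected editors."""
    findings = []
    for xml_text in xml_events:
        ev = parse_5136(xml_text)
        if ev is None:
            continue
        reasons = []
        if ev["attribute"] == "gPCMachineExtensionNames" and ev["op"] == VALUE_ADDED:
            for guid, label in CODE_EXEC_CSES.items():
                if guid.lower() in ev["value"].lower():
                    reasons.append(f"enables {label}")
        if ev["subject"] not in EXPECTED_GPO_EDITORS:
            reasons.append("editor outside expected GPO admins")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return sorted(findings, key=lambda f: f["time"])


def dwell_days(findings, encryption_time):
    """Lower bound on Domain Admin-level dwell: first flagged GPO edit to encryption."""
    if not findings:
        return None
    return (encryption_time - findings[0]["time"]).total_seconds() / 86400


if __name__ == "__main__":
    hits = find_gpo_staging(SAMPLE_5136_EVENTS)
    for h in hits:
        print(h["time"], h["subject"], h["dn"].split(",")[0], "; ".join(h["reasons"]))
    print("dwell (days):", dwell_days(hits, ENCRYPTION_TIME))
```

The benign gpo-admin edit produces no finding; the service account's edit that attaches the Scheduled Tasks extension to a new policy object is the earliest hit and dates the Domain Admin-level compromise four days before encryption in this constructed timeline. In a real hunt, feed the function the 5136 stream from every DC (the edit lands on whichever DC the attacker bound to) and treat any hit before the encryption timestamp as the floor for the incident's scope, not its start.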

#ransomware +6

Commentary tagged #c2-infrastructure

Opinion

Attackers Discovered That Developer Tools Make Better C2 Infrastructure Than Their Own Servers

KidsProtect's use of VS Code Remote Tunnels and Discord webhooks for command-and-control is not a stalkerware quirk; it is the latest example of a systematic shift toward legitimate cloud services as attack infrastructure. When defenders cannot block VS Code tunnels without breaking developer workflows, the destination-based network controls that security architecture depends on stop working.
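What replaces a blanket block, as an added example that is not KidsProtect's code or anything from the editorial: evaluate proxy traffic against who the source host is rather than only where it is going. Tunnel traffic is expected from enrolled developer workstations and flagged from everything else; Discord webhook POSTs are flagged from any workstation, since no end-user workflow needs to publish to a webhook. The tunnel hostnames are my understanding of the service's endpoints and should be verified against Microsoft's published list; the log format, host names and asset inventory are constructed.

```python
"""Identity-aware proxy policy for developer tooling abused as C2 (added example)."""
import re
from urllib.parse import urlsplit

# Assumption: hostnames used by VS Code Remote Tunnels / dev tunnels; verify.
TUNNEL_HOST_SUFFIXES = (".devtunnels.ms", ".tunnels.api.visualstudio.com")
# Discord webhook endpoint shape: /api/webhooks/<id>/<token>
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/\d+/[\w-]+", re.ASCII)
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

# Hypothetical asset inventory: hosts enrolled as developer workstations.
DEV_WORKSTATIONS = {"ws-dev-017", "ws-dev-042"}

# Constructed proxy log, not real telemetry: "<ts> <src-host> <method> <target> <status>"
SAMPLE_PROXY_LOG = """\
2025-03-02T09:14:03Z ws-dev-017 CONNECT global.rel.tunnels.api.visualstudio.com:443 200
2025-03-02T09:14:05Z ws-dev-017 CONNECT 8q3x7z1k-8080.euw.devtunnels.ms:443 200
2025-03-02T09:21:40Z ws-fin-203 CONNECT global.rel.tunnels.api.visualstudio.com:443 200
2025-03-02T09:21:41Z ws-fin-203 CONNECT 2b9kd0vq-22.use.devtunnels.ms:443 200
2025-03-02T09:30:12Z ws-fin-203 POST https://discord.com/api/webhooks/1234567890/abcDEF-xyz 204
2025-03-02T09:33:58Z ws-dev-042 GET https://discord.com/channels/@me 200
"""


def classify(line):
    """Return (verdict, reason) for one proxy log line."""
    _ts, src_host, method, target, _status = line.split()
    if method == "CONNECT":                    # TLS tunnel: only host:port visible
        dest_host, path = target.rsplit(":", 1)[0].lower(), ""
    else:                                      # plain/decrypted request: full URL
        parts = urlsplit(target)
        dest_host, path = (parts.hostname or "").lower(), parts.path
    if dest_host.endswith(TUNNEL_HOST_SUFFIXES):
        if src_host in DEV_WORKSTATIONS:
            return "allow", "dev tunnel from enrolled developer workstation"
        return "alert", f"dev tunnel from non-developer host {src_host}"
    if dest_host in DISCORD_HOSTS and method == "POST" and DISCORD_WEBHOOK.match(path):
        return "alert", f"Discord webhook POST from {src_host} (beacon/exfil pattern)"
    return "allow", "no policy match"


def evaluate(log_text):
    """Run the policy over a log and return [(src_host, reason)] for every alert."""
    alerts = []
    for line in log_text.strip().splitlines():
        verdict, reason = classify(line)
        if verdict == "alert":
            alerts.append((line.split()[1], reason))
    return alerts


if __name__ == "__main__":
    for host, reason in evaluate(SAMPLE_PROXY_LOG):
        print(host, "->", reason)
```

The developer workstation's tunnel sessions pass, the same destinations from a finance workstation produce alerts, and the webhook POST is caught even though ordinary Discord browsing from a developer is allowed. The policy still needs an accurate inventory and visibility into the request path for the webhook rule (a bare CONNECT to discord.com shows only the host), which is the practical cost of moving the decision from "which domain" to "which host, which path".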

CipherWatch Editorial

Security Intelligence Platform