Threat actors linked to The Gentlemen ransomware operation have been observed deploying SystemBC, with researchers tying the malware’s infrastructure to a botnet of more than 1,570 victims.

Check Point Links SystemBC Activity to The Gentlemen Ransomware Operation

The420.in Staff

Threat actors linked to The Gentlemen ransomware-as-a-service operation have been observed attempting to deploy SystemBC, a known proxy malware, in a development that researchers say has exposed a botnet of more than 1,570 victims and points to the expanding reach of the group’s infrastructure.

SystemBC Deployment Highlights Expanding Tradecraft

According to Check Point's research, a command-and-control server associated with SystemBC was linked to a botnet affecting more than 1,570 victims. The malware establishes SOCKS5 network tunnels within a victim's environment and connects to its command-and-control server through a custom RC4-encrypted protocol. Researchers said it can also download and execute additional malware, with payloads either written to disk or injected directly into memory.

The Gentlemen has emerged rapidly since July 2025 and has claimed more than 320 victims on its data leak site. It is described as operating a double-extortion model and targeting Windows, Linux, NAS and BSD systems with a Go-based locker, while also employing legitimate drivers and custom tools to evade defences.


Ransomware Group Tied to Broad Global Activity

The exact route of initial access remains unclear, though evidence suggests abuse of internet-facing services or compromised credentials, followed by discovery, lateral movement, payload staging and ransomware deployment. One notable feature is the abuse of Group Policy Objects to facilitate domain-wide compromise.

Check Point said an affiliate of The Gentlemen deployed SystemBC on a compromised host, with the linked command server controlling hundreds of victims across the United States, the United Kingdom, Germany, Australia and Romania. The precise relationship between SystemBC and The Gentlemen remains unclear, including whether the malware is a standard part of the group’s playbook or something used by a specific affiliate for data exfiltration and remote access.

Researchers also said the ransomware attempts to disable Windows Defender during lateral movement by pushing a PowerShell script that turns off real-time monitoring, broadens exclusions, shuts down the firewall, re-enables SMB1 and loosens LSA anonymous access controls before deploying the ransomware binary. The ESXi variant, according to the report, includes fewer functions than the Windows version but is able to shut down virtual machines, add persistence through crontab and inhibit recovery before deployment.
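An added defender-side check, written for this article rather than taken from Check Point or the article itself: a PowerShell audit that reports whether a host already shows the tampering state described above (real-time monitoring off, broad exclusions, firewall profiles off, SMB1 on, anonymous LSA access loosened). It assumes a Windows 10/Server 2016 or later host with the Defender, NetSecurity and SmbShare modules, run from an elevated session; the function name is my own.

```powershell
# Added example, not from the article or Check Point. Reads the host's current
# settings and returns a list of findings; an empty list means none of the
# tampering described in the report is present. Requires an elevated session.
function Get-DefenceTamperingFindings {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. Defender real-time monitoring turned off
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled'
    }

    # 2. Overly broad exclusions: drive roots, wildcards, or whole extensions
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -match '^[A-Za-z]:\\?$' -or $p -match '\*') {
            $findings += "Broad Defender path exclusion: $p"
        }
    }
    if (@($mp.ExclusionExtension).Count -gt 0) {
        $findings += "Extension exclusions present: $($mp.ExclusionExtension -join ', ')"
    }

    # 3. Windows Firewall profiles switched off (Enabled is a GpoBoolean enum)
    foreach ($prof in Get-NetFirewallProfile) {
        if ("$($prof.Enabled)" -eq 'False') {
            $findings += "Firewall profile disabled: $($prof.Name)"
        }
    }

    # 4. SMB1 re-enabled on the server side
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMB1 server protocol is enabled'
    }

    # 5. LSA anonymous access loosened from the Windows defaults
    #    (RestrictAnonymousSAM defaults to 1, EveryoneIncludesAnonymous to 0)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymousSAM -eq 0) {
        $findings += 'LSA RestrictAnonymousSAM is 0 (anonymous SAM enumeration allowed)'
    }
    if ($lsa.EveryoneIncludesAnonymous -eq 1) {
        $findings += 'LSA EveryoneIncludesAnonymous is 1 (anonymous gets Everyone rights)'
    }

    return ,$findings
}

Get-DefenceTamperingFindings | ForEach-Object { Write-Warning $_ }
```

Compare RestrictAnonymous itself against your own baseline rather than a fixed value, since its default differs between workstations and domain controllers.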

Wider Ransomware Pressure Continues to Build

A Check Point researcher said the true scale of The Gentlemen operation appears larger than public reporting suggests and is still growing. The findings are placed alongside separate research on another ransomware family, Kyber, which surfaced in September 2025 and targets Windows and VMware ESXi infrastructure using encryptors developed in Rust and C++.

The researchers also cite data from ZeroFox showing at least 2,059 separate ransomware and digital extortion incidents in the first quarter of 2026, with March alone accounting for 747 incidents. During that period, the most active groups were listed as Qilin, Akira, The Gentlemen, INC Ransom and Cl0p. North America-based victims accounted for about 20 per cent of The Gentlemen's attacks in the third quarter of 2025, 2 per cent in the fourth quarter of 2025 and 13 per cent in the first quarter of 2026.

Separate findings cited from Halcyon describe ransomware as a maturing, business-driven criminal enterprise marked by increasing attempts to impair endpoint detection and response tools, the use of bring-your-own-vulnerable-driver techniques, and more aggressive targeting of small and mid-sized organisations and operational technology environments. Halcyon also reports that ransomware attacks are becoming faster, with dwell times shrinking from days to hours, and that about 69 per cent of observed attack attempts were deliberately staged during nights and weekends to outpace defender response.

About the author – Rehan Khan is a law student and legal journalist with a keen interest in cybercrime, digital fraud, and emerging technology laws. He writes on the intersection of law, cybersecurity, and online safety, focusing on developments that impact individuals and institutions in India.
