The Gentlemen RaaS and SystemBC: New Proxy Malware Botnet Exposes 1,570 Corporate Victims
A rapidly expanding ransomware-as-a-service (RaaS) program known as The Gentlemen has claimed more than 320 victims since mid-2025, with 240 attacks recorded in the first months of 2026, according to new incident response findings. During a recent compromise, an affiliate of the group deployed SystemBC, proxy malware that creates covert SOCKS5 tunnels, enabling persistent remote access and data exfiltration.
Check Point Research observed telemetry from the SystemBC command-and-control server, revealing a botnet of over 1,570 victims. The infection profile strongly suggests a focus on corporate and organizational environments rather than opportunistic consumer targeting.
“The combination of a versatile RaaS platform with a dedicated proxy tool like SystemBC marks a dangerous escalation in human-operated ransomware tactics,” said a senior threat intelligence analyst at Check Point. “Affiliates now have a stealthy, multi-platform arsenal to breach and pivot within enterprise networks.”
The Gentlemen RaaS provides affiliates with a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus an additional locker written in C for ESXi. This coverage spans the multiple platforms commonly found in corporate environments.
Background
The Gentlemen emerged around mid-2025, advertising its ransomware platform on underground forums and inviting penetration testers and technically skilled actors to join as affiliates. The group grants verified partners access to EDR-killing tools and its own multi-chain pivot infrastructure, including server and client components.

The operators maintain an onion site for publishing stolen data from non-paying victims, but negotiations occur directly via the affiliate’s Tox ID (Tox is a decentralized, peer-to-peer encrypted messaging protocol). The group also uses a Twitter/X account, referenced in the ransom note, to publicly name victims and increase pressure to pay.

“The explicit use of social media to shame victims is a coercive tactic we’re seeing more frequently,” noted an incident response lead at a major cybersecurity firm. “It adds a public relations dimension to the ransom negotiation.”
What This Means
The growing popularity of The Gentlemen RaaS and its integration with SystemBC signals a shift toward more organized, multi-stage ransomware campaigns. Affiliates can now leverage a modular proxy malware to establish persistent tunnels, bypass network defenses, and exfiltrate data before triggering the locker.
Security teams should prioritize network segmentation, monitor for unusual SOCKS5 traffic, and deploy endpoint detection rules specific to SystemBC’s tunneling behavior. Regular threat intelligence feeds from sources like Check Point can help identify emerging command-and-control infrastructure.
“This is not a matter of if but when an organization will encounter these tools,” the Check Point analyst added. “Proactive threat hunting and rapid incident response are no longer optional — they are essential.”
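As an added example (not from Check Point or the original article), the recommendation above to monitor for unusual SOCKS5 traffic can be sketched as a check over the first payload bytes of each TCP flow, flagging any host outside an approved-proxy list that answers a SOCKS5 negotiation. It matches only the cleartext handshake defined in RFC 1928; the article does not describe SystemBC's own wire format, so this is a generic SOCKS5 check, and the `Flow` record, the allowlist, and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SOCKS5_VERSION = 0x05
NO_ACCEPTABLE_METHOD = 0xFF
# Assumption: hosts sanctioned to run a SOCKS proxy (constructed address).
APPROVED_PROXIES = {"10.0.5.10"}

@dataclass
class Flow:
    client: str
    server: str
    server_port: int
    c2s: bytes  # first payload bytes sent by the connection initiator
    s2c: bytes  # first payload bytes sent back by the responder

def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 greeting: VER=5, NMETHODS=n (n >= 1), then n method bytes."""
    if len(data) < 3 or data[0] != SOCKS5_VERSION:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) >= 2 + nmethods

def is_method_reply(data: bytes, offered: bytes) -> bool:
    """RFC 1928 reply: VER=5 plus a method the client offered, or 0xFF."""
    return (len(data) >= 2 and data[0] == SOCKS5_VERSION
            and (data[1] in offered or data[1] == NO_ACCEPTABLE_METHOD))

def find_unsanctioned_socks5(flows):
    """Return flows where a host outside APPROVED_PROXIES answered as a SOCKS5 server."""
    hits = []
    for flow in flows:
        if not is_socks5_greeting(flow.c2s):
            continue
        offered = flow.c2s[2:2 + flow.c2s[1]]
        if is_method_reply(flow.s2c, offered) and flow.server not in APPROVED_PROXIES:
            hits.append(flow)
    return hits

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.8.21", "10.0.8.40", 4001, b"\x05\x01\x00", b"\x05\x00"),
    Flow("10.0.8.22", "10.0.5.10", 1080, b"\x05\x02\x00\x02", b"\x05\x02"),
    Flow("10.0.8.23", "10.0.9.9", 443, b"\x16\x03\x01\x02\x00", b"\x16\x03\x03\x00\x5a"),
    Flow("10.0.8.24", "10.0.9.7", 9000, b"\x05\x09\x00", b"\x05\x00"),
    Flow("10.0.8.25", "10.0.9.8", 8080, b"\x05\x01\x00", b"HTTP/1.1 400"),
]

if __name__ == "__main__":
    for hit in find_unsanctioned_socks5(SAMPLE_FLOWS):
        print(f"SOCKS5 responder {hit.server}:{hit.server_port} (client {hit.client})")
```

Requiring both the client greeting and a consistent server reply keeps TLS, HTTP, and other protocols that happen to start with byte 0x05 from being flagged.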