
SystemBC C2 Server Exposes Over 1,570 Victims in Gentlemen Ransomware Operation


Threat actors connected to the Gentlemen ransomware-as-a-service (RaaS) operation have recently been observed deploying a well-known proxy malware called SystemBC. The finding comes from new research published by Check Point, which reports that the command-and-control (C2 or C&C) server associated with this SystemBC deployment controls a botnet of over 1,570 compromised victims.

SystemBC establishes SOCKS5 network tunnels inside the victim's environment and communicates with its C2 server over a custom RC4-encrypted protocol. Beyond proxying traffic, the malware can download and execute additional malicious payloads, either writing them to disk or injecting them directly into memory.

Since its emergence in July 2025, the Gentlemen group has rapidly solidified its reputation as one of the most aggressive ransomware collectives. They have claimed more than 320 victims on their data leak site alone. Operating under a classic double-extortion model, this group demonstrates a remarkable level of sophistication and versatility, targeting multiple platforms, including Windows, Linux, NAS, and BSD systems. They utilize a Go-based locker and incorporate genuine drivers and custom malicious tools to bypass traditional defenses effectively.

While the exact methods these threat actors use to gain initial access remain unclear, the evidence points toward exploitation of internet-facing services or use of compromised credentials to establish a foothold in victim networks. From there, the intrusion proceeds through reconnaissance, lateral movement, payload staging with tools such as Cobalt Strike and SystemBC, and finally ransomware deployment. A distinguishing feature of their attacks is the use of Group Policy Objects (GPOs) to push the compromise across the whole domain at once.

The Gentlemen’s tactics indicate a pronounced understanding of their targets’ environments. An analysis by security vendor Trend Micro noted that the group engages in extensive reconnaissance and modification of their tools to tailor their approaches against specific security vendors. This adaptability demonstrates a level of sophistication that sets them apart from typical ransomware operators.

In one recent incident outlined by Check Point, an affiliate of the Gentlemen RaaS was identified deploying SystemBC on a compromised system, with the associated C2 server commandeering hundreds of victims across various countries, including the United States, the United Kingdom, Germany, Australia, and Romania. Although SystemBC has been utilized in ransomware operations since at least 2020, the specific nature of its relationship with the Gentlemen’s criminal enterprise remains ambiguous. It is unclear whether the malware is a standard component of their attack strategy or if it has been employed by certain affiliates for more targeted objectives such as data exfiltration and remote access.

During lateral movement, the ransomware attempts to blind Windows Defender on every reachable remote host. It does this by deploying a PowerShell script that disables real-time monitoring, adds extensive exclusions, shuts down the firewall, re-enables SMB1, and weakens LSA anonymous-access controls, all before launching the ransomware binary on the compromised host. The ESXi variant of the ransomware, while less feature-rich than its Windows counterpart, shuts down virtual machines before encryption, adds persistence through crontab, and inhibits recovery efforts.
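The host-hardening changes described above leave a configuration footprint that can be checked from the defender's side. The following read-only audit script is an added example and is not part of the Check Point report or of the group's tooling; the function name `Test-DefenderTampering`, the exclusion-count threshold and the 24-hour event window are assumptions to be tuned to the environment. It uses only documented cmdlets (Get-MpPreference, Get-NetFirewallProfile, Get-SmbServerConfiguration, Get-ItemProperty, Get-WinEvent) and should be run in an elevated PowerShell session on the host under review.

```powershell
# Added example (not from the report or the group's tooling): read-only audit of a
# Windows host for the settings the article says the pre-encryption script changes.
# Run elevated. Thresholds and the 24h window are assumptions; tune per environment.

function Test-DefenderTampering {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Real-time monitoring disabled, or unusually broad Defender exclusions.
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) {
        $findings.Add('Defender real-time monitoring is disabled')
    }
    $exclusionCount = @($mp.ExclusionPath).Count + @($mp.ExclusionExtension).Count + @($mp.ExclusionProcess).Count
    if ($exclusionCount -gt 10) {   # assumed baseline; most workstations have far fewer
        $findings.Add("Defender has $exclusionCount exclusions (paths/extensions/processes)")
    }
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -match '^[A-Za-z]:\\?$') {   # an entire drive root excluded from scanning
            $findings.Add("Exclusion covers an entire drive: $p")
        }
    }

    # 2. Windows Firewall turned off on any profile (Domain, Private, Public).
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ("$($fwProfile.Enabled)" -eq 'False') {
            $findings.Add("Firewall disabled for profile $($fwProfile.Name)")
        }
    }

    # 3. SMB1 re-enabled on the server side.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add('SMB1 protocol is enabled on the SMB server')
    }

    # 4. LSA anonymous-access hardening weakened. RestrictAnonymousSAM defaults to 1 and
    #    EveryoneIncludesAnonymous to 0; RestrictAnonymous varies by role, so it is only
    #    reported for comparison against your own baseline.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($lsa.RestrictAnonymousSAM -ne 1) { $findings.Add("LSA RestrictAnonymousSAM is $($lsa.RestrictAnonymousSAM)") }
    if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings.Add('LSA EveryoneIncludesAnonymous is 1') }

    # 5. Corroboration: Defender configuration-change events (ID 5007) in the last 24h.
    $since = (Get-Date).AddHours(-24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue
    if ($events) {
        $findings.Add("$(@($events).Count) Defender configuration changes (ID 5007) since $since")
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RestrictAnonymous = $lsa.RestrictAnonymous
        Suspicious        = $findings.Count -gt 0
        Findings          = $findings
    }
}

Test-DefenderTampering | Format-List
```

Because the article describes the script being pushed to every reachable host before the locker runs, the useful deployment is fleet-wide: wrap the call in Invoke-Command against a list of hosts and alert on any result where Suspicious is true, or on a burst of 5007 events across many hosts in a short window, which is the signal that the tampering stage is under way rather than an isolated admin change.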

Eli Smadja, a group manager at Check Point Research, remarked that the Gentlemen have distinguished themselves in the ransomware landscape. Unlike many groups that make headlines with high-profile attacks only to disappear, the Gentlemen have effectively solved the affiliate recruitment challenge by providing a more appealing offering within the criminal ecosystem. The researchers have also uncovered over 1,570 compromised corporate networks that had remained under the radar, indicating that the true scale of this operation is far larger than publicly perceived, and it continues to expand.

Separately, Rapid7 has recently detailed another emergent ransomware family named Kyber, which surfaced in September 2025. This group targets Windows and VMware ESXi infrastructure using encryptors developed in Rust and C++. The ESXi variant is tailored specifically to VMware environments and is capable of datastore encryption, optional virtual machine termination, and manipulation of management interfaces.

Data compiled by ZeroFox indicates that there were at least 2,059 ransomware and digital extortion incidents observed in the initial quarter of 2026, with March alone accounting for 747 such incidents. Within this timeframe, the Gentlemen emerged as one of the most active groups, having conducted 192 attacks, a testament to their operational scale and ongoing threat.

Ransomware is shifting toward a more disciplined, business-oriented criminal enterprise. Reports indicate that attacks increasingly targeted the automotive sector, more than doubling in frequency in 2025. The report underscores the need for organizations to bolster their defenses against a fast-evolving landscape. With threat actors rapidly adapting and improving their tactics, organizations must be vigilant and proactive in their cybersecurity measures to counter these increasingly sophisticated criminal enterprises.
