
Gentlemen ransomware now uses SystemBC for bot-powered attacks

A SystemBC proxy malware botnet of more than 1,570 hosts, most of them believed to belong to corporate targets, was discovered during an investigation into an attack by the Gentlemen ransomware gang.

The Gentlemen ransomware-as-a-service (RaaS) operation appeared in mid-2025 and offers a Go-based locker that can encrypt Windows, Linux, NAS, and BSD systems, as well as a C-based locker for ESXi hypervisors.

Last December, it compromised one of Romania’s largest energy suppliers, the Oltenia Energy Complex. Earlier this month, the Adaptavist Group disclosed a breach after the Gentlemen ransomware gang listed the company on its data leak site.


Although the RaaS operation has publicly claimed about 320 victims, most of them in attacks that took place this year, Check Point researchers found that Gentlemen ransomware affiliates are expanding their attack tooling and infrastructure.

During an incident response engagement, researchers discovered that an affiliate of the ransomware operation attempted to use the proxy malware to deliver encrypted payloads.

“Check Point Research observed victim telemetry from the appropriate SystemBC command and control, revealing a botnet of more than 1,570 victims, with an infection profile strongly suggesting a focus on the business and organizational environment rather than a focus on opportunistic consumers,” the researchers said in a report today.

SystemBC has been around since at least 2019 and is used to create SOCKS5 proxy tunnels. Because it can also deliver payloads to infected systems, it was quickly adopted by ransomware operators.

Despite law enforcement action against it in 2024, the botnet is still active, and last year Black Lotus Labs reported that it was infecting 1,500 commercial virtual private servers (VPS) every day to relay malicious traffic.

According to Check Point, most of the victims linked to SystemBC’s Gentlemen deployment are located in the United States, the United Kingdom, Germany, Australia and Romania.

Location of infected entities
Source: Check Point

“A specific Command and Control server used to communicate had infected a large number of victims worldwide. Most of those victims are likely to be companies and organizations, given that SystemBC is typically used as part of a person’s workflow rather than a major target,” Check Point said.

Researchers aren’t sure how SystemBC entered the Gentlemen ransomware ecosystem and couldn’t determine whether the malware is being used by multiple affiliates.

Chain of infection and encryption scheme

Although Check Point was unable to determine the initial access vector for the observed attack, researchers say that the Gentlemen threat actor operated from a Domain Controller with domain administrator privileges.

From there, the attacker validated which credentials were still working before pushing Cobalt Strike payloads to remote systems over RPC.

Lateral movement was supported by credential harvesting with Mimikatz and remote execution. The attackers staged the ransomware on an internal server and abused built-in distribution mechanisms and Group Policy Objects (GPO) to trigger simultaneous execution of the encryptor on all domain-joined systems.

Gentlemen ransomware attack chain
Source: Check Point

According to the researchers, the malware uses a hybrid encryption scheme based on X25519 (Diffie-Hellman) key exchange and XChaCha20, with a random ephemeral key pair generated for each file.

Files under 1 MB are fully encrypted, while for larger files only about 9%, 3%, or 1% of the data is encrypted, in chunks spread across the file (intermittent encryption).
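Intermittent encryption of the kind described above leaves a recognisable footprint: a file whose content is mostly low-entropy with islands of near-random bytes. The following is an added example, not code from Check Point's report, that measures per-chunk Shannon entropy to flag files that look partially or fully encrypted; the 64 KiB window and the 7.5 bits/byte threshold are assumptions chosen for illustration, not values taken from the locker.

```python
import math
import secrets
from collections import Counter

CHUNK = 64 * 1024      # analysis window (assumption; the report gives no block size)
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext sits near 8.0, text/structured data well below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypted_fraction(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY):
    """Return (fraction of high-entropy chunks, offsets of those chunks)."""
    offsets = list(range(0, len(data), chunk))
    flagged = [off for off in offsets if shannon_entropy(data[off:off + chunk]) >= threshold]
    return (len(flagged) / len(offsets) if offsets else 0.0), flagged


def classify(data: bytes) -> str:
    """Coarse verdict for a triage tool: plaintext, partially or fully encrypted."""
    frac, _ = encrypted_fraction(data)
    if frac >= 0.95:
        return "fully encrypted"
    if frac > 0:
        return "partially encrypted"
    return "plaintext"


def make_sample(num_chunks: int, enc_chunks: int) -> bytes:
    """Constructed test file: text filler with enc_chunks evenly spaced random (ciphertext-like) chunks."""
    filler = (b"The quick brown fox jumps over the lazy dog. " * (CHUNK // 45 + 1))[:CHUNK]
    # floor() of values spaced >= 1 apart guarantees enc_chunks distinct indices
    random_idx = {int(i * num_chunks / enc_chunks) for i in range(enc_chunks)}
    return b"".join(secrets.token_bytes(CHUNK) if i in random_idx else filler
                    for i in range(num_chunks))


if __name__ == "__main__":
    # 4 MiB constructed sample with 6 of 64 chunks encrypted, roughly the 9% tier described above
    sample = make_sample(64, 6)
    frac, hits = encrypted_fraction(sample)
    print(f"{classify(sample)}: {frac:.1%} of chunks high-entropy at offsets {hits}")
```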

Before encrypting, Gentlemen ransomware terminates database, backup software, and virtualization processes, and removes shadow copies and logs. The ESXi variant also shuts down running VMs so that their virtual disks are no longer locked and can be encrypted.

A ransom note for the ESXi variant
Source: Check Point

Gentlemen ransomware doesn’t make headlines often, but Check Point warns that the RaaS is growing rapidly and is advertising on underground platforms to recruit new affiliates.

Researchers believe that using SystemBC with Cobalt Strike and a botnet of 1,570 hosts may indicate that the Gentlemen ransomware gang is now operating at a higher level, “actively integrating a wide range of mature framework tools, exploits and proxy infrastructure.”

In addition to the indicators of compromise (IoCs) collected from the investigated incident, Check Point also provides signature-based detection in the form of YARA rules to help defenders protect against such attacks.
