A large-scale botnet powered by SystemBC proxy malware, comprising more than 1,570 infected machines, has been uncovered during an investigation into a Gentlemen ransomware attack carried out by an affiliate of the group. Evidence suggests that the majority of affected systems belong to corporate environments.
The Gentlemen ransomware-as-a-service (RaaS) operation surfaced around mid-2025, offering attackers multiple encryption tools. Its toolkit includes a Go-based locker capable of targeting Windows, Linux, NAS, and BSD systems, as well as a C-based encryptor designed for ESXi hypervisors.
In December, the group successfully breached one of Romania’s biggest energy companies, the Oltenia Energy Complex. More recently, The Adaptavist Group revealed a separate incident that was also claimed by the ransomware gang on its leak portal. While the operators have publicly listed around 320 victims—most from this year—researchers at Check Point note that affiliates are increasingly enhancing their infrastructure and attack methods.
During an incident response investigation, experts observed that a ransomware affiliate attempted to deploy SystemBC malware to enable stealthy delivery of malicious payloads. “Check Point Research observed victim telemetry from the relevant SystemBC command-and-control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting,” the researchers say in a report today.
SystemBC, active since at least 2019, is commonly used for SOCKS5 proxy tunneling. Its ability to deliver additional malicious payloads has made it a preferred tool among ransomware operators. Even after a law enforcement disruption in 2024, the botnet has remained active. In fact, Black Lotus Labs reported last year that it was compromising approximately 1,500 commercial virtual private servers (VPS) daily to route harmful traffic.
According to Check Point, the majority of infections tied to Gentlemen’s use of SystemBC are concentrated in the United States, the United Kingdom, Germany, Australia, and Romania. "The specific Command and Control server that was used for the communication had infected a large number of victims across the globe. It is likely that the majority of those victims are companies and organizations, given that SystemBC is typically deployed as part of human-operated intrusion workflows rather than massive targeting," Check Point says.
Researchers have not yet determined exactly how SystemBC integrates into the Gentlemen ransomware ecosystem, nor whether multiple affiliates are using the malware simultaneously.
Infection Chain and Encryption Strategy
Although the initial entry point remains unclear, investigators found that attackers operated from a Domain Controller with Domain Admin privileges. They validated credentials, performed network reconnaissance, and deployed Cobalt Strike payloads across systems using Remote Procedure Call (RPC).
The attackers moved laterally by harvesting credentials with Mimikatz and executing commands remotely. The ransomware payload was staged on an internal server and distributed using built-in propagation techniques and Group Policy Objects (GPO), enabling near-simultaneous encryption across domain-connected machines.
The encryption process uses a hybrid cryptographic model combining X25519 (Diffie–Hellman) and XChaCha20, generating a unique ephemeral key pair for each file. Files smaller than 1 MB are fully encrypted, while larger files are partially encrypted in chunks ranging from approximately 1% to 9%.
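The partial-encryption detail above has a direct consequence for detection: a whole-file entropy check, a common heuristic in file-integrity and canary-file tooling, barely moves when only a few percent of a large file is overwritten with ciphertext, whereas a windowed check still sees the encrypted chunk. The following Python is an added example, not Check Point's or the ransomware's code. It compares whole-file entropy against windowed entropy over three constructed samples: a 2 MiB text file with a 6.25 % chunk replaced by deterministic random bytes standing in for XChaCha20 output, a 512 KiB file fully replaced (the small-file case), and an untouched file. The 64 KiB window and the 7.5 bits/byte threshold are assumptions, and the chunk is aligned to the window purely for a clean illustration; the detector itself does not assume alignment.

```python
import math
import random
from collections import Counter

WINDOW = 64 * 1024   # 64 KiB analysis window (assumed; tune to typical file sizes)
THRESHOLD = 7.5      # bits/byte; ciphertext and compressed data sit close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~4-5 for English text, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flagged_windows(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> list:
    """Byte offsets of fixed-size windows whose entropy reaches the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def assess(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD) -> dict:
    """Classify a file as clean, partially encrypted, or fully encrypted.

    The whole-file figure alone would miss the partial case; the windowed scan
    is what catches a small encrypted chunk inside an otherwise normal file.
    """
    whole = shannon_entropy(data)
    hits = flagged_windows(data, window, threshold)
    if whole >= threshold:
        verdict = "fully_encrypted"
    elif hits:
        verdict = "partially_encrypted"
    else:
        verdict = "clean"
    return {
        "whole_file_entropy": round(whole, 3),
        "flagged_offsets": hits,
        "flagged_fraction": round(len(hits) * window / len(data), 4) if data else 0.0,
        "verdict": verdict,
    }


def _pseudo_ciphertext(n: int, seed: int) -> bytes:
    # Constructed stand-in for ciphertext: deterministic, uniformly random bytes.
    rng = random.Random(seed)
    return rng.getrandbits(8 * n).to_bytes(n, "big")


def build_samples():
    """Three constructed files: partially encrypted, fully encrypted, untouched."""
    sentence = b"The quick brown fox jumps over the lazy dog. "
    size = 2 * 1024 * 1024                                   # 2 MiB "document"
    plaintext = (sentence * (size // len(sentence) + 1))[:size]
    chunk = 128 * 1024                                       # 6.25 % of the file, inside the 1-9 % band
    partial = _pseudo_ciphertext(chunk, 1) + plaintext[chunk:]
    full = _pseudo_ciphertext(512 * 1024, 2)                 # below 1 MB: whole file replaced
    return partial, full, plaintext


if __name__ == "__main__":
    for label, sample in zip(("partial", "full", "clean"), build_samples()):
        print(label, assess(sample))
```

In practice the whole-file figure for the partial sample stays near the value of ordinary text, which is why file-monitoring logic that only compares a single entropy number before and after a write will not notice a chunked encryptor; scanning fixed windows (or the first and last few percent of a file, where chunked lockers often concentrate their work) is the cheap fix.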
Before initiating encryption, the ransomware terminates database services, backup tools, and virtualization processes, while also deleting Shadow Copies and logs. The ESXi variant additionally shuts down virtual machines to ensure disk-level encryption.
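The pre-encryption steps above (stopping database, backup and virtualization services; deleting Shadow Copies and logs) are noisy on the endpoint and typically run seconds to minutes before the locker, which makes them a better detection point than the encryption itself. The following Python is an added example and not part of the Check Point report: it parses constructed process-creation records (a pipe-delimited timestamp, host, user and command line, a format assumed here rather than any product's native one), classifies each command line against a small set of assumed typical patterns (the report names no specific commands), and raises an alert only for a host where two or more distinct behaviour classes fire within five minutes, so that a lone `net stop` from an administrator does not alert on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour classes with assumed typical command-line patterns (the report itself
# names no commands). Patterns tolerate a quoted full path such as "...\net.exe".
RULES = [
    ("shadow_copy_deletion",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("event_log_clearing",
     re.compile(r'wevtutil(\.exe)?"?\s+(cl|clear-log)\s', re.I)),
    ("service_termination",
     re.compile(r'\b(net|sc)(\.exe)?"?\s+stop\s|taskkill(\.exe)?"?\s.*\s/im\s', re.I)),
]

# Constructed sample records: timestamp|host|user|command line.
SAMPLE_LOG = r"""
2026-03-02T02:14:05Z|WS-FIN-07|CORP\svc_backup|"C:\Windows\System32\net.exe" stop MSSQLSERVER /y
2026-03-02T02:14:09Z|WS-FIN-07|CORP\svc_backup|vssadmin.exe delete shadows /all /quiet
2026-03-02T02:14:11Z|WS-FIN-07|CORP\svc_backup|wevtutil.exe cl Security
2026-03-02T02:16:40Z|WS-HR-03|CORP\jdoe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n
2026-03-02T09:30:12Z|SRV-DB-01|CORP\dba|net stop MSSQLSERVER
"""


def parse_log(text: str) -> list:
    """Parse the pipe-delimited records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "user": user, "cmd": cmd})
    return events


def classify(cmd: str) -> set:
    """Return the set of behaviour classes a command line matches."""
    return {name for name, rx in RULES if rx.search(cmd)}


def correlate(events: list, window: timedelta = timedelta(minutes=5)) -> dict:
    """Alert on hosts showing two or more distinct pre-encryption behaviours
    within the window. Returns {host: sorted list of classes seen}."""
    by_host = defaultdict(list)
    for ev in events:
        classes = classify(ev["cmd"])
        if classes:
            by_host[ev["host"]].append((ev["ts"], classes))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, classes in hits[i:]:
                if t - t0 > window:
                    break
                seen |= classes
            if len(seen) >= 2:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, classes in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(classes)}")
```

Fed from Sysmon Event ID 1 or Windows Security 4688 process-creation events instead of the constructed records, the same correlation gives a short but real lead time: the service stops and Shadow Copy deletion land before files are touched, and a host that is isolated at that point loses far less than one caught by a post-encryption canary.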
Although Gentlemen ransomware has maintained a relatively low profile, Check Point warns that it is rapidly evolving. The group is actively recruiting affiliates through underground forums and expanding its capabilities. Researchers believe that the integration of SystemBC, combined with tools like Cobalt Strike and a sizable botnet, indicates that the operation is advancing into a more sophisticated threat actor, one that is "actively integrating into a broader toolchain of mature, post-exploitation frameworks and proxy infrastructure."
In addition to identifying indicators of compromise (IoCs), Check Point has released a YARA rule to assist organizations in detecting and mitigating similar threats.