A technical analysis from Check Point Research says a command-and-control server linked to SystemBC exposed a botnet of more than 1,570 victims, after investigators found the malware in use by threat actors tied to The Gentlemen ransomware operation.
KEY FACTS
- Victims: The SystemBC server was tied to more than 1,570 compromised hosts.
- Scope: Victims were identified in the U.S., the U.K., Germany, Australia and Romania.
- Ransomware group: The Gentlemen has claimed more than 320 victims since emerging in July 2025.
- Technique: SystemBC creates SOCKS5 tunnels and can download and run additional malware.
The report said an affiliate deployed SystemBC on a compromised host, while the linked server was used to manage hundreds of victims across multiple regions. The exact role of the proxy malware in the group’s operations remains unclear, including whether it is part of the standard playbook or used by a specific affiliate for access and data theft.
The malware uses a custom RC4-encrypted protocol to connect to its server and can stage payloads either on disk or directly in memory. The report also described activity that included discovery, lateral movement, payload staging and defense evasion before ransomware deployment.
On Windows systems, the attack chain can push a PowerShell script that disables real-time monitoring, adds exclusions, turns off the firewall, re-enables SMB1 and relaxes LSA anonymous access controls before the ransomware binary runs. The ESXi variant adds persistence through crontab, can shut down virtual machines and blocks recovery.
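As an added, read-only audit example (not code from the Check Point report, the malware or the ransomware group), the PowerShell function below checks a Windows host for the settings the article says the pre-ransomware script changes: Defender real-time monitoring and exclusions, firewall profiles, SMB1 and LSA anonymous-access controls. The specific LSA registry values it inspects are an assumption about which controls the script relaxes, since the article does not name them.

```powershell
# Added defensive example: audit a host for the defense-evasion changes the article
# describes. Read-only; run in an elevated PowerShell 5.1+ session on the host.
function Get-DefenseEvasionFindings {
    $findings = @()

    # 1. Microsoft Defender: real-time monitoring turned off, exclusions added
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        if ($mp.DisableRealtimeMonitoring) { $findings += 'Defender real-time monitoring is disabled' }
        foreach ($p in $mp.ExclusionPath)      { $findings += "Defender path exclusion: $p" }
        foreach ($e in $mp.ExclusionExtension) { $findings += "Defender extension exclusion: $e" }
        foreach ($x in $mp.ExclusionProcess)   { $findings += "Defender process exclusion: $x" }
    }

    # 2. Windows Firewall: any profile switched off
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Enabled } |
        ForEach-Object { $findings += "Firewall profile disabled: $($_.Name)" }

    # 3. SMB1 re-enabled on the server side
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb -and $smb.EnableSMB1Protocol) { $findings += 'SMB1 server protocol is enabled' }

    # 4. LSA anonymous-access restrictions relaxed (assumed keys; compare with your baseline).
    #    RestrictAnonymousSAM=1 and EveryoneIncludesAnonymous=0 are the defaults; RestrictAnonymous
    #    is 0 by default on workstations and member servers, so it is reported only as information.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($lsa) {
        if ($lsa.RestrictAnonymousSAM -eq 0)      { $findings += 'LSA RestrictAnonymousSAM = 0 (non-default)' }
        if ($lsa.EveryoneIncludesAnonymous -eq 1) { $findings += 'LSA EveryoneIncludesAnonymous = 1 (non-default)' }
        $findings += "LSA RestrictAnonymous = $($lsa.RestrictAnonymous) (informational)"
    }

    return $findings
}

$result = Get-DefenseEvasionFindings
if ($result.Count -eq 0) { 'No defense-evasion indicators found' } else { $result }
```

Any Defender, firewall or SMB1 finding on a host that your baseline says should be hardened is worth correlating with PowerShell script-block logs (Event ID 4104) from the same time window, since the article describes these changes arriving as a single script shortly before the ransomware binary.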
The disclosure said the group has targeted Windows, Linux, NAS and BSD systems and has used legitimate drivers and custom tools to blunt defenses. It also said the attackers have abused Group Policy Objects to widen compromise across domains.
WHY IT MATTERS
The findings show how ransomware crews can combine access, proxy malware and defense evasion to reach more systems before defenders respond. They also suggest the scale of one affiliate network may be larger than what is publicly visible.