Rapid Rise of The Gentlemen RaaS: Over 320 Victims and a 1,570-Device Botnet Exposed

2026-05-04 23:59:44

Breaking: The Gentlemen RaaS Linked to Massive SystemBC Botnet

Cybersecurity researchers have uncovered a sprawling botnet of over 1,570 compromised devices linked to The Gentlemen ransomware-as-a-service (RaaS) operation. The discovery, made during an incident response engagement, reveals that affiliates of the group deployed the SystemBC proxy malware to establish covert tunnels and deliver payloads.

Source: research.checkpoint.com

"This is a sophisticated, human-operated campaign targeting corporate environments," said a senior analyst at Check Point Research. "The infection profile strongly suggests a focus on organizational networks rather than opportunistic consumer attacks."

Attack Overview

Since emerging in mid-2025, The Gentlemen RaaS has rapidly gained traction. The group publicly claims over 320 victims, with the majority—240—recorded in early 2026 alone. Its diverse locker portfolio covers Windows, Linux, NAS, BSD (written in Go) and an additional ESXi locker (written in C).

In one incident, an affiliate attempted to deploy SystemBC, a proxy malware that enables SOCKS5 tunneling. Check Point Research observed victim telemetry from the command-and-control server, revealing a botnet of more than 1,570 victims.

"SystemBC provides attackers with stealthy, persistent access," explained a cybersecurity incident responder. "It allows them to pivot within networks and exfiltrate data undetected."

Background: The Gentlemen RaaS

The Gentlemen RaaS operation markets itself on underground forums, recruiting penetration testers and skilled actors. Affiliates receive multi-OS lockers, EDR-killing tools, and a proprietary multi-chain pivot infrastructure. Negotiations are handled via Tox ID (a decentralized, encrypted messaging protocol) to avoid tracking.

The group also maintains a leak site on the dark web and an active Twitter/X account to pressure victims. To date, the majority of its claimed 320+ victims have been compromised in 2026, indicating rapid affiliate growth.

SystemBC: A Persistent Threat

SystemBC is a proxy malware frequently used in human-operated ransomware campaigns. It establishes SOCKS5 tunnels that allow attackers to route traffic through compromised hosts, hiding their origin and enabling lateral movement. The recent botnet discovery underscores the scale of the threat.

"The combination of The Gentlemen RaaS and SystemBC creates a dangerous attack chain," noted a threat intelligence analyst. "Affiliates use this proxy as a foothold before deploying the final ransomware locker."

What This Means

The discovery signals a shift toward more organized, multi-platform ransomware operations. With lockers for Windows, Linux, NAS, BSD, and ESXi, The Gentlemen can target virtually any corporate asset. The integration of SystemBC adds a stealth layer that makes detection and response harder.

Organizations should prioritize network segmentation, endpoint detection, and employee training. The botnet's size suggests that many victims remain unaware of the infection. "This is a wake-up call for defenders," the incident responder concluded. "You cannot rely on traditional perimeter defenses alone."

Key Takeaways

This is a developing story. Check back for updates.
