Cyber: SystemBC C2 Server Reveals 1,570+ Victims In The Gentlemen Ran... (2026)
Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims.
"SystemBC establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol," Check Point said. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory.
Since its emergence in July 2025, The Gentlemen has quickly established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is as versatile as it's sophisticated, exhibiting capabilities to target Windows, Linux, NAS, and BSD systems with a Go-based locker as well as employing legitimate drivers and custom malicious tools to subvert defenses.
Exactly how the threat actors obtain initial access is unclear, although evidence suggests that internet-facing services or compromised credentials are being abused to establish an initial foothold, followed by engaging in discovery, lateral movement, payload staging (i.e., Cobalt Strike, SystemBC, and the encryptor), defense evasion, and ransomware deployment. A notable aspect of the attacks is the abuse of Group Policy Objects (GPOs) to facilitate domain-wide compromise.
"By tailoring their tactics against specific security vendors, The Gentlemen have demonstrated an acute awareness of their targets' environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation," security vendor Trend Micro noted in an analysis of the group's tradecraft in September 2025.
The latest findings from Check Point show that an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised host, with the C2 server linked to the proxy malware commandeering hundreds of victims across the globe, including the U.S., the U.K., Germany, Australia, and Romania. While SystemBC has been used in ransomware operations as far back as 2020, the exact nature of the connection between the malware and The Gentlemen e-crime scheme remains unclear, such as whether it's part of the attack playbook or if it's something deployed by a specific affilia
Source: The Hacker News