A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate. The Gentlemen ransomware-as-a-service (RaaS) operation emerged around mid-2025 and provides a Go-based locker that can encrypt Windows, Linux, NAS, and BSD systems, and a C-based locker for ESXi hypervisors. Last December, it compromised one of Romania’s largest energy providers, the Oltenia Energy Complex. Earlier this month, The Adaptavist Group disclosed a breach that Gentlemen ransomware listed on its data leak site. Although the RaaS operation has publicly claimed around 320 victims, most of the attacks occurring this year, Check Point researchers discovered that the Gentlemen ransomware affiliates are expanding their attack toolkit and infrastructure. During an incident response engagement, the researchers found that an affiliate for the ransomware operation tried to deploy the proxy malware for covert payload delivery. “Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting,” the researchers say in a report today. SystemBC has been around since at least 2019 and is used for SOCKS5 tunneling. Due to its capability to deliver malicious payloads, it was quickly adopted and also to send malicious payloads. It capability to introduce payloads onto infected systems was quickly adopted by ransomware gangs. Despite a law enforcement operation that affected it in 2024, the botnet remains active, and last year Black Lotus Labs reported that it was infecting 1,500 commercial virtual private servers (VPS) every day to funnel malicious traffic.