The Gentlemen RaaS Claims Over 320 Victims as Affiliates Deploy SystemBC Proxy Malware
Check Point Research reveals that The Gentlemen ransomware-as-a-service operation has claimed over 320 victims, with affiliates deploying SystemBC proxy malware to establish covert tunnels in corporate networks.

Check Point Research has published a detailed DFIR report on The Gentlemen ransomware-as-a-service (RaaS) program, which has rapidly grown to claim over 320 victims since its emergence in mid-2025. The majority of these attacks—240—occurred in the first months of 2026, indicating a significant acceleration in affiliate activity. The RaaS operation provides a broad locker portfolio implemented in Go for Windows, Linux, NAS, and BSD, plus an additional locker written in C for ESXi, enabling affiliates to target the multi-platform environments common in corporate settings.
During an incident response engagement, Check Point observed an affiliate of The Gentlemen deploying SystemBC, a proxy malware frequently used in human-operated ransomware operations. SystemBC establishes SOCKS5 network tunnels within the victim's environment and communicates with its command-and-control server using a custom RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or injected directly into memory. Telemetry from the SystemBC C2 server revealed a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting.
The DFIR report provides a detailed timeline of the attack, beginning with the attacker gaining Domain Admin–level privileges on a Domain Controller. From that position, the attacker performed systematic credential validation and host accessibility testing across the environment. The attacker then deployed Cobalt Strike payloads to remote systems by writing executables to administrative shares and executing them via RPC. Early post-compromise actions included reconnaissance commands such as `systeminfo`, `whoami`, and directory enumeration, as well as accessing internal documentation that indicated use of environment-specific knowledge.
As execution expanded, the attacker attempted to establish additional command-and-control capabilities. On one compromised host, the tool `socks.exe`—identified as a variant of SystemBC—was executed and attempted to communicate with the IP address 45.86.230[.]112. The SystemBC C2 server's global access data shows victims primarily located in the United States, followed by the United Kingdom and Germany. Whether SystemBC is directly integrated into The Gentlemen ransomware ecosystem or is simply a tool leveraged by this particular affiliate for exfiltration and remote access remains unclear.
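The attack chain above (reconnaissance commands, an executable dropped on an administrative share, `socks.exe` launching, and a connection to the quoted C2 address) can be correlated per host from endpoint telemetry. The following is an added example, not code from the Check Point report: it runs over constructed Sysmon-style JSON events, with hypothetical host names, paths and field layout as assumptions, and refangs the C2 address the write-up quotes.

```python
import json
import re
from collections import Counter, defaultdict

# Refanged from the defanged C2 address quoted in the write-up: 45.86.230[.]112.
KNOWN_C2 = {"45.86.230.112"}
# Reconnaissance commands the report lists ('dir ' stands in for directory enumeration).
RECON_CMDS = ("systeminfo", "whoami", "dir ")
# Executable written to an administrative share (ADMIN$ or C$), the report's lateral-movement step.
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\(admin|c)\$\\.*\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events (hypothetical hosts and paths, NOT taken from the report).
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c systeminfo"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir \\\\SRV02\\C$\\Users"}
{"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "\\\\SRV02\\ADMIN$\\svc.exe"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\ProgramData\\socks.exe", "CommandLine": "socks.exe"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\ProgramData\\socks.exe", "DestinationIp": "45.86.230.112", "DestinationPort": 443}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"}
{"EventID": 3, "Computer": "WS03", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443}
"""

def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def correlate(events, recon_threshold=2):
    """Group the report's observed behaviours per host; returns {host: [finding, ...]}."""
    recon = defaultdict(Counter)
    findings = defaultdict(set)
    for e in events:
        host = e["Computer"]
        image = e.get("Image", "").rsplit("\\", 1)[-1].lower()  # basename only
        cmd = e.get("CommandLine", "").lower()
        if e["EventID"] == 1:  # process creation
            for r in RECON_CMDS:
                if r in cmd:
                    recon[host][r] += 1
            if image == "socks.exe":  # name the report ties to the SystemBC variant
                findings[host].add("systembc_socks_exe")
        elif e["EventID"] == 3 and e.get("DestinationIp") in KNOWN_C2:  # network connect
            findings[host].add("known_c2_contact")
        elif e["EventID"] == 11 and ADMIN_SHARE_EXE.match(e.get("TargetFilename", "")):
            findings[host].add("exe_written_to_admin_share")
    for host, counts in recon.items():
        if len(counts) >= recon_threshold:  # distinct recon commands, not repeats of one
            findings[host].add("recon_burst")
    return {h: sorted(f) for h, f in findings.items()}
```

Calling `correlate(parse_log(SAMPLE_LOG))` flags WS01 on all four behaviours while WS03, with a single `whoami` and a benign connection, produces no finding; in practice the threshold and the share pattern would be tuned to the environment's own admin tooling.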
The Gentlemen RaaS operation advertises its services across multiple underground forums, promoting its ransomware platform and inviting penetration testers and other technically skilled actors to join as affiliates. The group grants verified partners access to EDR-killing tools and its own multi-chain pivot infrastructure. The operators maintain an onion site where they publish data stolen from victims who refuse to pay, though negotiations are conducted via the individual affiliate's Tox ID—a free, decentralized, peer-to-peer instant messaging protocol that provides end-to-end encrypted communication.
The group also maintains a Twitter/X account referenced in the ransomware note, through which operators publicly post about victims to increase pressure on them to pay. The rapid growth in victim count suggests that The Gentlemen RaaS program has managed to attract a significant number of affiliates over the last few months. This development highlights the ongoing evolution of the ransomware ecosystem, where RaaS programs continue to lower the barrier to entry for cybercriminals while expanding their technical capabilities to target diverse enterprise environments.