According to Check Point, threat actors linked to The Gentlemen ransomware-as-a-service operation have been observed deploying SystemBC, a proxy malware, via a compromised host. Check Point's research identified a SystemBC C2 server, which revealed a botnet of more than 1,570 victims spread globally, including in the U.S., the U.K., Germany, Australia, and Romania.
SystemBC is described as establishing SOCKS5 network tunnels within victims’ environments and using a custom RC4-encrypted protocol to connect to its C2 server, with the capability to download and execute additional payloads either on disk or in memory. The Gentlemen are reported to claim more than 320 victims on their data leak site, and the operation employs a double-extortion model with targets across Windows, Linux, NAS and BSD systems.
The report also highlights that affiliates have used internet-facing services or compromised credentials to gain initial access, followed by discovery, lateral movement, and deployment of ransomware and other tools, including Cobalt Strike and the SystemBC proxy. The analysis also cites abuse of Group Policy Objects to facilitate domain-wide compromise and notes the scale of compromised networks uncovered during the investigation of an operator’s server.