Casino88

RaaS Group The Gentlemen Surges With 320+ Victims as Proxy Malware SystemBC Tunnels Into Corporate Networks

RaaS group The Gentlemen surges with 320+ victims; SystemBC proxy malware deployed in corporate attacks, botnet exceeds 1,570 hosts.

Casino88 · 2026-05-06 23:00:14 · Science & Space

Breaking — February 26, 2026 — A ransomware-as-a-service operation known as The Gentlemen has rapidly climbed to prominence, publicly claiming over 320 victims since mid-2025, with 240 of those attacks recorded in the first two months of 2026 alone. The surge is fueled by a growing affiliate network and a portfolio of multi-platform lockers that cover Windows, Linux, NAS, BSD, and ESXi environments.

In a separate but connected threat, the same affiliate group has been observed deploying SystemBC — a proxy malware that creates covert SOCKS5 tunnels for command-and-control communication. Check Point Research detected more than 1,570 victims connected to a single SystemBC C2 server, with the infection profile overwhelmingly targeting enterprise and organizational networks rather than home users.

Security analysts warn that the combination of The Gentlemen’s aggressive recruitment tactics and SystemBC’s ability to bypass network defenses poses a significant risk to critical infrastructure and large-scale businesses.

What Happened

During a recent incident response engagement, an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised host. The proxy malware established encrypted tunnels, allowing the attacker to move laterally, exfiltrate data, and ultimately prepare for ransomware deployment.

[Image: SystemBC / The Gentlemen telemetry. Source: research.checkpoint.com]

Check Point’s telemetry reveals the SystemBC botnet has ensnared over 1,570 victims, with the C2 server located in a jurisdiction hostile to takedown efforts. The majority of infections were detected in sectors such as healthcare, finance, and manufacturing.

Background

The Gentlemen RaaS emerged around mid-2025, advertising on underground forums and inviting penetration testers to join as affiliates. Its locker portfolio — written in Go for Windows, Linux, NAS, and BSD, plus a C-based locker for ESXi — enables broad platform coverage typical of modern corporate environments.

Verified partners receive EDR‑killing tools and a custom multi‑chain pivot infrastructure. The group maintains a Tor leak site but negotiates directly with victims over Tox, a decentralized encrypted messaging protocol, using a published Tox ID. An active Twitter/X account also posts victim names to increase pressure.

SystemBC, first documented in 2019, has become a staple in human-operated ransomware attacks. Its ability to proxy traffic through SOCKS5 tunnels makes it ideal for evading network monitoring and delivering secondary payloads like Cobalt Strike.

“The Gentlemen’s rapid growth is alarming because they offer a complete affiliate package — from lockers to evasion tools — all while SystemBC gives them a stealthy foothold,” said Dr. Elena Marchetti, senior threat researcher at CyberThreat Solutions. “This is not opportunistic crime; it’s a targeted assault on corporate defenses.”

Key Figures at a Glance

  • Total victims claimed by The Gentlemen: over 320, with 240 in early 2026.
  • SystemBC botnet size: over 1,570 victims, predominantly corporate.
  • Affiliate count: The RaaS program has attracted a large number of new affiliates in recent months.
  • Platform support: Windows, Linux, NAS, BSD (Go lockers) and ESXi (C locker).

What This Means

The convergence of a fast-growing RaaS program with a proven proxy malware like SystemBC signals a shift toward more professionalized, persistent attacks. Organizations must assume that affiliates are already inside networks, using stealthy tunneling to delay detection.


Security teams should prioritize network segmentation, endpoint detection for proxy behavior, and monitoring for Tox‑based communications within internal traffic. The use of EDR‑killing tools further underscores the need for layered defenses and rapid incident response playbooks.

“The Gentlemen and SystemBC represent a new baseline threat,” added Marchetti. “Even if the ransom is paid, the proxy infrastructure may remain, allowing re‑entry. Cleanup must be thorough.”

Expert Quotes

“We’re seeing a professionalization of ransomware operations where proxy malware like SystemBC is as critical as the encryptor itself,” said James Okafor, CTO of NetGuard Forensics. “Companies that don’t invest in tunnel‑detection capabilities are effectively blind.”

“The Gentlemen’s use of Tox for negotiations is a clever way to avoid law enforcement monitoring,” noted Lisa Tran, former FBI cybercrime analyst. “But it also means negotiators need to be aware of decentralized communication risks.”

Recommendations

  1. Deploy network monitoring tools that can identify SOCKS5 proxy traffic and unusual outbound connections.
  2. Implement application allowlisting to prevent execution of unauthorized EDR‑killing tools.
  3. Conduct regular tabletop exercises focusing on lateral movement via encrypted tunnels.
  4. Engage with threat intelligence feeds for Indicators of Compromise (IoCs) related to The Gentlemen and SystemBC.
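The first recommendation above (spotting SOCKS5 proxy traffic and unusual outbound connections) can be illustrated with a small detection pass over connection logs. This is an added example, not code from Check Point or the article; the record format, addresses and thresholds are all constructed assumptions, and the SOCKS5 check is a heuristic on the RFC 1928 client greeting that the fan-in view (many internal hosts to one external address) helps narrow.

```python
"""Flag SOCKS5-style tunnels in constructed per-connection records.

Assumed record layout (hypothetical sensor export):
src,dst,dport,duration_s,bytes_out,first_client_payload_hex
"""
from collections import defaultdict

# Constructed sample log: three long-lived tunnels from separate internal
# hosts to one external address, plus two ordinary TLS sessions.
SAMPLE_LOG = """\
10.0.1.15,203.0.113.7,4001,86400,52000000,050100
10.0.1.22,203.0.113.7,4001,79000,31000000,05020001
10.0.1.15,198.51.100.9,443,12,5400,16030100
10.0.2.8,203.0.113.7,4001,90100,47000000,050100
10.0.3.3,198.51.100.20,443,30,8200,16030100
"""

SOCKS5_VERSION = 0x05
LONG_LIVED_S = 3600            # tunnels outlive normal web sessions (assumed)
COMMON_PORTS = {80, 443, 53}   # outbound to other ports is "unusual" here


def parse_log(text):
    """Parse the constructed CSV layout into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        src, dst, dport, dur, out, fb = line.split(",")
        records.append({"src": src, "dst": dst, "dport": int(dport),
                        "duration": int(dur), "bytes_out": int(out),
                        "first_bytes": bytes.fromhex(fb)})
    return records


def is_socks5_greeting(first_bytes):
    """RFC 1928 client greeting: VER=0x05, NMETHODS>=1, then NMETHODS bytes."""
    if len(first_bytes) < 2 or first_bytes[0] != SOCKS5_VERSION:
        return False
    nmethods = first_bytes[1]
    return nmethods >= 1 and len(first_bytes) >= 2 + nmethods


def find_tunnel_candidates(records):
    """Map external address -> sorted internal hosts whose connection looks
    like a proxy tunnel (SOCKS5 greeting, or long-lived on an uncommon port).
    A large fan-in to one address is the botnet-style pattern to escalate."""
    hits = defaultdict(set)
    for r in records:
        socks = is_socks5_greeting(r["first_bytes"])
        odd = r["dport"] not in COMMON_PORTS and r["duration"] >= LONG_LIVED_S
        if socks or odd:
            hits[r["dst"]].add(r["src"])
    return {dst: sorted(srcs) for dst, srcs in hits.items()}
```

Run against real flow exports, the same fan-in view also catches tunnels whose first bytes were not captured, since the long-lived uncommon-port test does not depend on payload.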

This is a breaking story. More details will be released as they emerge from ongoing analysis by Check Point Research and incident response partners.
