The Gentlemen ransomware now uses SystemBC for bot-powered attacks

Why This Matters

The integration of SystemBC malware with the Gentlemen ransomware underscores a growing trend of sophisticated, botnet-powered attacks targeting corporate and organizational systems. This development highlights the increasing complexity of ransomware operations and the persistent threat they pose to critical infrastructure and enterprise security. For consumers and businesses alike, it emphasizes the need for robust cybersecurity measures to defend against evolving malware tactics.

Key Takeaways

A SystemBC proxy malware botnet of more than 1,570 hosts, believed to be corporate victims, has been discovered following an investigation into a Gentlemen ransomware attack carried out by a gang affiliate.

The Gentlemen ransomware-as-a-service (RaaS) operation emerged around mid-2025 and provides a Go-based locker that can encrypt Windows, Linux, NAS, and BSD systems, and a C-based locker for ESXi hypervisors.

Last December, it compromised one of Romania’s largest energy providers, the Oltenia Energy Complex. Earlier this month, The Adaptavist Group disclosed a breach that Gentlemen ransomware listed on its data leak site.

Although the RaaS operation has publicly claimed around 320 victims, with most of the attacks occurring this year, Check Point researchers discovered that Gentlemen ransomware affiliates are expanding their attack toolkit and infrastructure.

During an incident response engagement, the researchers found that an affiliate of the ransomware operation tried to deploy the proxy malware for covert payload delivery.

“Check Point Research observed victim telemetry from the relevant SystemBC command‑and‑control server, revealing a botnet of over 1,570 victims, with the infection profile strongly suggesting a focus on corporate and organizational environments rather than opportunistic consumer targeting,” the researchers say in a report today.

SystemBC has been around since at least 2019 and is used for SOCKS5 tunneling. Its capability to introduce payloads onto infected systems was quickly adopted by ransomware gangs.

Despite a law enforcement operation that affected it in 2024, the botnet remains active, and last year Black Lotus Labs reported that it was infecting 1,500 commercial virtual private servers (VPS) every day to funnel malicious traffic.

According to Check Point, most of the victims linked to Gentlemen’s deployment of SystemBC are located in the United States, the United Kingdom, Germany, Australia, and Romania.

Location of infected organizations
