
Gentlemen Ransomware Operation Exposes 1,570 Victims Through SystemBC Malware


More than 1,570 compromised networks linked to a single SystemBC C2, Check Point finds

According to new research published by Check Point, analysis of a command-and-control (C2) server tied to the SystemBC proxy malware exposed a botnet of more than 1,570 victims. Check Point reported that the server "commandeered hundreds of victims across the globe, including the U.S., the U.K., Germany, Australia, and Romania," and that SystemBC "establishes SOCKS5 network tunnels within the victim’s environment and connects to its C&C server using a custom RC4‑encrypted protocol." The vendor also described SystemBC’s ability to download and execute additional malware, with payloads either written to disk or injected directly into memory.

SystemBC in the wild and its connection to The Gentlemen RaaS

Check Point linked the SystemBC activity to an affiliate of The Gentlemen ransomware‑as‑a‑service (RaaS) operation. The Gentlemen surfaced in July 2025 and "has quickly established itself as one of the most prolific ransomware groups," claiming more than 320 victims on its data leak site. While SystemBC has been seen in ransomware campaigns as far back as 2020, Check Point cautioned that the precise nature of the relationship between SystemBC and The Gentlemen—whether a standard playbook component or a tool used by a particular affiliate for exfiltration and remote access—remains unclear.

The Gentlemen’s tradecraft: cross-platform targeting and tailored reconnaissance

Check Point and other vendors describe The Gentlemen as versatile and deliberate. The operation uses a double‑extortion model and has demonstrated capabilities against Windows, Linux, NAS, and BSD systems, including a Go‑based locker and the use of legitimate drivers alongside custom malicious tools. Trend Micro observed that the group has shown an "acute awareness of their targets' environments and a willingness to engage in in-depth reconnaissance and tool modification throughout the course of their operation," noting targeted adjustments against specific security vendors.

How attacks proceed: Windows Defender‑blinding, GPO abuse, and ESXi differences

Check Point described a set of automated and deliberate steps used during lateral movement. "During lateral movement, the ransomware makes an attempt to blind Windows Defender on each reachable remote host by pushing a PowerShell script that disables real-time monitoring, adds broad exclusions for the drive, staging share, and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls, all before deploying and executing the ransomware binary on that host," the vendor said. The ESXi variant carries fewer functions than the Windows build, but it shuts down virtual machines to increase impact, adds persistence via crontab, and inhibits recovery before the encryptor runs.
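As an added example (this is not code from the Check Point report, from The Gentlemen, or from SystemBC), the following PowerShell audit checks a single Windows host for the five weakening changes the quoted passage describes: Defender real-time monitoring switched off, drive, share or process exclusions added, the firewall disabled, SMB1 re-enabled, and LSA anonymous-access restrictions loosened. It relies only on the standard Defender, NetSecurity and SmbShare cmdlets plus the LSA registry key. The expected LSA values (RestrictAnonymous=1, RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0) are an assumed CIS-style hardening baseline, not values taken from the report.

```powershell
# Added example: audit one Windows host for the defence-weakening changes described above.
# Not code from the Check Point report or from the malware. Run in an elevated session.
# The expected LSA values are an assumed hardening baseline, not figures from the report.

function Test-DefenderWeakening {
    $findings = @()

    # 1. Defender real-time monitoring and exclusions (Defender module).
    #    A foreach over $null runs zero times, so missing exclusion lists are handled.
    $mp = Get-MpPreference
    if ($mp.DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled'
    }
    foreach ($path in $mp.ExclusionPath) {
        # A bare drive root (e.g. C:\) or a UNC share covers far more than any legitimate app needs
        if ($path -match '^[A-Za-z]:\\?$' -or $path -like '\\*') {
            $findings += "Broad Defender path exclusion: $path"
        }
    }
    foreach ($proc in $mp.ExclusionProcess) {
        $findings += "Defender process exclusion present: $proc"
    }

    # 2. Windows Firewall: every profile should report Enabled = True (NetSecurity module)
    foreach ($fw in Get-NetFirewallProfile) {
        if ($fw.Enabled -ne 'True') {
            $findings += "Firewall profile '$($fw.Name)' is not enabled ($($fw.Enabled))"
        }
    }

    # 3. SMB1 should stay off on a modern host (SmbShare module)
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $findings += 'SMB1 server protocol is enabled'
    }

    # 4. LSA anonymous-access controls; an absent value means the OS default applies,
    #    which for RestrictAnonymous is 0 and therefore also fails the baseline
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $expected = @{ RestrictAnonymous = 1; RestrictAnonymousSAM = 1; EveryoneIncludesAnonymous = 0 }
    foreach ($name in $expected.Keys) {
        $actual = $lsa.$name
        if ($null -eq $actual -or $actual -ne $expected[$name]) {
            $findings += "LSA $name is '$actual' (expected $($expected[$name]))"
        }
    }

    return $findings
}

$result = @(Test-DefenderWeakening)
if ($result.Count -eq 0) {
    'No Defender/firewall/SMB1/LSA weakening detected'
} else {
    $result
}
```

Because the quoted script is pushed to every reachable host, the useful deployment is fleet-wide: wrap the function body in `Invoke-Command -ComputerName` against the server list, and treat any host where several of these checks fail together (rather than one long-standing exception) as a lateral-movement lead worth pulling Defender and Security event logs for.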

Scale and sector context: Q1 2026 and broader ransomware trends

The Check Point findings arrive amid broader reporting of accelerating and specialized ransomware activity. ZeroFox compiled data showing at least 2,059 separate ransomware and digital extortion (R&DE) incidents in Q1 2026, with March alone accounting for 747. ZeroFox listed The Gentlemen among the most active groups in that quarter (192 incidents) and reported that North America‑based victims made up approximately 13% of The Gentlemen's attacks in Q1 2026 (20% in Q3 2025 and 2% in Q4 2025), a pattern the company said contrasts with the typically North America‑heavy victim mix of many R&DE collectives.

Other firms framed this activity as part of an industry‑wide shift. Rapid7 detailed a different new family, Kyber, noting its Windows and VMware ESXi variants and specialized destructive capabilities, while Halcyon’s 2025 Ransomware Evolution Report observed that ransomware operations are becoming more disciplined, specialized, and fast‑moving — with dwell times collapsing from days to hours and a trend toward techniques that impair endpoint detection and response tools and reuse vulnerable drivers for escalation.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Expect to see toolchains that combine remote‑access proxies like SystemBC with post‑exploitation scripts that alter Defender, firewall, SMB, and LSA settings, and watch for domain‑wide changes such as Group Policy Object (GPO) modifications cited in these incidents.
  • Policymakers and regulators: The cross‑border footprint (U.S., U.K., Germany, Australia, Romania and others) and the finding that many compromised corporate networks "hadn't even made the news yet" raise questions about notification, international cooperation, and the visibility of large botnets to authorities and victims alike.
  • Affected enterprises and procurement leaders: The Gentlemen’s model—marketing affiliate economics to attract operators, plus the use of legitimate drivers and custom tools—means buyers should reassess assumptions about how adversaries subvert defensive products and how supply‑side choices (drivers, management tools) can be abused in post‑compromise activity.
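The first bullet's advice to watch for domain-wide GPO modifications can be turned into a concrete hunt. The block below is an added example, not code from the report or from any vendor cited on this page: it lists Group Policy Objects modified inside a lookback window and flags those whose XML report mentions Defender, firewall, LSA, SMB1 or script/task-delivery settings. It requires the RSAT GroupPolicy module and an account that can read GPOs; the seven-day window and the keyword list are assumptions to tune for the environment.

```powershell
# Added example: hunt for recently modified GPOs carrying the kinds of settings an
# attacker would push domain-wide. Not code from the Check Point report. Needs the
# RSAT GroupPolicy module. Lookback window and keyword list are assumptions.
Import-Module GroupPolicy

$lookbackDays = 7
$since = (Get-Date).AddDays(-$lookbackDays)

# Substrings that show up in Get-GPOReport XML for the settings of interest
# (policy category/name text, security-option registry paths, GPP extension types).
$suspectPatterns = @(
    'Real-time Protection',   # Defender real-time protection policy category
    'Exclusions',             # Defender path/process exclusion policies
    'Firewall',               # Windows Defender Firewall profile policies
    'RestrictAnonymous',      # LSA anonymous-access security options (registry path in report)
    'SMB1',                   # SMB1 client/server policy settings
    'Scripts',                # startup/logon script extension
    'ScheduledTasks'          # Group Policy Preferences scheduled/immediate tasks
)

function Find-SuspectGpoChanges {
    Get-GPO -All |
        Where-Object { $_.ModificationTime -ge $since } |
        ForEach-Object {
            $gpo = $_
            # XML report as a string; -match is case-insensitive by default
            $xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
            $hits = $suspectPatterns | Where-Object { $xml -match [regex]::Escape($_) }
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Modified    = $gpo.ModificationTime
                Owner       = $gpo.Owner
                SuspectHits = ($hits -join ', ')
            }
        } |
        Sort-Object Modified -Descending
}

# Recently changed GPOs first; rows with non-empty SuspectHits deserve a diff against the last known-good backup
Find-SuspectGpoChanges | Format-Table -AutoSize
```

An empty SuspectHits column does not clear a GPO: a newly linked GPO, or a change to its security filtering, also deserves review, and the modification timestamp alone is enough to pull the object into the incident timeline.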

Eli Smadja, group manager at Check Point Research, summed up the operational significance bluntly: "Most ransomware groups make noise when they launch and then disappear. The Gentlemen are different. They've cracked the affiliate recruitment problem by offering a better deal than anyone else in the criminal ecosystem. When we got inside one of their operator's servers, we found over 1,570 compromised corporate networks that hadn't even made the news yet. The real scale of this operation is significantly larger than what's publicly known, and it's still growing."

The Check Point discovery of a single SystemBC C2 exposing more than 1,570 victims reframes The Gentlemen not merely as another extortion brand but as an active, scalable affiliate ecosystem with tooling that spans platforms and aims to blind defenses before encryption. How quickly defenders, regulators, and corporate leaders adjust to that scale—and whether affiliates replicate this pattern elsewhere—will determine whether the operation’s next phase is containment or further growth.
