10 Key Insights into The Gentlemen RaaS and SystemBC Proxy Malware

From Usahobs, the free encyclopedia of technology

In the ever-evolving landscape of cyber threats, the pairing of ransomware-as-a-service (RaaS) operations with proxy malware has become a potent combination. One such alliance has emerged between The Gentlemen RaaS and SystemBC, a proxy malware used to open covert channels into victim networks. This listicle unpacks the critical details from a recent Check Point Research incident response report, shedding light on how these threats operate, their infrastructure, and what defenders need to watch for. From multi-platform lockers to underground forum marketing, here are the top 10 takeaways you must know.

1. The Gentlemen RaaS: A Rising Star in the Underground

The Gentlemen ransomware-as-a-service operation first surfaced around mid-2025 and has quickly gained traction. The group actively promotes its platform on multiple underground forums, recruiting affiliates who are penetration testers or other technically skilled actors. This recruitment strategy has proven effective, as the service claims over 320 victims, with the bulk of infections occurring in early 2026. Unlike opportunistic consumer-focused attacks, The Gentlemen targets corporate environments, maximizing the potential for large ransom payments. Their public presence on forums and social media amplifies pressure on victims, making this RaaS a notable player in the current threat landscape.

10 Key Insights into The Gentlemen RaaS and SystemBC Proxy Malware
Source: research.checkpoint.com

2. Multi-Platform Locker Portfolio for Maximum Impact

One of the key selling points for The Gentlemen RaaS is its broad locker portfolio. Affiliates receive encryptors written in Go for Windows, Linux, NAS, and BSD systems, plus a separate C-based locker for ESXi hypervisors. This multi-platform coverage matters because corporate environments mix operating systems and virtualization platforms, and an affiliate who can only encrypt Windows hosts leaves the backups, file shares and virtual machine datastores intact. By offering lockers for all common targets, The Gentlemen lets affiliates encrypt almost any victim estate, whether it runs Windows servers, Linux servers, NAS appliances, or VMware ESXi hosts. Go also lets one codebase be cross-compiled for every target, and its large, statically linked binaries are harder for signature-based tooling to classify than conventional C payloads.

3. SystemBC Proxy Malware: The Covert Tunnel Enabler

During an incident response engagement, an affiliate of The Gentlemen deployed SystemBC, a well-known proxy malware, on a compromised host. SystemBC is not new, it has been used in human-operated ransomware operations for years, but its appearance in The Gentlemen workflow highlights a persistent trend: using proxy tools to turn a compromised host into a SOCKS5 proxy into the victim's network. The infected host connects outbound to the SystemBC C2 server; the operator then routes tooling through that server and out of the infected host, so reconnaissance, lateral movement and data staging originate from an internal machine while the operator's real infrastructure stays hidden behind the C2. The result is a stealthy communication channel that complicates detection and response efforts for defenders.

4. Botnet of Over 1,570 Victims Observed via C2 Telemetry

Check Point Research gained visibility into the SystemBC botnet by analyzing telemetry from the proxy malware's C2 server. The data revealed a network of more than 1,570 victims, with infection patterns strongly indicating a focus on corporate and organizational targets rather than random consumers. This botnet size underscores the scale at which SystemBC operates, and how it serves as a shared resource for multiple ransomware affiliates. The large victim pool also suggests that SystemBC is a favored post-exploitation tool for maintaining covert access between initial compromise and ransomware deployment.

5. Multichain Pivot Infrastructure for Advanced Operations

The Gentlemen RaaS doesn't just provide encryptors; it also equips its verified affiliates with EDR-killing tools and a proprietary multichain pivot infrastructure. This includes both server and client components designed to help attackers move laterally within a network and evade endpoint detection. The pivot infrastructure allows chaining multiple compromised machines, so traffic reaching a target hops through several intermediate hosts and the path back to the operator is harder to reconstruct. For organizations, this means that a single SystemBC infection could be just the first domino in a larger, more sophisticated ransomware deployment.

6. Negotiations via Tox ID, Not Leak Portal

Unlike some ransomware groups that centralize negotiations through a dedicated leak site, The Gentlemen handles ransom talks using Tox IDs assigned to individual affiliates. Tox is a free, decentralized, peer-to-peer instant messaging protocol with end-to-end encryption for voice, video, and text. This approach gives affiliates autonomy and reduces the group's operational security risk—if one affiliate's Tox account is compromised, the entire operation isn't exposed. The leak portal (onion site) only publishes stolen data for victims who refuse to pay, while the actual haggling occurs off-platform, adding a layer of complexity for law enforcement.


7. Twitter/X Account Used for Public Victim Shaming

The Gentlemen maintains an active presence on Twitter/X, referenced directly in the ransomware note left on victims' systems. Through this account, the operators publicly post about new victims, often including screenshots or press releases to increase pressure. This public shaming tactic is designed to force compliance by highlighting the breach to customers, partners, and regulators. It also serves as a marketing tool for the RaaS—showing potential affiliates that The Gentlemen can successfully extort victims and gain media attention, thereby attracting more skilled operators to the program.

8. Underground Forum Marketing Drives Affiliate Growth

The group's rise in popularity can be attributed to aggressive marketing on underground forums. They target penetration testers and technically adept criminals, offering a turnkey solution that includes not just lockers but also EDR bypass tools and pivot infrastructure. The forums serve as a recruitment hub where The Gentlemen's posts feature detailed capability descriptions and victim counts. This strategy has paid off, with victim numbers climbing rapidly in early 2026. The RaaS model allows lower-skilled actors to execute high-impact attacks simply by subscribing, which sharply increases the number of operators capable of hitting organizations worldwide.

9. Incident Response Case Shows Affiliate Behavior

A specific incident response case revealed how an affiliate of The Gentlemen used SystemBC as a post-exploitation tool. After initial compromise, the affiliate deployed the proxy malware to establish persistent, covert access. This allowed them to perform reconnaissance, move laterally, and eventually deploy the ransomware locker. The case illustrates a common affiliate workflow: gain access, install SystemBC for tunneling, then execute the encryptor. For defenders, detecting SystemBC early, through network traffic analysis (a long-lived outbound session from a workstation or server to an unfamiliar external address, followed by that same host fanning out to internal systems) or endpoint behavioral monitoring, can be a critical opportunity to stop a ransomware attack before it locks critical systems.
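The tunnel-then-pivot pattern described in insight 3 and the early-detection point made in this case study can be turned into a concrete hunting rule over connection logs. The Python below is an added example written for this page, not code from Check Point Research or from the report it summarizes. It runs over constructed connection records in a Zeek conn.log-like shape (timestamp, source, destination, destination port, duration in seconds); the internal ranges, the excluded web ports, the thresholds and the allowlisted scanner address are assumptions to tune for your own environment. The page gives no SystemBC ports or protocol indicators, so the rule keys on behaviour rather than on signatures: one long outbound session to an external host on a non-web port, during which the same source starts contacting several distinct internal hosts.

```python
"""Hunt for proxy-pivot behaviour (SystemBC-style) in connection records.

Heuristic: an internal host holds one long-lived outbound TCP session to an
external address on a port that is not a normal web port, and while that
session is open it opens connections to several distinct internal hosts (the
operator relaying tooling through the proxy). Either signal alone is noisy;
together they are worth an analyst's attention.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Conn = namedtuple("Conn", "ts src dst dst_port duration")

# Assumed environment parameters: tune these for a real network.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}                  # long outbound sessions here are routine (SaaS, updates, backups)
MIN_TUNNEL_SECONDS = 600               # shorter outbound sessions are ordinary client traffic
MIN_DISTINCT_TARGETS = 3               # internal hosts contacted while the tunnel is open
ALLOWLISTED_SOURCES = {"10.0.0.100"}   # hypothetical vulnerability scanner that talks to everything by design

# Constructed sample records, not real telemetry. Timestamps and durations are in seconds.
SAMPLE_CONNS = [
    # 10.0.0.25: one-hour session to an external host on an odd port, then fan-out to internal servers
    Conn(1000, "10.0.0.25", "203.0.113.7", 4001, 3600),
    Conn(900,  "10.0.0.25", "10.0.0.9", 445, 2),       # before the tunnel opened: not counted
    Conn(1200, "10.0.0.25", "10.0.0.5", 445, 3),
    Conn(1260, "10.0.0.25", "10.0.0.6", 3389, 420),
    Conn(1300, "10.0.0.25", "10.0.0.7", 445, 2),
    Conn(1310, "10.0.0.25", "10.0.0.5", 445, 2),       # repeat target: counted once
    # 10.0.0.30: long HTTPS session (e.g. a backup upload) plus normal file-server traffic; excluded by WEB_PORTS
    Conn(1000, "10.0.0.30", "198.51.100.10", 443, 3000),
    Conn(1100, "10.0.0.30", "10.0.0.5", 445, 2),
    Conn(1150, "10.0.0.30", "10.0.0.6", 445, 2),
    Conn(1200, "10.0.0.30", "10.0.0.7", 445, 2),
    # 10.0.0.31: long non-web session but only one internal target: below threshold
    Conn(1000, "10.0.0.31", "203.0.113.9", 8443, 1800),
    Conn(1100, "10.0.0.31", "10.0.0.5", 445, 2),
    # 10.0.0.100: scanner that would otherwise fire, suppressed by the allowlist
    Conn(1000, "10.0.0.100", "203.0.113.50", 9443, 7200),
    Conn(1100, "10.0.0.100", "10.0.0.5", 22, 1),
    Conn(1101, "10.0.0.100", "10.0.0.6", 22, 1),
    Conn(1102, "10.0.0.100", "10.0.0.7", 22, 1),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def candidate_tunnels(conns):
    """Long-lived outbound sessions from a non-allowlisted internal host to an external address on a non-web port."""
    return [c for c in conns
            if is_internal(c.src) and not is_internal(c.dst)
            and c.dst_port not in WEB_PORTS
            and c.duration >= MIN_TUNNEL_SECONDS
            and c.src not in ALLOWLISTED_SOURCES]


def find_pivots(conns):
    """Pair each candidate tunnel with the distinct internal hosts its source contacted while it was open.

    Returns a list of dicts with the source host, the external proxy endpoint and the sorted internal targets.
    """
    alerts = []
    for t in candidate_tunnels(conns):
        opened, closed = t.ts, t.ts + t.duration
        targets = {c.dst for c in conns
                   if c.src == t.src and is_internal(c.dst) and opened <= c.ts <= closed}
        if len(targets) >= MIN_DISTINCT_TARGETS:
            alerts.append({"src": t.src,
                           "proxy_endpoint": f"{t.dst}:{t.dst_port}",
                           "internal_targets": sorted(targets)})
    return alerts


if __name__ == "__main__":
    for a in find_pivots(SAMPLE_CONNS):
        print(f"possible proxy pivot: {a['src']} -> {a['proxy_endpoint']} then {a['internal_targets']}")
```

On the sample data only 10.0.0.25 is reported. The HTTPS backup host is dropped by the web-port exclusion, the host with a single internal target stays under the fan-out threshold, and the scanner is suppressed by the allowlist; in production the allowlist is where domain controllers, monitoring and management servers belong, since they contact many internal hosts legitimately and would otherwise dominate the results.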

10. Corporate Environments Are the Primary Target

Both the SystemBC botnet data and The Gentlemen's victim profile point to a clear focus on corporate and organizational environments. Over 1,570 SystemBC victims were observed, and the RaaS claims hundreds of victims, many in 2026. The multi-platform locker support (Windows, Linux, NAS, BSD, ESXi) is tailored for enterprise environments, while the use of EDR-killing tools and pivot infrastructure suggests attackers expect defenses. This threat is not about random home users; it's about businesses, hospitals, and government entities. Understanding this targeting is crucial for prioritizing security investments and incident response planning.

The combination of The Gentlemen RaaS and SystemBC proxy malware represents a significant and growing threat to organizations. By understanding these 10 key insights, from the group's marketing tactics to the technical details of its operations, security teams can better prepare for, detect, and respond to these attacks. Staying informed is the first line of defense.