The Gentlemen ransomware expands operations with SystemBC Proxy malware

Threat actors linked to The Gentlemen ransomware operation are increasingly using proxy malware to extend their reach inside victim networks, according to new research from Check Point.

Affiliates of the group have been deploying SystemBC, a well-known proxy malware used to establish covert command-and-control channels and maintain persistence inside compromised networks. Researchers traced the malware's command-and-control infrastructure to a botnet of more than 1,570 infected systems worldwide.

SystemBC lets attackers set up encrypted SOCKS5 proxy tunnels through infected hosts, so that malicious traffic is routed through the victim environment and is harder to distinguish from legitimate connections. It can also deliver additional payloads, which are executed either from disk or directly in memory.
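To make the tunnel mechanism concrete, the following is an added example written for this page; it is not code from Check Point's report or from SystemBC itself, whose real transport is encrypted with its own framing. It implements the plain SOCKS5 (RFC 1928) negotiation that such a tunnel carries: the client greeting, the proxy's method selection, the CONNECT request and the proxy's reply. A responder who captures the client side of an unexpected proxy session can use `describe_client_stream` to recover the destination host and port; `serve_handshake` plays the proxy side with an assumed `allow` policy callback so both directions of the exchange are visible. All sample bytes, hosts and ports are constructed for the example.

```python
"""
Added example (not from Check Point or SystemBC): a minimal SOCKS5 (RFC 1928)
handshake codec. Models only the SOCKS5 layer a proxy tunnel carries; the
hosts, ports and byte strings used below are constructed for illustration.
"""
import ipaddress
import struct
from typing import Callable, Dict, List, Optional, Tuple

SOCKS_VER = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP = 0x01, 0x02, 0x03
CMD_NAMES = {CMD_CONNECT: "CONNECT", CMD_BIND: "BIND", CMD_UDP: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_NONE = 0x00, 0xFF
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02


def build_greeting(methods: Tuple[int, ...] = (METHOD_NOAUTH,)) -> bytes:
    """Client greeting: VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VER, len(methods), *methods])


def build_request(cmd: int, host: str, port: int) -> bytes:
    """Client request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT (big-endian)."""
    try:
        ip = ipaddress.ip_address(host)
        atyp, addr = (ATYP_IPV4 if ip.version == 4 else ATYP_IPV6), ip.packed
    except ValueError:  # not an IP literal, so send it as a length-prefixed domain name
        raw = host.encode("idna")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VER, cmd, 0x00, atyp]) + addr + struct.pack("!H", port)


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server reply: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT (IPv4 bind address)."""
    packed = ipaddress.IPv4Address(bind_host).packed
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + packed + struct.pack("!H", bind_port)


def parse_greeting(data: bytes) -> Tuple[List[int], int]:
    """Return (offered auth methods, bytes consumed); ValueError if malformed."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) < 2 + n:
        raise ValueError("truncated greeting")
    return list(data[2:2 + n]), 2 + n


def parse_request(data: bytes) -> Dict[str, object]:
    """Return command name, destination host/port and bytes consumed; ValueError if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, pos = data[1], data[3], 4
    if atyp == ATYP_IPV4:  # IPv4Address raises ValueError on a short slice
        host, pos = str(ipaddress.IPv4Address(data[pos:pos + 4])), pos + 4
    elif atyp == ATYP_IPV6:
        host, pos = str(ipaddress.IPv6Address(data[pos:pos + 16])), pos + 16
    elif atyp == ATYP_DOMAIN and len(data) > pos:
        n = data[pos]
        if len(data) < pos + 1 + n:
            raise ValueError("truncated domain name")
        host, pos = data[pos + 1:pos + 1 + n].decode("idna"), pos + 1 + n
    else:
        raise ValueError("bad or truncated ATYP field")
    if len(data) < pos + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": CMD_NAMES.get(cmd, "0x%02x" % cmd), "host": host, "port": port, "consumed": pos + 2}


def describe_client_stream(data: bytes) -> str:
    """Summarise the client-to-proxy bytes of one captured connection, e.g. 'CONNECT 10.0.0.5:445'."""
    _, used = parse_greeting(data)
    req = parse_request(data[used:])
    return "%s %s:%d" % (req["cmd"], req["host"], req["port"])


def serve_handshake(client_bytes: bytes, allow: Callable[[str, int], bool]) -> Tuple[bytes, Optional[dict]]:
    """Play the proxy side for one connection. client_bytes is the client stream as a
    capture shows it (greeting, then request). Returns the proxy's replies concatenated
    and the accepted request, or None when the method or destination is refused."""
    methods, used = parse_greeting(client_bytes)
    if METHOD_NOAUTH not in methods:
        return bytes([SOCKS_VER, METHOD_NONE]), None
    select = bytes([SOCKS_VER, METHOD_NOAUTH])
    req = parse_request(client_bytes[used:])
    if req["cmd"] != "CONNECT" or not allow(req["host"], req["port"]):
        return select + build_reply(REP_NOT_ALLOWED), None
    return select + build_reply(REP_SUCCESS), req


if __name__ == "__main__":
    # Constructed capture: a proxied client asking to reach SMB on an internal host.
    stream = build_greeting() + build_request(CMD_CONNECT, "10.0.0.5", 445)
    print(stream.hex(), "->", describe_client_stream(stream))
    replies, accepted = serve_handshake(stream, lambda host, port: port in (80, 443))
    print("proxy replied", replies.hex(), "accepted" if accepted else "refused")
```

Run stand-alone, the script decodes the constructed client stream to `CONNECT 10.0.0.5:445` and, because the assumed policy only permits ports 80 and 443, the proxy side answers with reply code 0x02 (connection not allowed by ruleset). The destination in a real SOCKS5 request is chosen by the operator, which is why traffic leaving a proxied host can reach internal systems the host itself never spoke to.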

First spotted in mid-2025, The Gentlemen has become one of the most active ransomware groups, claiming more than 320 victims. It runs a double-extortion model, encrypting data and threatening to leak stolen information. Its toolset includes cross-platform encryptors for Windows, Linux, NAS and BSD systems, and defense-evasion techniques such as the abuse of legitimate drivers.

How the actors gain initial access is unclear; researchers believe they exploit exposed internet-facing services or use compromised credentials. Once inside, they conduct reconnaissance, move laterally across the network, and deploy tools such as Cobalt Strike and SystemBC before executing the ransomware payload. In some intrusions, attackers abused Group Policy Objects (GPOs) to push the compromise domain-wide.

The group’s victims span multiple countries, including the United States, United Kingdom, Germany, Australia, and Romania.

In a separate report, Rapid7 detailed another emerging strain, Kyber ransomware, which targets both Windows and VMware ESXi environments. The malware includes features for encrypting virtual datastores and disrupting running virtual machines.
