SystemBC C2 Infrastructure Exposes Over 1,570 Victims Linked to The Gentlemen Ransomware Operation

Cybersecurity researchers have uncovered new evidence connecting a large-scale botnet to the rapidly growing ransomware group known as The Gentlemen. The discovery reveals that attackers are leveraging the SystemBC proxy malware to strengthen their operations and expand their reach globally.

Large Botnet Discovered Through SystemBC Server

A recent investigation by cybersecurity firm Check Point exposed a command-and-control server associated with SystemBC, leading to the identification of more than 1,570 compromised systems. This proxy malware is designed to establish SOCKS5 proxy tunnels from infected hosts, allowing attackers to maintain covert communication channels between compromised environments and their own infrastructure.

SystemBC uses a custom RC4-based encryption method to communicate with its servers. It also enables attackers to download additional malicious tools, either storing them on disk or executing them directly in memory, making detection more difficult.
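Because SystemBC's value to an intruder is the SOCKS5 tunnel it opens from inside the network, one practical detection angle is to look for SOCKS5 negotiation on links where no proxy client should exist. The following is an added example written for this article, not code from Check Point or from the malware itself: a minimal parser for the SOCKS5 greeting and request messages defined in RFC 1928, applied to constructed flow records (process name, destination, first client bytes) of the kind an endpoint or network sensor might export. Any flow that negotiates SOCKS5 from a process outside an allowlist is flagged. The process names, addresses and byte strings are constructed samples, and the flow-record shape is an assumption, not the format of any particular sensor.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# SOCKS5 constants from RFC 1928.
SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass
class Socks5Request:
    command: str
    address: str
    port: int


def parse_greeting(data: bytes) -> Optional[list]:
    """Return the offered auth methods if data is a SOCKS5 client greeting, else None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT); None if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        end = 8
        if len(data) < end + 2:
            return None
        address = str(ipaddress.IPv4Address(bytes(data[4:8])))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        name_len = data[4]
        end = 5 + name_len
        if name_len == 0 or len(data) < end + 2:
            return None
        address = data[5:end].decode("ascii", errors="replace")
    elif atyp == ATYP_IPV6:
        end = 20
        if len(data) < end + 2:
            return None
        address = str(ipaddress.IPv6Address(bytes(data[4:20])))
    else:
        return None
    (port,) = struct.unpack("!H", data[end:end + 2])
    return Socks5Request(CMD_NAMES[cmd], address, port)


def find_unexpected_proxies(flows, allowed_clients):
    """Flag flows whose first client bytes form a SOCKS5 greeting followed by a valid
    request, unless the sending process is a known, approved proxy client."""
    findings = []
    for proc, dst, greeting, request in flows:
        if proc.lower() in allowed_clients:
            continue
        if parse_greeting(greeting) is None:
            continue
        req = parse_request(request)
        if req is not None:
            findings.append((proc, dst, req))
    return findings


# Constructed sample flow records: (client process, destination, greeting bytes, request bytes).
SAMPLE_FLOWS = [
    # Approved corporate proxy client: ignored even though it speaks SOCKS5.
    ("proxyclient.exe", "10.0.0.2:1080", b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.com\x00\x50"),
    # Unexpected process asking a remote SOCKS5 hop to CONNECT to 10.0.0.5:443.
    ("svchost.exe", "203.0.113.10:4001", b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x01\xbb"),
    # Plain HTTP, not SOCKS5 at all.
    ("chrome.exe", "198.51.100.7:80", b"GET / HTTP/1.1\r\n", b""),
]

if __name__ == "__main__":
    for proc, dst, req in find_unexpected_proxies(SAMPLE_FLOWS, {"proxyclient.exe"}):
        print(f"{proc} -> {dst}: SOCKS5 {req.command} {req.address}:{req.port}")
```

The parser deliberately rejects truncated or malformed messages rather than guessing, so that a sensor does not raise alerts on random binary traffic that happens to start with 0x05. Note that this only catches the clear-text SOCKS5 negotiation; SystemBC's own server communication is RC4-wrapped, so the tunnel contents would still need to be judged by destination reputation and process context rather than by payload inspection.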

The Gentlemen Ransomware Expands Rapidly

Since its appearance in mid-2025, The Gentlemen ransomware group has grown into one of the most active threats in the cybercrime landscape. The group has already listed over 320 victims on its leak platform.

Operating under a double-extortion model, attackers not only encrypt data but also threaten to release sensitive information. Their toolkit is highly adaptable, targeting multiple platforms including Windows, Linux, BSD, and NAS devices. The group relies on a Go-based ransomware locker and often uses legitimate drivers along with custom malware to bypass security defenses.

Attack Techniques and Lateral Movement

Although the exact entry point remains uncertain, researchers believe attackers commonly exploit exposed online services or stolen credentials. Once inside, they conduct reconnaissance, move laterally across networks, and deploy various tools such as Cobalt Strike and SystemBC before launching the ransomware.

One notable tactic involves abusing Group Policy Objects (GPOs) to spread the attack across entire domains. During lateral movement, attackers attempt to disable security protections by executing PowerShell scripts that weaken Windows Defender, adjust system policies, and open pathways for further compromise.
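The two behaviours described above, Defender tampering via PowerShell and GPO abuse for domain-wide spread, both leave traces in Windows logs that a SOC can match on. The following is an added detection example written for this article, not code from Check Point or from any vendor product. It runs a small rule set over constructed log lines in a flattened "key=value" style, assumed to come from PowerShell Script Block Logging (Event ID 4104, which records script text after PowerShell's own decoding) and from directory-service auditing (Event ID 5137, which records creation of directory objects such as groupPolicyContainer). The hostnames, GUID placeholder and script text are constructed samples, and the line format is an assumption about the log aggregator, not any product's actual output.

```python
import re
from typing import List, Tuple

# Detection rules: (rule name, compiled regex), matched case-insensitively against one
# flattened event line at a time. Each rule names a Defender-weakening action or a GPO
# creation that an analyst would want to review in context.
RULES = [
    ("defender-feature-disabled",
     re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+\s+\$?true", re.I)),
    ("defender-exclusion-added",
     re.compile(r"Add-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender-policy-registry",
     re.compile(r"Policies\\Microsoft\\Windows Defender\b[^\n]*Disable(AntiSpyware|RealtimeMonitoring)", re.I)),
    ("gpo-object-created",
     re.compile(r"EventID=5137\b[^\n]*objectClass=groupPolicyContainer", re.I)),
]


def scan_events(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, offending line) for every rule that matches a line."""
    hits = []
    for num, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((num, name, line.strip()))
    return hits


def summarize(hits) -> dict:
    """Count hits per rule so an analyst sees which tampering categories appeared."""
    by_rule = {}
    for _, name, _ in hits:
        by_rule[name] = by_rule.get(name, 0) + 1
    return by_rule


# Constructed sample log lines (not from any real incident). Lines 1 and 6 are benign
# administrative activity that the rules must not flag.
SAMPLE_LINES = [
    "EventID=4104 Host=WS01 ScriptBlock=Get-MpComputerStatus | Select AMRunningMode",
    "EventID=4104 Host=WS01 ScriptBlock=Set-MpPreference -DisableRealtimeMonitoring $true",
    "EventID=4104 Host=WS02 ScriptBlock=Add-MpPreference -ExclusionPath 'C:\\Temp'",
    "EventID=4104 Host=WS02 ScriptBlock=Set-ItemProperty 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' -Name DisableAntiSpyware -Value 1",
    "EventID=5137 Host=DC01 objectClass=groupPolicyContainer objectDN=CN={constructed-guid},CN=Policies,CN=System,DC=corp,DC=example",
    "EventID=4104 Host=WS03 ScriptBlock=Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_LINES)
    for num, name, line in hits:
        print(f"line {num}: {name}: {line}")
    print(summarize(hits))
```

The rules are intentionally narrow so the example stays readable; in production they would be broadened and paired with context such as the account that ran the script, whether it ran on a domain controller, and whether a GPO creation was followed within minutes by a linked scheduled task or startup script. Script Block Logging matters here because it records the decoded script, so simple encoding does not hide the cmdlet names from rules like these.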

Targeting Virtual Environments

The ransomware also includes a variant designed for VMware ESXi systems. While it has fewer features than the Windows version, it is capable of shutting down virtual machines, establishing persistence, and blocking recovery efforts before encryption begins.

Global Impact and Growing Threat

The botnet linked to SystemBC has affected organizations worldwide, including victims in the United States, United Kingdom, Germany, Australia, and Romania. Despite SystemBC being active in ransomware campaigns since 2020, its exact role within The Gentlemen ecosystem remains unclear, suggesting that affiliates may use it independently.

Experts warn that the actual scale of the operation is likely far greater than currently reported, as many compromised networks have not yet been publicly disclosed.

Emergence of Kyber Ransomware

In parallel, researchers have identified another ransomware strain named Kyber, which surfaced in late 2025. This threat targets both Windows and VMware environments using encryptors written in Rust and C++.

Kyber’s ESXi version focuses on encrypting data stores, shutting down virtual machines, and even altering management interfaces. Meanwhile, its Windows version includes experimental features for attacking Hyper-V systems, indicating a trend toward specialized attack development.

Rising Ransomware Activity in 2026

Data from ZeroFox shows that ransomware and digital extortion incidents reached over 2,000 cases in the first quarter of 2026 alone, with March accounting for a significant portion. Among the most active groups were Qilin, Akira, The Gentlemen, INC Ransom, and Cl0p.

Interestingly, The Gentlemen’s targeting patterns differ from those of typical ransomware groups, with a lower proportion of victims in North America than other groups report.

Evolution of Ransomware Tactics

According to recent industry reports, ransomware operations are becoming more structured and business-oriented. Attackers are increasingly focusing on disabling security tools, exploiting vulnerable drivers, and targeting smaller organizations as well as operational technology environments.

Another concerning trend is the speed of attacks. Many ransomware campaigns now progress from initial access to full encryption within hours, often during nights or weekends to reduce the chances of detection.
