Ransomware gang members more and more use a brand new malware referred to as Skitnet (“Bossnet”) to carry out stealthy post-exploitation actions on breached networks.
The malware has been provided on the market on underground boards like RAMP since April 2024, however in response to Prodaft researchersit began gaining vital traction amongst ransomware gangs since early 2025.
Prodaft instructed BleepingComputer they’ve noticed a number of ransomware operations deploying Skitnet in real-world assaults, together with BlackBasta in Microsoft Groups phishing assaults towards the enterprise, and Cactus.
.jpg)
The malware promoted on underground boards
Supply: Prodaft
Stealthy and highly effective backdoor
The Skitnet an infection begins with a Rust-based loader dropped and executed on the goal system, which decrypts a ChaCha20 encrypted Nim binary and hundreds it into reminiscence.
The Nim payload establishes a DNS-based reverse shell for communication with the command and management (C2) server, initiating the session with randomized DNS queries.
The malware begins three threads, one for sending heartbeat DNS requests, one for monitoring and exfiltrating shell output, and one for listening for and decrypting instructions from DNS responses.
Communication and instructions to be executed are despatched by way of HTTP or DNS, primarily based on instructions issued by way of the Skitnet C2 management panel. The C2 panel permits the operator to see the goal’s IP, location, standing, and concern instructions for execution.
.jpg)
Dirtnet’s admin panel
Supply: Prodaft
The supported instructions are:
startup – Establishes persistence by downloading three information (together with a malicious DLL) and making a shortcut to a reputable Asus executable (ISP.exe) within the Startup folder. This triggers a DLL hijack that executes a PowerShell script (pas.ps1) for ongoing C2 communication.
Display – Captures a screenshot of the sufferer’s desktop utilizing PowerShell, uploads it to Imgur, and sends the picture URL again to the C2 server.
Anydesk – Downloads and silently installs AnyDesk, a reputable distant entry device, whereas hiding the window and notification tray icon.
Rutserv – Downloads and silently installs RUT-Serv, one other reputable distant entry device.
Shell – Begins a PowerShell command loop. Sends an preliminary “Shell began..” message, then repeatedly polls (?m) the server each 5 seconds for brand spanking new instructions which it executes utilizing Invoke-Expression, and sends outcomes again.
Av – Enumerates put in antivirus and safety software program by querying WMI (SELECT * FROM AntiVirusProduct within the rootSecurityCenter2 namespace). Sends outcomes to the C2 server.
Other than the core command set, the operators might also leverage a separate functionality involving a .NET loader, which permits them to execute PowerShell scripts in reminiscence, for even deeper assault customization.
Dirtnet’s .internet loader
Supply: Prodaft
Although ransomware teams typically use customized instruments tailor-made to particular operations and have low AV detection, these are pricey to develop and require expert builders who aren’t at all times out there, particularly in lower-tier teams.
Utilizing an off-the-shelf malware like Skitnet is cheaper, faster to deploy, and may make attribution more durable, as many menace actors use it.
Within the ransomware house, there’s room for each approaches, even a mixture of the 2, however Skitnet’s capabilities make it notably attractive for hackers.
Prodaft has revealed indicators of compromise (IoCs) related to Skitnet on its GitHub repository.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and find out how to defend towards them.
