Scrape Timestamp (UTC): 2025-05-16 14:08:30.635
Original Article Text
Ransomware gangs increasingly use Skitnet post-exploitation malware

Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it has gained significant traction among ransomware gangs since early 2025.

Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta, in Microsoft Teams phishing attacks against enterprises, and Cactus.

Stealthy and powerful backdoor

The Skitnet infection begins with a Rust-based loader dropped and executed on the target system, which decrypts a ChaCha20-encrypted Nim binary and loads it into memory.

The Nim payload establishes a DNS-based reverse shell for communication with the command and control (C2) server, initiating the session with randomized DNS queries. The malware starts three threads: one for sending heartbeat DNS requests, one for monitoring and exfiltrating shell output, and one for listening for and decrypting commands from DNS responses.

Commands to be executed are delivered over HTTP or DNS, as issued by the operator through the Skitnet C2 control panel. The C2 panel lets the operator view the target's IP address, location and status, and issue commands for execution.

The supported commands are:

Apart from the core command set, the operators may also leverage a separate capability involving a .NET loader, which allows them to execute PowerShell scripts in memory, for even deeper attack customization.

Though ransomware groups often use custom tools tailored to specific operations that have low AV detection, these are costly to develop and require skilled developers who aren't always available, especially in lower-tier groups.
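The DNS heartbeat channel described above is the kind of behaviour a resolver-log hunt can surface: one client repeatedly querying random-looking subdomains of a single parent domain at a regular cadence. The following is an added example, not code from the article, from Prodaft or from the malware: a small Python detector that groups DNS queries by (client, parent domain), measures how regular the inter-query intervals are, and scores the randomness of the leftmost label, run over a constructed log. The log format, the domain c2-placeholder.test, the client addresses, the thresholds and the naive two-label parent-domain extraction are all assumptions made for the example.

```python
"""Detect DNS heartbeat/beaconing patterns in a resolver query log.

Hypothetical detection logic (not Prodaft's, BleepingComputer's or Skitnet's code).
It looks for the traits the article attributes to Skitnet's DNS channel: periodic
heartbeat queries with randomized labels, all under one parent domain.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. The line format is an assumption, not any real resolver's:
# "<ISO-8601 UTC time> <client IP> <query name> <query type>".
# c2-placeholder.test and the client addresses are placeholders, not real IoCs.
SAMPLE_DNS_LOG = """\
2025-05-16T10:00:00Z 10.0.0.5 mail.example.org A
2025-05-16T10:00:00Z 10.0.0.7 k3j9x2qv8m.c2-placeholder.test TXT
2025-05-16T10:00:30Z 10.0.0.7 p7zq1w4lr2.c2-placeholder.test TXT
2025-05-16T10:01:00Z 10.0.0.7 a0v5n8y3tc.c2-placeholder.test TXT
2025-05-16T10:01:30Z 10.0.0.7 m2x7b4k9qd.c2-placeholder.test TXT
2025-05-16T10:02:00Z 10.0.0.7 r8w1z6j3ph.c2-placeholder.test TXT
2025-05-16T10:02:30Z 10.0.0.7 d4t9c2s7vn.c2-placeholder.test TXT
2025-05-16T10:00:10Z 10.0.0.5 www.example.org A
2025-05-16T10:05:00Z 10.0.0.5 www.example.org A
2025-05-16T10:07:12Z 10.0.0.5 cdn.example.org A
"""


def parse_dns_log(text):
    """Parse log lines into (timestamp, client, qname, qtype) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, parts[1], parts[2].lower().rstrip("."), parts[3]))
    return records


def shannon_entropy(label):
    """Shannon entropy in bits per character; a 10-char label of distinct chars scores ~3.32."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def registered_domain(qname):
    """Naive parent-domain extraction: the last two labels.

    Assumption for the example only; a production pipeline would consult the
    public suffix list so that names like host.example.co.uk group correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_beacons(records, min_queries=5, max_cv=0.2, min_entropy=3.0):
    """Flag (client, parent domain) pairs that query on a regular cadence with random-looking labels.

    max_cv bounds the coefficient of variation of inter-query intervals (low means regular);
    min_entropy is the mean entropy of the leftmost label over the group's queries.
    Thresholds are illustrative and need tuning per environment.
    """
    groups = defaultdict(list)
    for ts, client, qname, _qtype in records:
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, domain), items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()  # chronological order before computing intervals
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean_iv = statistics.mean(intervals)
        if mean_iv <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean_iv
        # Score the leftmost label only for names that actually carry a subdomain.
        entropies = [shannon_entropy(q.split(".")[0]) for _, q in items if q.count(".") >= 2]
        mean_ent = statistics.mean(entropies) if entropies else 0.0
        if cv <= max_cv and mean_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "count": len(items),
                "mean_interval_s": round(mean_iv, 1),
                "interval_cv": round(cv, 3),
                "mean_label_entropy": round(mean_ent, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

On the constructed log the detector reports the single 10.0.0.7 group (six queries, 30 s apart, mean label entropy about 3.32) and ignores the ordinary example.org traffic. Because the article says the session is initiated with randomized queries, a real heartbeat may also carry timing jitter; in that case raise max_cv and lean on label entropy and query volume per parent domain rather than cadence alone, and confirm hits against the IoCs Prodaft published rather than treating the heuristic as proof.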
Using off-the-shelf malware like Skitnet is cheaper and quicker to deploy, and it can make attribution harder because many threat actors use it. In the ransomware space there is room for both approaches, or even a mix of the two, but Skitnet's capabilities make it particularly enticing for attackers.

Prodaft has published indicators of compromise (IoCs) associated with Skitnet on its GitHub repository.
Daily Brief Summary
Skitnet malware, also known as "Bossnet," is being increasingly adopted by ransomware gangs for post-exploitation activities in network breaches.
Offered on the RAMP underground forum since April 2024, Skitnet has seen its popularity among criminals surge notably since early 2025.
Prodaft researchers have observed its deployment in real-world attacks by notable ransomware groups like BlackBasta during Microsoft Teams phishing campaigns and others like Cactus.
Skitnet features a Rust-based loader that decrypts and executes a Nim binary which then sets up a DNS-based reverse shell for robust C2 communication.
The malware is capable of managing communication and command execution via HTTP or DNS, enhancing its stealth and effectiveness.
Additional capabilities include executing PowerShell scripts in memory using a .NET loader, enabling deeper and more customizable attacks.
The use of ready-made tools like Skitnet is preferred by some criminal groups due to their cost-effectiveness, rapid deployment, and the difficulty in attributing attacks to specific actors.
Prodaft has released indicators of compromise (IoCs) related to Skitnet on its GitHub page to assist in defense against these threats.