Introduction
In the evolving cyber threat landscape, advanced malware is becoming a critical enabler for ransomware operators. One such emerging threat is Skitnet, a sophisticated multi-stage malware observed in several real-world ransomware campaigns since early 2025. Cybersecurity researchers have flagged its increasing adoption by threat actors for tasks such as data exfiltration and persistent remote access. This article provides an in-depth overview of Skitnet's capabilities, techniques used to avoid detection, and its broader implications within the ransomware ecosystem.
Emergence and Distribution of Skitnet
Skitnet—also known as Bossnet—first appeared in underground cybercrime forums such as RAMP in April 2024. It has since been actively marketed as a compact and highly adaptable malware toolkit, consisting of both server components and an executable payload.
According to cybersecurity firm PRODAFT, multiple ransomware operators began deploying Skitnet in real-world attacks by early 2025. A notable instance occurred in April 2025, when the Black Basta group utilized the malware in phishing campaigns disguised as Microsoft Teams communications, specifically targeting corporate environments.
The malware's architecture and evasion techniques are believed to be contributing factors to its growing popularity among cybercriminals.
Technical Characteristics and Capabilities
Skitnet stands out due to its use of modern programming languages such as Rust and Nim, which enhance both its performance and obfuscation capabilities. It is developed by a threat actor identified by PRODAFT as LARVA-306.
The malware initiates infection with a Rust-based binary that decrypts and launches an embedded Nim payload. The primary objective of this Nim component is to establish a reverse shell with a command-and-control (C2) server using DNS-based communication, an advanced technique that helps bypass conventional network defenses.
To further evade detection, Skitnet avoids standard API imports by dynamically resolving function addresses using the GetProcAddress method. The malware runs background threads to:
- Transmit DNS queries at regular intervals (every 10 seconds)
- Interpret DNS responses containing execution commands
- Send execution results back to the C2 server
The embedded C2 panel enables remote operators to manage infected hosts efficiently.
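The fixed 10-second DNS beacon described above is the kind of regularity a defender can hunt for in resolver logs. The following is an added detection example written for this article, not Skitnet code or any vendor's rule; the log format, client addresses and the c2-placeholder.example domain are all constructed.

```python
"""Flag periodic DNS beaconing (near-constant inter-query gaps) in query logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <query name>"
SAMPLE_LOG = """\
2025-04-10T09:00:00 10.0.0.5 a1f3.c2-placeholder.example
2025-04-10T09:00:10 10.0.0.5 b7e2.c2-placeholder.example
2025-04-10T09:00:20 10.0.0.5 9c4d.c2-placeholder.example
2025-04-10T09:00:30 10.0.0.5 e0aa.c2-placeholder.example
2025-04-10T09:00:40 10.0.0.5 51b9.c2-placeholder.example
2025-04-10T09:00:50 10.0.0.5 77f0.c2-placeholder.example
2025-04-10T09:00:03 10.0.0.7 www.example.com
2025-04-10T09:00:41 10.0.0.7 cdn.example.com
2025-04-10T09:02:17 10.0.0.7 www.example.com
"""

def registered_domain(qname: str) -> str:
    """Collapse a query name to its last two labels (sufficient for this demo)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str):
    """Group query timestamps by (client, registered domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname = line.split()
        series[(client, registered_domain(qname))].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, min_queries=5, max_jitter=1.0):
    """Return (client, domain, mean_gap_seconds) for series that fire at a
    near-constant rate. A 10 s beacon shows up as a low standard deviation
    of the gaps between consecutive queries to the same domain."""
    hits = []
    for (client, domain), times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) + 1 < min_queries:
            continue  # too few queries to judge periodicity
        if pstdev(gaps) <= max_jitter:
            hits.append((client, domain, round(mean(gaps), 1)))
    return hits

if __name__ == "__main__":
    for client, domain, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {domain}: queries every ~{gap}s")
```

On real resolver logs, tune min_queries and max_jitter to the traffic volume, and treat a hit as a lead for triage rather than a verdict, since some legitimate agents also poll on a fixed schedule.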
Command Support and Persistence Techniques
Skitnet includes an array of PowerShell-based commands that allow attackers to perform a wide range of actions on compromised machines:
- Startup: Achieves persistence by creating a shortcut in the system’s Startup directory
- Screen: Captures screenshots of the desktop for surveillance or intelligence gathering
- Anydesk/Rutserv: Installs legitimate remote desktop applications (e.g., AnyDesk, Remote Utilities) for persistent access
- Shell: Executes PowerShell scripts hosted remotely and transmits output to the C2 server
- AV: Collects information on installed antivirus or security products
The combination of these capabilities makes Skitnet a versatile and resilient threat.
Broader Context and Related Threats
Skitnet's rise is part of a larger trend involving the use of custom loaders and backdoors in ransomware attacks. A related case was recently uncovered by Zscaler ThreatLabz, involving a malware loader known as TransferLoader.
Active since February 2025, TransferLoader has been used to deploy Morpheus ransomware against targets such as a U.S.-based law firm. It consists of three components—a downloader, a backdoor, and a specialized loader. Notably, the backdoor can update its configuration via the decentralized InterPlanetary File System (IPFS), serving as a redundant channel for maintaining command-and-control links.
This trend reflects how cybercriminals are increasingly blending stealth, redundancy, and modularity to create persistent and difficult-to-detect threats.
Conclusion
The emergence of Skitnet underscores the rapid evolution of cyber threats, where malware is engineered not just for infection but also for evasion, persistence, and remote command execution. By leveraging modern programming languages and DNS-based communication, Skitnet represents a significant advancement in malware design, offering attackers a stealthy and potent tool for conducting ransomware operations.
As threat actors continue to innovate, organizations must adopt proactive defense mechanisms, including behavioral analytics, threat hunting, and real-time monitoring, to detect and mitigate such advanced threats. Awareness and collaboration between cybersecurity experts, vendors, and enterprises are crucial in countering the growing menace posed by tools like Skitnet.