Several ransomware actors have used malware called SkitNet as part of their post-explosion efforts to steal sensitive data and establish remote control over compromised hosts.
“Skitnet has been on sale at underground forums like Ramp since April 2024,” Swiss Cybersecurity Company Prodaft told Hacker News. “But since early 2025, we’ve seen multiple ransomware operators using it in real attacks.”
“For example, in April 2025, Blackbusta leveraged skitnet in a team-themed phishing campaign aimed at enterprise environments. Its stealth capabilities and flexible architecture make it seem that Skitnet is gaining rapid traction within the ransomware ecosystem.”
SkitNet, also known as BossNet, is a multi-stage malware developed by a threat actor tracked by the company under the name Larva-306. A notable aspect of malicious tools is that they use programming languages like Rust and NIM to launch reverse shells over DNS to avoid detection.
It is also embedded in the versatile threats, including persistence mechanisms, remote access tools, data removal commands, and even downloading .NET loader binaries that can be used to provide additional payloads.
First promoted on April 19, 2024, SkitNet will be offered to potential customers as a “compact package” that contains server components and malware. The first executable is a Rust binary that decrypts and executes an embedded payload compiled with NIM.
“The main function of this NIM binary is to establish an inverse shell connection with C2 [command-and-control] Through DNS resolution, the server stated that “use the getProcAddress function to dynamically resolve API function addresses rather than using traditional import tables to avoid detection.”
The NIM-based binaries also launch multiple threads, send DNS requests every 10 seconds, read DNS responses, extract commands to run on the host, and return the command execution results back to the server. The command is issued through the C2 panel, which is used to manage infected hosts.
Some of the supported PowerShell commands are listed below –
Startup guarantees persistence by creating shortcuts in the startup directory on the victim’s device screen. This captures a screenshot of the victim’s desktop AnyDesk/Rutserv. Installed security products
“Skitnet is multi-stage malware that utilizes multiple programming languages and encryption technologies,” Prodaft said. “Malware tries to circumvent traditional security measures by using Rust for payload decryption and manual mapping, followed by a NIM-based inverse shell that communicates over DNS.”
This disclosure is because Zscaler ThreatLabz details another malware loader called another malware loader used to provide ransomware strains called Morpheus, which target American law firms.
Active since at least February 2025, Transferloader incorporates three components for backdoors, a downloader, a backdoor, and a special loader, allowing threat actors to execute arbitrary commands on the compromised system.
The downloader is designed to retrieve and run the payload from the C2 server, and run the PDF decoy file at the same time, but the backdoor is responsible for running the server-issued commands and updating its own configuration.
“Backdoor utilizes a distributed interplanetary file system (IPFS) peer-to-peer platform as a fallback channel for updating command and control (C2) servers,” the cybersecurity company said. “Transferloader developers use obfuscation methods to make the reverse engineering process even more boring.”
Source link
