Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs since early 2025. Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. The Skitnet infection begins with a Rust-based loader dropped and executed on the target system, which decrypts a ChaCha20 encrypted Nim binary and loads it into memory. Communication and commands to be executed are sent via HTTP or DNS, based on commands issued via the Skitnet C2 control panel. The malware starts three threads, one for sending heartbeat DNS requests, one for monitoring and exfiltrating shell output, and one for listening for and decrypting commands from DNS responses. Though ransomware groups often use custom tools tailored to specific operations and have low AV detection, these are costly to develop and require skilled developers who aren't always available, especially in lower-tier groups. Using an off-the-shelf malware like Skitnet is cheaper, quicker to deploy, and can make attribution harder, as many threat actors use it. Apart from the core command set, the operators may also leverage a separate capability involving a .NET loader, which allows them to execute PowerShell scripts in memory, for even deeper attack customization. The Nim payload establishes a DNS-based reverse shell for communication with the command and control (C2) server, initiating the session with randomized DNS queries. In the ransomware space, there's room for both approaches, even a mix of the two, but Skitnet's capabilities make it particularly enticing for hackers. Prodaft has published indicators of compromise (IoCs) associated with Skitnet on its GitHub repository.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 16 May 2025 14:35:08 +0000