New NightshadeC2 Botnet Uses ‘UAC Prompt Bombing’ to Bypass Windows Defender Protections


Security teams began observing a novel botnet strain slipping beneath the radar of standard Windows Defender defenses in early August 2025.

Dubbed NightshadeC2, this malware family leverages both C and Python-based payloads to establish persistent, remote-control access on compromised hosts.

Initial infection chains often start with customized “ClickFix” landing pages that trick users into executing commands via the Windows Run prompt, while secondary campaigns employ trojanized installers of popular utilities such as Advanced IP Scanner, CCleaner, and various VPN clients.


Once executed, NightshadeC2 rapidly escalates privileges, disables or excludes its components from Defender scans, and calls home to a dynamic command and control infrastructure.

As the campaign unfolded, eSentire analysts identified a distinctive loader component responsible for delivering the final payload.

This .NET-based loader executes in a tight loop, spawning PowerShell processes designed to add Defender exclusions for NightshadeC2 before allowing the payload to run.

Should Defender service checks fail or the user decline elevation, the loader repeats its prompts ad nauseam—a technique the researchers have termed “UAC Prompt Bombing.”

Booking[.]com themed ClickFix attack (Source – eSentire)

The relentless barrage of elevation requests not only frustrates malware sandbox environments but also coerces real users into granting the necessary permissions to proceed.

Upon securing Defender exclusions, the loader writes persistence entries into three separate registry locations—Winlogon, RunOnce, and Active Setup—to guarantee execution at system startup.

It then downloads and decrypts the core C variant over TCP ports typically reserved for web traffic (80 and 443) or high-numbered ports (7777, 33336, 33337).

The malware immediately collects victim system details via public geo-IP lookup services and registry queries to form a unique fingerprint, before negotiating an RC4-encrypted session key with its C2.

Through this clandestine channel, operators can issue an array of commands—ranging from reverse shell initiation to payload downloads, screen captures, and automated keylogging.

UAC Prompt Bombing: Bypassing Defender via Relentless Elevation Loops

Central to NightshadeC2’s stealth is its UAC Prompt Bombing routine. After loading the .NET module, the loader constructs a PowerShell command to add its as-yet-unwritten payload to Defender’s exclusion list:

while ($exitCode -ne 0) {
    # Spawn a child PowerShell that tries to add the (not yet written) payload path to Defender's exclusions;
    # -PassThru returns the process object so its exit code can be read after -Wait
    $proc = Start-Process powershell -ArgumentList '-Command "Add-MpPreference -ExclusionPath C:\Windows\Temp\payload.exe"' -Wait -PassThru
    $exitCode = $proc.ExitCode   # nonzero while Defender is unavailable or the user refuses elevation
}

The second-stage PowerShell loader, shown below, illustrates how the loader concatenates the exclusion command.

Second stage PowerShell loader (Source – eSentire)

When Defender is disabled or non-responsive, the exit code remains nonzero, trapping sandbox analyses in an infinite loop.

This forced repetition of UAC dialogs effectively breaks automated analysis: the sandbox is trapped in the evasion loop and never reaches the final payload.

‘Show details’ of UAC prompt (Source – eSentire)

Once a user finally approves the elevation or the service status changes, the loop breaks, and the final payload is delivered.

By leveraging this simple yet powerful mechanism, NightshadeC2 evades both automated and manual inspection, allowing its operators to perform credential theft from major browsers, establish hidden web browsers on victim desktops, and maintain long-term persistence across targeted networks.
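The footprint this chain leaves on a host is concrete: a Defender exclusion pointing into a temp directory, plus entries in the three persistence locations named above (Winlogon, RunOnce, Active Setup). The following triage script is an added example for defenders, not code from eSentire or from the malware; it assumes an elevated PowerShell session on the host under review, and the "suspicious path" pattern is an assumption chosen to match temp and user-writable directories.

```powershell
# Added triage script: audits the Defender-exclusion and persistence locations attributed to NightshadeC2.
# Assumption: run elevated; the path pattern below is a heuristic, not an indicator from the report.
$suspiciousPathPattern = '\\(Temp|Users\\[^\\]+\\AppData|ProgramData|Public)\\'
$findings = @()

# 1. Defender exclusions: an exclusion into a temp/user-writable path is what the
#    "UAC prompt bombing" loop leaves behind once a user finally clicks Yes.
$pref = Get-MpPreference
foreach ($ex in @($pref.ExclusionPath)) {
    if ($ex -and ($ex -match $suspiciousPathPattern)) {
        $findings += [pscustomobject]@{ Source = 'Defender'; Key = 'ExclusionPath'; Value = $ex }
    }
}

# 2. Winlogon (Shell/Userinit hijack) and RunOnce (HKLM and HKCU) persistence.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = @('Shell','Userinit') }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Names = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce';     Names = $null }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { continue }
    $item  = Get-ItemProperty -Path $c.Path
    # With Names = $null, inspect every value under the key (skipping PowerShell's PS* metadata)
    $names = if ($c.Names) { $c.Names } else { $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
    foreach ($n in $names) {
        $v = $item.$n
        if ($v -and ($v -match $suspiciousPathPattern)) {
            $findings += [pscustomobject]@{ Source = $c.Path; Key = $n; Value = $v }
        }
    }
}

# 3. Active Setup: each component subkey's StubPath runs once per user at logon.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
        if ($stub -and ($stub -match $suspiciousPathPattern)) {
            $findings += [pscustomobject]@{ Source = $_.PSPath; Key = 'StubPath'; Value = $stub }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious exclusion or persistence entries found.' }
```

Any hit should be cross-checked against the binary it points to and against recent Defender event log entries for exclusion changes, since legitimate software occasionally registers exclusions in ProgramData.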
