A sophisticated new botnet called NightshadeC2 employs an innovative “UAC Prompt Bombing” technique to evade Windows Defender and compromise endpoint security systems.
In August 2025, eSentire’s Threat Response Unit (TRU) identified this emerging threat, which represents a significant evolution in malware evasion tactics.
The botnet demonstrates advanced capabilities including reverse shell access, credential theft, keylogging, and remote system control, making it a substantial concern for enterprise security teams worldwide.
The most striking feature of NightshadeC2 is its novel “UAC Prompt Bombing” technique, which forces users to approve User Account Control prompts repeatedly until they comply.
The malware’s .NET-based loader implements a continuous loop that executes PowerShell commands to add Windows Defender exclusions for the final payload.
If users decline the UAC prompt, the system becomes increasingly unusable as prompts continue appearing indefinitely.
This approach proves particularly effective against malware analysis sandboxes. Systems with disabled Windows Defender services generate non-zero exit codes, trapping automated analysis environments in execution loops and preventing payload delivery.
TRU researchers confirmed successful bypass of multiple sandbox solutions including Joe Sandbox, CAPEv2, Hatching Triage, and Any.Run using this relatively simple technique.
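The repeated exclusion attempts described above leave a distinctive trace in PowerShell script block logging: the same Add-MpPreference exclusion command for the same target, over and over, on one host within seconds. The following Python is an added detection example (not code from eSentire's report or from the malware) that scans such log lines and alerts on that burst pattern. The simplified "timestamp host eventid script" line layout, the sample lines and the window/threshold values are constructed assumptions; in practice the 4104 events would be exported from the event log first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simplified "timestamp host eventid script" layout
# (modelled on PowerShell script block logging, Event ID 4104); not real telemetry.
SAMPLE_LOGS = r"""
2025-08-14T09:12:01Z ws01 4104 Add-MpPreference -ExclusionPath 'C:\Users\Public\update.exe'
2025-08-14T09:12:07Z ws01 4104 Add-MpPreference -ExclusionPath 'C:\Users\Public\update.exe'
2025-08-14T09:12:13Z ws01 4104 Add-MpPreference -ExclusionPath 'C:\Users\Public\update.exe'
2025-08-14T09:12:19Z ws01 4104 Add-MpPreference -ExclusionPath 'C:\Users\Public\update.exe'
2025-08-14T09:30:00Z ws02 4104 Add-MpPreference -ExclusionPath 'D:\Builds'
2025-08-14T10:05:44Z ws03 4104 Get-MpComputerStatus
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event_id>\d+)\s+(?P<script>.*)$")
# Matches the cmdlet that adds a Defender exclusion, whichever exclusion kind is used.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension)\s+['\"]?(?P<target>[^'\"\s]+)",
    re.IGNORECASE,
)


def parse_exclusion_events(text):
    """Return (timestamp, host, kind, target) for every Add-MpPreference exclusion seen."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event_id"] != "4104":
            continue
        ex = EXCLUSION_RE.search(m["script"])
        if not ex:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], ex["kind"].lower(), ex["target"]))
    return events


def detect_prompt_bombing(text, window_seconds=60, threshold=3):
    """Alert when the same exclusion is added repeatedly on one host within the window.

    A single exclusion is ordinary admin activity; a burst of identical ones is the
    retry loop that keeps re-issuing the command until the UAC prompt is accepted.
    """
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, host, kind, target in parse_exclusion_events(text):
        by_key[(host, kind, target)].append(ts)

    alerts = []
    for (host, kind, target), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": host, "kind": kind, "target": target,
                           "count": peak, "first_seen": times[0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_LOGS):
        print(alert)
```

Running the block flags ws01 (four identical exclusion attempts in 18 seconds) and ignores ws02's single exclusion; the threshold and window are the knobs to tune against your own baseline of legitimate exclusion changes.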
Multi-Variant Architecture
NightshadeC2 operates through both C and Python-based variants, each communicating with unidentified Command and Control frameworks.
The C variant primarily utilizes TCP ports 7777, 33336, 33337, and 443, while Python variants predominantly connect through TCP port 80. This diversified communication strategy enhances the botnet’s resilience against network-based detection systems.
The C variant offers comprehensive functionality including reverse shell capabilities through Command Prompt and PowerShell, DLL and executable download/execution, self-deletion mechanisms, remote control features, screen capture, hidden web browser deployment, and extensive keylogging with clipboard content harvesting.
The C2 then responds with the RC4 encrypted passphrase in acknowledgement of the correct key, and the client sends the fingerprint information for the victim device.
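The RC4 acknowledgement step is the part of this handshake an analyst most often has to reproduce when reading a packet capture with a key recovered from the sample. The following Python is an added example, not code from the malware or from eSentire's report: it implements RC4 and walks through a mock version of the exchange from both sides, then shows the analyst-side decode. The key, passphrase, fingerprint fields and message framing are constructed assumptions, since the report does not publish them.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed values; the real key and passphrase are not published in the report.
ASSUMED_KEY = b"example-rc4-key"
ASSUMED_PASSPHRASE = b"example-passphrase"


def c2_acknowledge(client_key: bytes):
    """Mock C2 side: only a client presenting the expected key gets the encrypted passphrase."""
    if client_key != ASSUMED_KEY:
        return None
    return rc4(ASSUMED_KEY, ASSUMED_PASSPHRASE)


def client_handshake(fingerprint: dict) -> list:
    """Mock client side: present the key, verify the acknowledgement, then send the fingerprint.

    Returns the transcript as (direction, bytes) pairs, as a capture would show them.
    """
    transcript = [("client->c2", ASSUMED_KEY)]
    ack = c2_acknowledge(ASSUMED_KEY)
    transcript.append(("c2->client", ack))
    if rc4(ASSUMED_KEY, ack) == ASSUMED_PASSPHRASE:       # decrypt and compare
        payload = "|".join(f"{k}={v}" for k, v in fingerprint.items()).encode()
        transcript.append(("client->c2", rc4(ASSUMED_KEY, payload)))
    return transcript


def decode_capture(key: bytes, transcript: list) -> list:
    """Analyst side: decrypt every message after the key exchange with the recovered key."""
    return [(direction, rc4(key, blob)) for direction, blob in transcript[1:]]


if __name__ == "__main__":
    capture = client_handshake({"host": "ws01", "os": "win10"})
    for direction, plaintext in decode_capture(ASSUMED_KEY, capture):
        print(direction, plaintext)
```

Because RC4 provides no integrity check, the client's comparison of the decrypted acknowledgement against the expected passphrase is the only thing binding the two sides; for an analyst that also means a recovered key decrypts every message in both directions without any further secret.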

Additionally, certain variants possess credential theft capabilities targeting both Gecko and Chromium-based browsers.
The Python variant, which researchers believe may have been converted using Large Language Models, maintains reduced functionality limited to self-deletion, download/execute operations, and reverse shell capabilities.
This streamlined approach likely serves as an evasion mechanism, as VirusTotal analysis shows fewer security vendors successfully identify Python-based variants.
Distribution and Initial Access Methods
NightshadeC2 primarily spreads through two distinct vectors. The first employs ClickFix social engineering tactics, presenting victims with fake CAPTCHA verification pages themed around legitimate services like booking.com.
Users receive instructions to execute malicious commands through the Windows Run Prompt, initiating the infection chain.
The second distribution method involves trojanized versions of legitimate software applications.
TRU researchers have identified compromised versions of Advanced IP Scanner, Express VPN, HyperSecure VPN, CCleaner, and Everything search utility. This approach exploits user trust in familiar software brands to achieve initial system compromise.
![booking[.]com themed ClickFix attack](https://gbhackers.com/wp-content/uploads/2025/09/New-Botnet-Emerges-from-the-Shadows-Figure-1-1024x546.png)
Upon successful installation, NightshadeC2 establishes persistence through multiple Windows registry mechanisms including Winlogon, RunOnce, and Active Setup entries.
The malware performs initial reconnaissance by querying ip-api.com to gather victim geolocation data and VPN status information, likely to avoid security researcher environments and analysis sandboxes.
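The three persistence locations named above (Winlogon, RunOnce and Active Setup) can be checked offline against a registry export. The following Python is an added example, not code from eSentire or the malware: it parses the `.reg` export format, flags anything appended to the Winlogon `Userinit` chain beyond the default `userinit.exe`, any change to `Shell` away from `explorer.exe`, every queued RunOnce entry, and every Active Setup `StubPath`. The sample export, the paths in it and the `{PLACEHOLDER-GUID}` component name are constructed, not indicators from the campaign.

```python
import re

# Constructed excerpt in the .reg export format; the paths, value names and the
# Active Setup GUID are placeholders, not indicators from the campaign.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\svc.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\Users\\Public\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{PLACEHOLDER-GUID}]
"StubPath"="C:\\Users\\Public\\svc.exe /q"
"""

WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"   # stock Windows value
DEFAULT_SHELL = "explorer.exe"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')   # REG_SZ lines only


def parse_reg_export(text):
    """Map each [key] to its string values; dword:/hex: lines are ignored here."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # .reg escapes backslash and double quote with a backslash
                keys[current][m["name"]] = re.sub(r"\\(.)", r"\1", m["value"])
    return keys


def audit_persistence(text):
    """Return findings for the three persistence locations the report names."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == WINLOGON_KEY:
            userinit = values.get("Userinit", "")
            extras = [p for p in (x.strip() for x in userinit.split(","))
                      if p and p.lower() != DEFAULT_USERINIT]
            if extras:
                findings.append({"key": key, "name": "Userinit", "value": userinit,
                                 "reason": "winlogon_userinit_extra"})
            shell = values.get("Shell", DEFAULT_SHELL)
            if shell.lower() != DEFAULT_SHELL:
                findings.append({"key": key, "name": "Shell", "value": shell,
                                 "reason": "winlogon_shell_changed"})
        elif k.endswith("\\currentversion\\runonce"):
            for name, value in values.items():      # anything queued for the next logon
                findings.append({"key": key, "name": name, "value": value,
                                 "reason": "runonce_entry"})
        elif "\\active setup\\installed components\\" in k and "StubPath" in values:
            findings.append({"key": key, "name": "StubPath", "value": values["StubPath"],
                             "reason": "active_setup_stubpath"})
    return findings


if __name__ == "__main__":
    for f in audit_persistence(SAMPLE_REG_EXPORT):
        print(f"{f['reason']:24} {f['key']}\\{f['name']} = {f['value']}")
```

Feed it the output of `reg export` for each of the three keys and triage the findings: the `Userinit` and `Shell` checks are high-signal because the defaults rarely change, while RunOnce and Active Setup entries need comparison against what installers legitimately left behind.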

The botnet’s keylogging and clipboard harvesting capabilities operate through hidden windows created with specific class names like “IsabellaWine.”
The malware registers clipboard format listeners and installs low-level keyboard hooks to capture user input across all applications.
Harvested data is stored in hidden log files with variable names such as “JohniiDepp” for elevated processes and “LuchiiSvet” (Russian for “RaysLight”) for standard user contexts.
NightshadeC2 implements an extensive command set supporting various malicious operations.
These include keep-alive mechanisms, reverse shell establishment, file upload/download capabilities, C2 server migration, self-deletion, hidden desktop creation, screen capture functionality, and remote control features enabling copy/paste operations and simulated keyboard/mouse input.
UAC Bypass Techniques
Beyond UAC Prompt Bombing, TRU researchers identified two additional UAC bypass methods employed by NightshadeC2 campaigns.
The first utilizes a 2019 vulnerability that exploits RPC server behavior implementing UAC features.
The second technique, targeting systems older than Windows 11, manipulates the DiskCleanup scheduled task through registry modifications and LOLBin (Living Off The Land Binary) processes to escalate privileges without user interaction.
eSentire has developed comprehensive YARA rules for detecting both C and Python variants of NightshadeC2.
The security firm recommends organizations implement several defensive measures including disabling the Windows Run prompt through Group Policy Objects, deploying Next-Generation Antivirus solutions with Endpoint Detection and Response capabilities, and establishing comprehensive Phishing and Security Awareness Training programs.
The discovery of NightshadeC2 highlights the evolving sophistication of modern malware campaigns and the critical importance of multi-layered security approaches.
Organizations must remain vigilant against social engineering tactics while maintaining robust endpoint protection and user education programs to defend against these advanced persistent threats.