Sophisticated Skitnet Malware Actively Adopted by Ransomware Gangs to Streamline Operations

Sophisticated Skitnet Malware Actively Adopted by Ransomware Gangs to Streamline Operations

Ransomware operators have increasingly turned to a sophisticated new malware tool called Skitnet, also known as “Bossnet,” to enhance their post-exploitation capabilities and evade traditional security measures.

First emerging on underground cybercrime forums in April 2024, this multi-stage malware has rapidly gained traction among prominent ransomware groups seeking to streamline their operations while maintaining stealth throughout their attacks.

The malware represents a significant evolution in the ransomware ecosystem, particularly as law enforcement actions like Operation Endgame in May 2024 disrupted major botnets including QakBot and IcedID, creating demand for new tools to fill the operational gap.

Google News

WardenShield analysts noted that Skitnet’s affordability, modular design, and advanced stealth features have made it an attractive option for cybercriminals operating in the increasingly competitive ransomware-as-a-service landscape.

Developed by a threat actor tracked as LARVA306, Skitnet has been observed in active campaigns by established ransomware groups including Black Basta and Cactus throughout 2025.

Black Basta has notably deployed the malware in Microsoft Teams-themed phishing campaigns targeting enterprise environments, while Cactus has leveraged it for similar post-exploitation activities.

The malware’s availability on platforms like RAMP highlights the industrialization of cybercrime, where Malware-as-a-Service ecosystems democratize access to sophisticated tools for less-skilled actors.

Skitnet’s impact extends beyond traditional malware capabilities, serving as a critical component in double extortion schemes where ransomware gangs steal sensitive data before encrypting systems.

This approach increases pressure on victims to pay ransoms by threatening public disclosure of confidential information.

The malware’s ability to maintain long-term persistence in compromised networks enables attackers to conduct reconnaissance, lateral movement, and strategic payload deployment while avoiding detection by traditional security measures.

The malware’s technical sophistication lies in its multi-language architecture and innovative communication methods, representing a new generation of threats designed specifically to counter modern enterprise defenses and endpoint detection systems.

Advanced Infection Mechanisms and Persistence Tactics

Skitnet employs a sophisticated multi-stage infection process that begins with a Rust-based loader designed to evade traditional antivirus detection.

The initial executable decrypts a ChaCha20-encrypted Nim binary and loads it directly into memory using reflective code loading via the DInvoke-rs library.

This in-memory execution strategy avoids writing malicious code to disk, significantly reducing the likelihood of detection by signature-based security tools.

The decrypted Nim payload establishes communication with command-and-control servers through an innovative DNS-based reverse shell, utilizing randomized DNS queries that blend seamlessly with legitimate network traffic.

The payload operates through three concurrent threads: a heartbeat mechanism that sends periodic DNS requests, an output tracking system for command exfiltration, and a command listener that receives encrypted instructions via DNS responses.

Skitnet’s persistence mechanisms demonstrate particular sophistication through its DLL hijacking technique.

When operators execute the “startup” command, the malware downloads three critical files to the C:ProgramDatahuo directory: ISP.exe (a legitimate, digitally signed ASUS executable), SnxHidLib.DLL (a malicious library), and pas.ps1 (a PowerShell script maintaining C2 communication).

The malware places a shortcut to ISP.exe in the Windows Startup folder, ensuring execution upon system reboot.

When ISP.exe loads, it imports the malicious SnxHidLib.DLL, which subsequently executes the pas.ps1 script, creating a resilient persistence loop that survives system restarts and maintains continuous communication with attacker infrastructure.

Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests



Source link