Researchers at Prodaft are warning of growing adoption of a new stealthy malware dubbed Skitnet, also known as "Bossnet," among ransomware gangs to maintain covert access and control in compromised enterprise networks.
First advertised on underground forums like RAMP in April 2024, Skitnet has surged in popularity among ransomware groups in early 2025. Notably, the malware has been used in real-world attacks by operations including BlackBasta, which reportedly deployed it during Microsoft Teams phishing campaigns, and Cactus.
The attack chain begins with a Rust-based loader dropped onto the victim’s system. This loader decrypts and executes a ChaCha20-encrypted Nim payload, which establishes a DNS-based reverse shell for command-and-control (C2) communications. The shell initiates contact with randomized DNS queries, evading conventional network detection.
Once active, Skitnet spawns three threads to manage communication: one sends heartbeat DNS requests, another monitors and exfiltrates shell output, and a third listens for incoming commands via DNS and decrypts them.
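As an added, defender-side example (not code from Prodaft's report): a small detector for the DNS heartbeat pattern described above, run over constructed sample DNS query logs. The hosts, domains and 30-second cadence are made up, and the thresholds are assumptions to tune per environment.

```python
import math
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample DNS log ("epoch src_host qname"); hosts, domains and cadence are made up.
SAMPLE_LOG = """
1700000000 ws-01 k3j9x2m.example-c2.test
1700000030 ws-01 q8v1zp0.example-c2.test
1700000060 ws-01 z2m7ty4.example-c2.test
1700000090 ws-01 h5n0wq8.example-c2.test
1700000120 ws-01 b9r4xk1.example-c2.test
1700000005 ws-02 www.example.test
1700000070 ws-02 mail.example.test
1700000400 ws-02 www.example.test
1700000900 ws-02 cdn.example.test
"""
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels such as k3j9x2m score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); a real detector would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_beacons(log_text, min_queries=4, max_jitter=0.2, min_entropy=2.5):
    """Flag (host, domain, mean_gap) where one host queries one domain at a steady
    cadence with high-entropy leftmost labels, as a DNS heartbeat channel would."""
    series = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, host, qname = int(m[1]), m[2], m[3]
            series[(host, registered_domain(qname))].append((ts, qname.split(".")[0]))
    hits = []
    for (host, domain), events in series.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0  # ~0 = clockwork timing
        entropy = statistics.mean(shannon_entropy(label) for _, label in events)
        if jitter <= max_jitter and entropy >= min_entropy:
            hits.append((host, domain, round(mean_gap, 1)))
    return hits
```

Irregular, low-entropy browsing traffic (ws-02) is left alone; only the steady, random-looking series from ws-01 is reported.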
Skitnet’s C2 panel offers attackers a real-time view of infected systems, including IP addresses, geolocation, and system status. Operators can issue commands through either HTTP or DNS channels, depending on operational needs.
Beyond the core functionality, Skitnet supports .NET-based in-memory PowerShell execution, allowing attackers to tailor post-exploitation actions and extend lateral movement or data theft.
Indicators of compromise (IoCs) for Skitnet are available in Prodaft’s GitHub repository.