Ransomware operators are increasingly turning to a new post-exploitation malware known as Skitnet, also referred to as "Bossnet," to extend what they can do inside a network after the initial breach and to evade conventional security controls.
First advertised on underground cybercrime forums in April 2024, the multi-stage malware has quickly been adopted by prominent ransomware groups looking to streamline their operations while staying quiet during intrusions.
The malware fills a gap that opened when law enforcement disrupted major botnets: QakBot was taken down in August 2023, and Operation Endgame in May 2024 hit IcedID and several other loaders, leaving ransomware crews in need of fresh tooling.
WardenShield analysts note that Skitnet's low cost, modular architecture, and stealth features have made it an attractive choice for criminals operating in the increasingly competitive ransomware-as-a-service market.
Developed by a threat actor tracked as LARVA306, Skitnet has been observed in campaigns by established ransomware groups including Black Basta and Cactus throughout 2025.
Black Basta in particular has deployed it in Microsoft Teams-themed phishing campaigns against corporate targets, while Cactus has used it for similar post-exploitation activity.
Its availability on underground forums such as RAMP illustrates the commoditization of cybercrime: malware-as-a-service offerings put advanced tooling within reach of less skilled actors.
Skitnet also plays a part in double-extortion operations, in which ransomware groups steal sensitive data before encrypting systems and then threaten to publish it unless the ransom is paid.
Its ability to maintain long-term persistence inside a compromised network lets operators conduct reconnaissance, move laterally, and stage additional payloads while evading conventional security products.
Technically, the malware stands out for its multi-language build (a Rust loader wrapping a Nim payload) and its unusual command-and-control channel, both of which are designed to defeat modern endpoint detection and response tooling.
Enhanced Infection Techniques and Persistence Strategies
Skitnet uses a multi-stage infection chain that begins with a Rust-based loader built to evade traditional antivirus detection.
The loader decrypts a ChaCha20-encrypted Nim binary and maps it directly into memory using reflective loading implemented with the DInvoke-rs library.
Because the payload never touches disk, file-based signature scanners have little to inspect; detection has to come from memory scanning or behavioural telemetry, for example executable memory regions with no backing file inside a process that started from an unusual path.
The decrypted Nim payload then connects to its command-and-control servers through a DNS-based reverse shell, issuing randomized DNS queries that blend in with legitimate name-resolution traffic at a glance; the volume, regular timing and high-entropy labels of those queries are nonetheless visible in DNS logs.
The payload runs three concurrent threads: a heartbeat that sends periodic DNS requests, an output thread that monitors command results and exfiltrates them over DNS, and a command listener that retrieves encrypted instructions from DNS responses.
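The heartbeat and randomized-query behaviour described above leaves a recognisable footprint in resolver logs. The following Python script is an added example written for this article, not Skitnet code or the researchers' tooling: it scores each (client, registered domain) pair in a constructed DNS query log on three signals, high-entropy leftmost labels, a high share of never-repeated subdomains, and near-constant spacing between queries, and flags pairs that match all three. The log lines, the domain c2-example.test, the 30-second interval and the thresholds are all assumptions made for the demonstration.

```python
"""Heuristic detection of a DNS-based C2 beacon in a DNS query log.

Added example, not Skitnet code. It models the pattern the article
describes (a heartbeat thread issuing periodic, randomized DNS queries)
and scores each (client, registered domain) pair on three signals.
"""
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not captured traffic): "<epoch> <client_ip> <qname>".
# The c2-example.test lines imitate a beacon: a fresh 12-character label
# every 30 seconds. The remaining lines are ordinary enterprise lookups.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.microsoft.com
1700000003 10.0.0.5 teams.microsoft.com
1700000010 10.0.0.5 q8z3ma7kx2pd.c2-example.test
1700000017 10.0.0.5 login.microsoftonline.com
1700000040 10.0.0.5 b5n1rt9ye4wu.c2-example.test
1700000055 10.0.0.7 www.microsoft.com
1700000070 10.0.0.5 h2c6vf8kq1zs.c2-example.test
1700000081 10.0.0.5 teams.microsoft.com
1700000100 10.0.0.5 m9x4pa3wt7de.c2-example.test
1700000130 10.0.0.5 r6g2jn5ub8ko.c2-example.test
1700000142 10.0.0.7 login.microsoftonline.com
1700000160 10.0.0.5 y1d7sl4fz3ci.c2-example.test
1700000190 10.0.0.5 e4k9wq2mv6ap.c2-example.test
1700000205 10.0.0.5 www.microsoft.com
1700000220 10.0.0.5 t3h8bn1xj5ro.c2-example.test
"""


def registered_domain(qname: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for a demo; use a public
    suffix list in production so co.uk-style domains are not mis-grouped."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Turn the text log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        records.append((int(ts), client, qname.lower()))
    return records


def score_beacons(records, min_queries=6):
    """Per-(client, domain) metrics for pairs with at least min_queries."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))
    scores = {}
    for key, items in groups.items():
        if len(items) < min_queries:
            continue
        items.sort()
        first_labels = [q.split(".")[0] for _, q in items]
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        avg_gap = mean(gaps)
        scores[key] = {
            "queries": len(items),
            # share of subdomains that are never repeated
            "unique_ratio": len(set(first_labels)) / len(items),
            "mean_entropy": mean(label_entropy(lab) for lab in first_labels),
            # coefficient of variation of inter-query gaps: ~0 means a timer
            "gap_cv": pstdev(gaps) / avg_gap if avg_gap else float("inf"),
        }
    return scores


def flag_beacons(text: str, min_queries=6, min_unique=0.9,
                 min_entropy=3.0, max_gap_cv=0.25):
    """(client, domain) pairs whose query pattern looks like a DNS beacon."""
    flagged = []
    for key, m in score_beacons(parse_log(text), min_queries).items():
        if (m["unique_ratio"] >= min_unique and m["mean_entropy"] >= min_entropy
                and m["gap_cv"] <= max_gap_cv):
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, domain in flag_beacons(SAMPLE_LOG):
        print(f"possible DNS beacon: {client} -> {domain}")
```

The three signals are deliberately combined rather than used alone: CDNs and telemetry services also generate many unique subdomains, and some monitoring agents poll on a fixed timer, so a single metric produces noise. A real implementation would also need jitter tolerance (loosen max_gap_cv) and a public suffix list, and should exclude domains on an organisation-specific allow list before scoring.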
For persistence, Skitnet relies on DLL sideloading, a form of DLL search-order hijacking that abuses a legitimately signed binary.
When an operator issues the "startup" command, the malware downloads three files into C:\ProgramData\huo: ISP.exe, a legitimate, digitally signed ASUS executable; SnxHidLib.DLL, a malicious library carrying the name of a DLL that ISP.exe imports; and pas.ps1, a PowerShell script that re-establishes C2 communication.
It then creates a shortcut to ISP.exe in the Windows Startup folder, so the binary runs again at each user logon and therefore survives reboots.
When ISP.exe starts, it loads SnxHidLib.DLL from its own directory in place of the genuine library, and the malicious DLL in turn runs pas.ps1 to reconnect to attacker infrastructure. Because the chain is anchored on a signed vendor binary, a check that looks only at the process image passes; the tells are the unsigned DLL loaded from a user-writable directory, the Startup shortcut pointing into ProgramData, and the PowerShell child process spawned by ISP.exe.
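The three-step persistence chain above (Startup shortcut, signed binary loading an unsigned neighbour DLL, PowerShell spawned from that binary) maps directly onto Sysmon telemetry. The following Python script is an added example written for this article, not code from the article or from Skitnet: it runs one rule per step over constructed event records shaped like Sysmon events (ID 11 FileCreate, ID 7 ImageLoad, ID 1 ProcessCreate) and then correlates hits by directory. Field names follow Sysmon's schema; the event contents, the user name, the PowerShell command line and the Signed values are constructed for the demonstration, since the article names the files but not the exact invocation.

```python
"""Hunting a DLL-sideloading persistence chain in Sysmon-style events.

Added example, not code from the article or from Skitnet. Events are
constructed dictionaries using Sysmon field names; a real deployment
would read them from the Windows event log or a SIEM.
"""
import ntpath

# Directories a standard user can write to. A signed binary running from
# one of these and loading a DLL beside itself is the sideloading tell.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed events: two benign, then the three steps of the chain.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # Step 1: shortcut dropped into the per-user Startup folder.
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\ISP.lnk"},
    # Step 2: the signed ASUS binary loads an unsigned DLL from its folder.
    {"EventID": 7, "Image": r"C:\ProgramData\huo\ISP.exe",
     "ImageLoaded": r"C:\ProgramData\huo\SnxHidLib.DLL", "Signed": "false"},
    # Step 3: the DLL launches PowerShell on the dropped script
    # (flags are an assumption; the article only names pas.ps1).
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\ProgramData\huo\ISP.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\huo\pas.ps1"},
]


def in_writable_dir(path: str) -> bool:
    return path.lower().startswith(WRITABLE_PREFIXES)


def rule_startup_shortcut(ev):
    """Any file created under a Startup folder is worth a look on its own."""
    if ev["EventID"] == 11 and STARTUP_MARKER in ev["TargetFilename"].lower():
        return ("startup_shortcut", ev["TargetFilename"])
    return None


def rule_sideload(ev):
    """Image in a writable dir loads an unsigned DLL from the same dir."""
    if ev["EventID"] != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "false").lower() != "true"
    if same_dir and unsigned and in_writable_dir(image):
        return ("unsigned_dll_sideload", dll)
    return None


def rule_script_child(ev):
    """PowerShell running a script file, parented by a writable-dir binary."""
    if ev["EventID"] != 1:
        return None
    child = ntpath.basename(ev["Image"]).lower()
    if (child == "powershell.exe" and in_writable_dir(ev["ParentImage"])
            and "-file" in ev["CommandLine"].lower()):
        return ("powershell_from_writable_dir", ev["ParentImage"])
    return None


RULES = (rule_startup_shortcut, rule_sideload, rule_script_child)


def hunt(events):
    """Apply every rule to every event; return (rule_name, path) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def correlate(hits):
    """Directories flagged by at least two different rules. One hit alone
    is noisy (plenty of software writes Startup shortcuts); two distinct
    rules on the same folder look like a chain."""
    by_dir = {}
    for rule, path in hits:
        by_dir.setdefault(ntpath.dirname(path).lower(), set()).add(rule)
    return {d for d, rules in by_dir.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = hunt(EVENTS)
    for rule, path in found:
        print(f"{rule}: {path}")
    print("correlated directories:", correlate(found))
```

The correlation step ties the sideload and the PowerShell child to C:\ProgramData\huo; the Startup shortcut is keyed on its own folder because Sysmon's FileCreate event does not expose the .lnk target, so linking it to the same directory needs a separate step that parses the shortcut. Note also that Sysmon only populates Signed on ImageLoad events when DLL-load logging is enabled for the process, so the rule must be paired with a configuration that actually records those events for binaries under ProgramData and user profiles.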
The post Sophisticated Skitnet Malware Actively Adopted by Ransomware Gangs to Streamline Operations appeared first on Cyber Security News.