Ransomware operators are increasingly using a sophisticated new malware tool that has been named Skitnet, also known as “Bossnet.” This powerful tool enhances post-exploitation capabilities for attackers and helps them to evade traditional cybersecurity measures that are currently in place. First emerging on underground cybercrime forums in April 2024, this multi-stage malware has now rapidly gained significant widespread traction. It is being actively used by prominent ransomware groups that are seeking to streamline their operations while maintaining stealth throughout their attacks. Developed by a threat actor who is tracked as LARVA306, Skitnet has been observed in many active campaigns by established ransomware groups. These groups include the notorious Black Basta and also the Cactus ransomware gangs.
Prominent ransomware groups including Black Basta and Cactus have been actively using this new Skitnet malware throughout the year 2025.
Black Basta has notably deployed the malware in various Microsoft Teams-themed phishing campaigns that are targeting many corporate enterprise environments. Skitnet now serves as a critical component in double extortion schemes where ransomware gangs first steal very sensitive company and customer data. After stealing the important data, they then proceed to encrypt the victim’s systems, adding significant pressure on them to pay. Its ability to maintain long-term persistence in compromised networks allows attackers to conduct detailed reconnaissance and also extensive lateral movement.
This malware represents a new generation of threats designed to counter modern enterprise defenses.
Skitnet employs a very sophisticated multi-stage infection process that begins with a unique Rust-based loader to evade antivirus detection. This initial executable decrypts a ChaCha20-encrypted Nim binary and then carefully loads it directly into the computer system’s memory. This advanced in-memory execution strategy successfully avoids writing any malicious code to the disk, which significantly reduces the likelihood of detection. The decrypted Nim payload then establishes its communication with command-and-control servers through an innovative DNS-based reverse shell using randomized queries. This malware’s persistence mechanisms also demonstrate particular sophistication through a very clever and effective DLL side-loading hijacking technique implemented by its developers. A legitimate ASUS executable is used.
This legitimate executable is cleverly used by the malware to load a malicious DLL file named SnxHidLib.DLL from a system directory. This malicious DLL subsequently executes a PowerShell script, which creates a resilient and also a very stealthy persistence loop for attackers. This specific loop can successfully survive system restarts and maintains continuous communication with the attacker’s command-and-control infrastructure for long periods. Skitnet’s known affordability, its modular design, and its advanced stealth features have made it an attractive option for many cybercriminals. Its availability on platforms like the RAMP forum clearly highlights the ongoing industrialization of cybercrime, which continues to be a major problem.
Reference:
