Full Report
Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts. "Skitnet has been sold on underground forums like RAMP since April 2024," Swiss cybersecurity company PRODAFT told The Hacker News. "However, since early 2025, we have observed multiple ransomware operators using it
Analysis Summary
# Tool/Technique: Skitnet (Bossnet)
## Overview
Skitnet, also known as Bossnet, is a multi-stage malware primarily used by ransomware operators for post-exploitation activities, including stealthy data theft and establishing remote access to compromised hosts. It is designed to evade detection using a combination of programming languages and communication protocols.
## Technical Details
- Type: Malware family
- Platform: Windows (Inferred from command usage like PowerShell)
- Capabilities: Reverse shell over DNS, encryption, persistence mechanisms, remote access deployment, data exfiltration, dynamic API resolution.
- First Seen: Advertised on underground forums since April 2024; observed in real-world attacks since early 2025.
## MITRE ATT&CK Mapping
The described capabilities map to several tactics and techniques:
- **Command and Control (TA0011)**
  - **T1071 - Application Layer Protocol**
    - **T1071.004 - DNS** (Reverse shell communication established via DNS resolution)
- **Execution (TA0002)**
  - **T1059 - Command and Scripting Interpreter**
    - **T1059.001 - PowerShell** (Used for running remote scripts and data gathering)
- **Defense Evasion (TA0005)**
  - **T1027 - Obfuscated Files or Information** (Payload decryption, use of Rust/Nim)
  - **T1083 - File and Directory Discovery/Enumeration** (Gathering security product details)
- **Persistence (TA0003)**
  - **T1547 - Boot or Logon Autostart Execution**
    - **T1547.001 - Registry Run Keys / Startup Folder** (Creating shortcuts in the Startup directory)
- **Credential Access (TA0006)** (Implied through data theft capabilities)
- **Collection (TA0009)**
  - **T1115 - Clipboard Data** / **T1005 - Data from Local System** (Data exfiltration capabilities)
## Functionality
### Core Capabilities
- **Multi-Stage Execution:** Initial Rust binary decrypts and executes an embedded Nim payload.
- **Reverse Shell Implementation:** The Nim binary establishes a reverse shell connection to the C2 server using DNS resolution for transport.
- **Dynamic API Resolution:** Utilizes `GetProcAddress` to resolve API functions dynamically, bypassing traditional import tables for evasion.
### Advanced Features
- **Stealthy C2:** Communication via DNS requests/responses every 10 seconds, which aids in evading network filtering.
- **Remote Access:** Capability to deploy legitimate remote desktop software like AnyDesk or Remote Utilities (`rutserv.exe`).
- **Persistence:** Ability to create a shortcut in the victim's Startup directory.
- **Security Product Discovery:** Command (`AV`) to enumerate installed security products.
- **Remote Script Execution:** Ability to run PowerShell scripts hosted remotely and exfiltrate results back to the C2.
- **Payload Delivery:** Can download and execute a separate .NET loader binary for secondary payloads.
## Indicators of Compromise
*(Note: Specific IOCs were not detailed in the provided text, hence generalized placeholders based on functionality are used.)*
- File Hashes: [Not specified in text]
- File Names: `rutserv.exe` (For legitimate tool deployment), potentially Rust/Nim compiled binaries.
- Registry Keys: Keys associated with startup folder entries.
- Network Indicators: DNS traffic communicating with C2 infrastructure (Defanged example: `c2server[.]ext`, `ns1[.]maliciousdns[.]org`).
- Behavioral Indicators: Frequent DNS queries originating from a compromised host displaying command-and-control characteristics; the execution chain involving Rust followed by Nim; dynamic resolution of Windows APIs like `GetProcAddress`.
## Associated Threat Actors
- Multiple ransomware operators (Observed since early 2025).
- Specifically mentioned: **Black Basta** (leveraged Skitnet in April 2025 phishing campaigns).
- Developed by: Threat actor tracked as **LARVA-306**.
## Detection Methods
- Signature-based detection: Signatures targeting known Rust/Nim compiler artifacts or known Skitnet strings/structure.
- Behavioral detection: Monitoring for processes making frequent DNS requests structured for C2 communication; monitoring execution flows involving decryption of embedded payloads; detection of dynamic API resolution instead of static imports.
- YARA rules: Rules based on embedded strings or unique compilation characteristics of the Rust/Nim payloads.
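The behavioral signal above, a host resolving one domain every 10 seconds, can be checked directly in resolver logs. The following is an added example, not part of the original report or PRODAFT's tooling; the log format, the client addresses and the `c2server.ext` placeholder domain (taken from the IOC section) are all constructed, and the registered-domain logic is a last-two-labels approximation.

```python
"""Flag hosts querying one domain at a fixed ~10 s cadence, the Skitnet C2 pattern."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample resolver log (not a real capture): "<ISO time> <client> <qname>".
# c2server.ext is the report's placeholder domain; the leading labels mimic
# encoded data in subdomains, which is why parse_lines collapses them.
SAMPLE_LOG = """\
2025-05-01T10:00:00 10.0.0.5 a1b2.c2server.ext
2025-05-01T10:00:10 10.0.0.5 c3d4.c2server.ext
2025-05-01T10:00:20 10.0.0.5 e5f6.c2server.ext
2025-05-01T10:00:30 10.0.0.5 a7b8.c2server.ext
2025-05-01T10:00:40 10.0.0.5 c9d0.c2server.ext
2025-05-01T10:00:50 10.0.0.5 e1f2.c2server.ext
2025-05-01T10:00:01 10.0.0.9 www.example.com
2025-05-01T10:00:09 10.0.0.9 cdn.example.com
2025-05-01T10:00:14 10.0.0.9 www.example.com
2025-05-01T10:00:40 10.0.0.9 api.example.com
2025-05-01T10:01:30 10.0.0.9 www.example.com
"""

def parse_lines(text):
    """Yield (client_ip, registered_domain, timestamp) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname = line.split()
        # Approximate the registered domain as the last two labels.
        domain = ".".join(qname.lower().rstrip(".").split(".")[-2:])
        yield ip, domain, datetime.fromisoformat(ts)

def find_beacons(text, expected_interval=10.0, tolerance=2.0, min_queries=5):
    """Return {(client_ip, domain): median_gap_seconds} for fixed-cadence query pairs."""
    stamps = defaultdict(list)
    for ip, domain, ts in parse_lines(text):
        stamps[(ip, domain)].append(ts)
    hits = {}
    for key, times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps)
        # Regular spacing near the expected interval with little jitter is the
        # signal; ordinary browsing (10.0.0.9) has irregular gaps and is skipped.
        if abs(med - expected_interval) <= tolerance and jitter <= tolerance:
            hits[key] = med
    return hits
```

Tune `expected_interval` and `tolerance` to the cadence observed in your own telemetry; the 10-second value comes from the report's description of the C2 channel.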
## Mitigation Strategies
- **Network Segmentation & Egress Filtering:** Restrict outbound traffic, specifically monitoring or blocking unusual DNS query patterns that might indicate C2 activity.
- **Application Control:** Restrict execution of unsigned or non-standard binaries in sensitive environments, including binaries compiled from less common languages such as Rust or Nim.
- **Endpoint Detection and Response (EDR):** Focus on T1059.001 (PowerShell) usage initiated by unusual parent processes, dynamic API loading, and fileless persistence mechanisms.
- **Phishing Awareness:** Train users to recognize Teams-themed phishing emails, as this has been a noted initial vector.
- **Remote Access Tool Control:** Ensure remote desktop software (such as AnyDesk or Remote Utilities) is inventoried and managed, and restricted where it is not explicitly needed.
## Related Tools/Techniques
- TransferLoader (Mentioned in context as another malware loader seen in the wild targeting ransomware delivery).