Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access

May 19, 2025Ravie LakshmananRansomware / Malware

Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts.

“Skitnet has been sold on underground forums like RAMP since April 2024,” Swiss cybersecurity company PRODAFT told The Hacker News. “However, since early 2025, we have observed multiple ransomware operators using it in real-world attacks.”

“For example, in April 2025, Black Basta leveraged Skitnet in Teams-themed phishing campaigns targeting enterprise environments. With its stealth features and flexible architecture, Skitnet appears to be gaining traction rapidly within the ransomware ecosystem.”

Skitnet, also called Bossnet, is a multi-stage malware developed by a threat actor tracked by the company under the name LARVA-306. A notable aspect of the malicious tool is that it uses programming languages like Rust and Nim to launch a reverse shell over DNS and evade detection.

It also incorporates persistence mechanisms, remote access tools, commands for data exfiltration, and even download a .NET loader binary that can be used to serve additional payloads, making it a versatile threat.

First advertised on April 19, 2024, Skitnet is offered to potential customers as a “compact package” comprising a server component and malware. The initial executable is a Rust binary that decrypts and runs an embedded payload that’s compiled in Nim.

“The primary function of this Nim binary is to establish a reverse shell connection with the C2 [command-and-control] server via DNS resolution,” PRODAFT said. “To evade detection, it employs the GetProcAddress function to dynamically resolve API function addresses rather than using traditional import tables.”

The Nim-based binary further starts multiple threads to send DNS requests every 10 seconds, read DNS responses and extract commands to be executed on the host, and transmit the results of the execution of the command back to the server. The commands are issued via a C2 panel that’s used to manage the infected hosts.

Some of the supported PowerShell commands are listed below –

• Startup, which ensures persistence by creating shortcuts in the Startup directory of the victim’s device
• Screen, which captures a screenshot of the victim’s desktop
• Anydesk/Rutserv, which deploys a legitimate remote desktop software like AnyDesk or Remote Utilities (“rutserv.exe”)
• Shell, to run PowerShell scripts hosted on a remote server and send the results back to the C2 server
• AV, which gathers a list of installed security products

“Skitnet is a multi-stage malware that leverages multiple programming languages, and encryption techniques,” PRODAFT said. “By using Rust for payload decryption and manual mapping, followed by a Nim-based reverse shell communicating over DNS, the malware tries to evade traditional security measures.”

The disclosure comes as Zscaler ThreatLabz detailed another malware loader dubbed TransferLoader that’s being used to deliver a ransomware strain called Morpheus targeting an American law firm.

Active since at least February 2025, TransferLoader incorporates three components, a downloader, a backdoor, and a specialized loader for the backdoor, enabling the threat actors to execute arbitrary commands on the compromised system.

While the downloader is designed to fetch and execute a payload from a C2 server and simultaneously run a PDF decoy file, the backdoor is responsible for running commands issued by the server, as well as updating its own configuration.

“The backdoor utilizes the decentralized InterPlanetary File System (IPFS) peer-to-peer platform as a fallback channel for updating the command-and-control (C2) server,” the cybersecurity company said. “The developers of TransferLoader use obfuscation methods to make the reverse engineering process more tedious.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!