Ransomware gangs are evolving fast, and their newest weapon, Skitnet malware, proves it. Known alternately as “Bossnet,” this emerging post-exploitation malware is gaining traction among threat actors like BlackBasta and Cactus. Designed for stealth, Skitnet leverages in-memory execution, DNS-based command and control, and anti-forensics to maintain a low profile while enabling persistent remote access. As its use spreads in phishing campaigns, even via platforms like Microsoft Teams, it’s becoming clear that traditional security measures may no longer be enough.

What Is Skitnet (a.k.a. Bossnet)?

Skitnet is a sophisticated post-exploitation malware toolkit that first gained attention in early 2025. It combines a Rust-based loader with a Nim binary payload, highlighting a trend toward using less common programming languages to evade detection by traditional antivirus tools. Unlike typical malware that writes persistent files to disk, Skitnet is designed to operate entirely in memory, significantly reducing its forensic footprint.

Its multi-stage architecture begins with the Rust loader decrypting the Nim payload and executing it directly in memory. This execution method, paired with its use of DNS tunneling for communication, makes Skitnet incredibly elusive and difficult to track.

Technical Capabilities

  1. DNS-Based Communication: Skitnet sets up a reverse shell over DNS, using randomized domain queries to communicate with its command-and-control (C2) server. This stealthy technique bypasses many firewalls and intrusion detection systems.
  2. Multi-Threaded Operations: The malware spawns multiple threads to handle various tasks, such as maintaining the shell session, decrypting incoming commands, and sending heartbeat signals to its C2 server.
  3. Anti-Forensics Measures: Skitnet actively wipes traces of its activity, including SSH logs, IP addresses, shell command histories, and system caches. This makes incident response and forensic investigations significantly more challenging.
  4. No Disk Persistence: By avoiding writing files to disk, Skitnet minimizes the risk of detection by conventional endpoint protection systems.

Who’s Using It?

Skitnet has been increasingly adopted by major ransomware gangs, notably BlackBasta and Cactus. These groups have incorporated Skitnet into their post-exploitation toolkits to maintain access to compromised systems and exfiltrate data without raising alarms. A notable use case involves phishing campaigns delivered via Microsoft Teams, where attackers gain initial access and then deploy Skitnet to deepen their control over infected systems.

The malware’s stealthy nature makes it ideal for ransomware operations, where maintaining undetected access is critical to identifying high-value targets, stealing data, and preparing systems for encryption.

Skitnet Represents a Growing Threat

Skitnet exemplifies the next generation of post-exploitation tools designed for persistence, stealth, and adaptability. Its use of less familiar programming languages (Rust and Nim) and DNS tunneling techniques makes it particularly difficult to detect and analyze. Furthermore, the malware’s modular, in-memory execution ensures that even sophisticated cybersecurity tools may struggle to pick up on its presence.

The adoption of Skitnet by high-profile ransomware operators also suggests a trend toward integrating more advanced malware into ransomware playbooks, increasing the threat level for organizations across all sectors.

Mitigation and Defense Strategies

To counter the growing threat posed by Skitnet and similar malware, organizations should adopt a multi-layered security approach:

  • DNS Traffic Monitoring: Implement DNS anomaly detection tools to identify unusual patterns, such as excessive or randomized DNS queries that may indicate covert communication.
  • Advanced Endpoint Detection (EDR): Use EDR solutions capable of detecting in-memory execution and abnormal process behavior. Behavioral analysis is key, as signature-based detection may fail.
  • Regular Security Audits: Conduct routine log reviews and audits to identify anomalies. Since Skitnet erases traces, any unexpected gaps in logs or system behavior should be closely investigated.
  • Employee Training: Educate staff on recognizing social engineering tactics, especially phishing attempts through internal communication tools like Microsoft Teams.
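A minimal implementation of the first bullet above (added example, not code from the article or from any vendor tool): it scans DNS query log lines for a client that sends many distinct, random-looking leftmost labels under one parent domain, the pattern a DNS-tunnelled reverse shell produces. The log format, the thresholds and the sample lines (including the placeholder domain) are assumptions constructed for the example.

```python
# Added example: flag clients whose DNS queries look like tunnelled C2 traffic.
# Log format "<client_ip> <queried_name>", thresholds and sample data are assumptions.
import math
from collections import defaultdict

# Constructed sample log lines; "c2-placeholder.test" is a made-up parent domain.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 k3x9q2zt7v.c2-placeholder.test
10.0.0.7 p0w8d4ncq1.c2-placeholder.test
10.0.0.7 zb5m1r7kys.c2-placeholder.test
10.0.0.7 q9v2l0xha8.c2-placeholder.test
10.0.0.7 t7c4n1mdw3.c2-placeholder.test
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Strip the leftmost label: 'a.b.example.test' -> 'b.example.test'."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[1:]) if len(parts) > 1 else qname

def flag_suspicious_clients(log_text: str, min_unique: int = 5, min_entropy: float = 3.0) -> dict:
    """Return {client_ip: parent_domain} for clients that queried at least
    min_unique distinct high-entropy leftmost labels under one parent domain."""
    per_client = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        per_client[client][parent_domain(qname)].add(qname.split(".")[0])
    flagged = {}
    for client, domains in per_client.items():
        for parent, labels in domains.items():
            high_entropy = [lbl for lbl in labels if label_entropy(lbl) >= min_entropy]
            if len(high_entropy) >= min_unique:
                flagged[client] = parent
    return flagged

if __name__ == "__main__":
    print(flag_suspicious_clients(SAMPLE_LOG))
```

In production the same logic would run over a rolling window per client, and the entropy and count thresholds would be tuned against the organisation's baseline to avoid flagging CDN or telemetry domains that legitimately use random-looking labels.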

Final Thoughts

As cybercriminals become more inventive, so too must defenders. Skitnet is not just another malware strain; it is a symbol of how quickly and intelligently ransomware actors are adapting. With its stealthy in-memory architecture, DNS-based communication, and anti-forensic measures, Skitnet raises the bar for what post-exploitation malware can achieve. Organizations must stay vigilant, adopt modern defensive tools, and foster a culture of security awareness to keep pace with this evolving threat landscape.


Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.