Ransomware Operations Leverage Skitnet Malware for Covert Data Exfiltration and Remote Access Capabilities


Several ransomware groups are actively deploying a malware known as Skitnet as part of their post-exploitation tactics aimed at exfiltrating sensitive data and establishing remote access to compromised systems. 

Since its introduction on underground forums such as RAMP in April 2024, Skitnet has garnered attention. Reports indicate that by early 2025, various ransomware operators had begun utilizing it in live attacks, including a notable instance where the Black Basta group employed Skitnet in Teams-themed phishing schemes targeting corporate environments. Thanks to its stealth capabilities and adaptable architecture, Skitnet is rapidly solidifying its presence in the ransomware landscape.

Skitnet, also referred to as Bossnet, is a multi-stage malware developed by a threat actor designated as LARVA-306. The malware leverages modern programming languages such as Rust and Nim to create a reverse shell that operates over DNS, enhancing its evasion tactics against detection mechanisms. Its architecture features persistence mechanisms, remote access capabilities, and commands facilitating data exfiltration, along with the ability to download a .NET loader binary for further payload delivery, making it a multifaceted threat.

Initially marketed on April 19, 2024, Skitnet is presented as a “compact package” that includes both a server component and the malware itself. The primary executable is a Rust binary which decrypts and launches an embedded payload compiled in Nim. The Nim binary’s main function is to initiate a reverse shell connection to a command-and-control (C2) server via DNS resolution. To minimize the risk of detection, it employs the GetProcAddress function to dynamically resolve API addresses instead of relying on conventional import tables.

The Nim component launches multiple threads that issue DNS requests every 10 seconds, parse the DNS responses to extract commands to execute, and send the results back to the C2 server, which manages the infected hosts. Noteworthy PowerShell commands supported by Skitnet include:

Startup: Ensures persistence by creating shortcuts in the Startup directory of the infected device.
Screen: Captures screenshots of the victim’s desktop.
Anydesk/Rutserv: Deploys legitimate remote desktop software like AnyDesk or Remote Utilities (“rutserv.exe”).
Shell: Executes PowerShell scripts hosted on remote servers and returns the results to the C2 server.
AV: Collects a list of installed security software.
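As an added example (not code from the report or from any vendor tooling), the following Python heuristic scans DNS query logs for a client that resolves names under one domain at a steady cadence close to the 10-second beacon interval described above. The log format, client addresses and domain names are constructed placeholders, and the registered-domain extraction is a deliberate simplification.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client IP> <query name> <qtype>".
# Addresses and domains are placeholders, not real indicators.
SAMPLE_LOG = """\
2025-03-01T10:00:00 10.0.0.5 a1f3.c2-example.test TXT
2025-03-01T10:00:10 10.0.0.5 b7e2.c2-example.test TXT
2025-03-01T10:00:20 10.0.0.5 09cd.c2-example.test TXT
2025-03-01T10:00:30 10.0.0.5 4e11.c2-example.test TXT
2025-03-01T10:00:40 10.0.0.5 77aa.c2-example.test TXT
2025-03-01T10:00:50 10.0.0.5 d0b3.c2-example.test TXT
2025-03-01T10:00:03 10.0.0.7 www.example.com A
2025-03-01T10:07:15 10.0.0.7 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname) from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def registered_domain(qname):
    """Simplification: last two labels. Production code should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])

def find_beacons(text, min_queries=5, expected=10.0, tolerance=2.0):
    """Return (client, domain, count, median_gap) for query series that repeat
    about every `expected` seconds with little jitter (a beacon-like pattern)."""
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        series[(client, registered_domain(qname))].append(ts)
    hits = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue  # too few queries to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med, jitter = statistics.median(gaps), statistics.pstdev(gaps)
        if abs(med - expected) <= tolerance and jitter <= tolerance:
            hits.append((client, domain, len(times), med))
    return hits
```

Run `find_beacons(SAMPLE_LOG)` to see the single flagged client; against real resolver logs, tune `min_queries` and `tolerance` to the environment's noise, and treat a hit as a lead for triage rather than a verdict.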

According to cybersecurity specialists, Skitnet is a sophisticated form of malware that incorporates multiple programming languages and encryption methods. By employing Rust for payload decryption and manual mapping, alongside a Nim-based reverse shell communicating over DNS, it effectively circumvents traditional security protocols.

The emergence of Skitnet coincides with reports from Zscaler ThreatLabz regarding another malware loader called TransferLoader, which is being utilized to facilitate a ransomware variant known as Morpheus, specifically targeting an American law firm. Since its identification in February 2025, TransferLoader has shown a complex structure comprising a downloader, a backdoor, and a specific loader for the backdoor itself, granting attackers the capability to execute arbitrary commands on compromised systems.

The downloader is tasked with retrieving and executing a payload from a C2 server while also launching a PDF decoy file. Meanwhile, the backdoor is responsible for executing commands from the server and updating its configuration as required. Furthermore, the backdoor utilizes the decentralized InterPlanetary File System (IPFS) as a backup channel for command-and-control (C2) server updates, while obfuscation techniques utilized by TransferLoader’s developers complicate the reverse engineering of the malware’s mechanisms.