{"id":1140,"date":"2025-05-16T17:00:00","date_gmt":"2025-05-16T14:00:00","guid":{"rendered":"https:\/\/trustcrypt.com\/ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware\/"},"modified":"2025-05-17T12:49:47","modified_gmt":"2025-05-17T09:49:47","slug":"ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware","status":"publish","type":"post","link":"https:\/\/trustcrypt.com\/ar\/ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware\/","title":{"rendered":"Ransomware Groups Are Intensifying Their Use of Skitnet Post-Exploitation Malware"},"content":{"rendered":"<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware.jpg\" alt=\"Ransomware\" width=\"1600\" height=\"900\" \/><\/p>\n<p>Ransomware groups are increasingly leveraging a sophisticated malware known as Skitnet, also referred to as &#8220;Bossnet,&#8221; to conduct stealthy post-exploitation operations within compromised networks.<\/p>\n<p>This malware has been available for purchase on underground forums since April 2024. 
However, according to research conducted by Prodaft, it has gained notable traction among ransomware operations starting in early 2025.<\/p>\n<p>Prodaft has reported observing numerous ransomware campaigns deploying Skitnet in actual attacks, including those conducted by BlackBasta utilizing Microsoft Teams phishing methods and other groups such as Cactus.<\/p>\n<div style=\"text-align: center;\">\n<figure class=\"image\" style=\"display: inline-block;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware-1.jpg\" alt=\"The malware promoted on underground forums\" width=\"1111\" height=\"600\" \/><figcaption><strong>The malware promoted on underground forums<\/strong><br \/>\n<em>Source: Prodaft<\/em><\/figcaption><\/figure>\n<\/div>\n<h2>Characteristics of Skitnet<\/h2>\n<p>The infection process initiated by Skitnet involves a Rust-based loader that is executed on the target system, decrypting a ChaCha20 encrypted binary written in Nim, which is subsequently loaded into memory.<\/p>\n<p>This Nim payload creates a DNS-based reverse shell for communication with its command and control (C2) server, initiating sessions with randomized DNS queries.<\/p>\n<p>The malware operates by launching three threads: one for sending heartbeat DNS requests, another for monitoring and exfiltrating shell output, and a third for receiving and decrypting commands from DNS responses.<\/p>\n<p>Commands are relayed via HTTP or DNS, depending on the directives provided through the Skitnet C2 control panel. 
This interface allows operators to monitor the target&#8217;s IP address, geographical location, and operational status, as well as to issue commands for execution.<\/p>\n<div style=\"text-align: center;\">\n<figure class=\"image\" style=\"display: inline-block;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/ransomware-groups-are-intensifying-their-use-of-skitnet-post-exploitation-malware-2.jpg\" alt=\"Skitnet's admin panel\" width=\"1287\" height=\"600\" \/><figcaption><strong>Skitnet&#8217;s admin panel<\/strong><br \/>\n<em>Source: Prodaft<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The Skitnet C2 supports a range of commands that include:<\/p>\n<ul style=\"list-style-type: square;\">\n<li><strong>startup<\/strong> &#8211; This command establishes persistence by downloading three files, including a malicious DLL, and creating a shortcut to a legitimate Asus executable (ISP.exe) in the Startup folder. This initiates a DLL hijack that executes a PowerShell script (pas.ps1) for continuous C2 communication.<\/li>\n<li><strong>Screen<\/strong> \u2013 It captures a screenshot of the victim&#8217;s desktop using PowerShell, uploads it to Imgur, and returns the image URL to the C2 server.<\/li>\n<li><strong>Anydesk<\/strong> \u2013 Facilitates the silent download and installation of AnyDesk, a legitimate remote access tool, while concealing the window and notification tray icon.<\/li>\n<li><strong>Rutserv<\/strong> \u2013 Enables the silent download and installation of RUT-Serv, another legitimate remote access tool.<\/li>\n<li><strong>Shell<\/strong> \u2013 Starts a PowerShell command loop, initially sending a &#8220;Shell started&#8230;&#8221; notification, and then polling the server every five seconds for new commands to execute through Invoke-Expression, returning the results back.<\/li>\n<li><strong>Av<\/strong> \u2013 Gathers information on installed antivirus and security software by querying WMI (SELECT 
* FROM AntiVirusProduct in the root\\SecurityCenter2 namespace), sending this data to the C2 server.<\/li>\n<\/ul>\n<p>Beyond the primary commands, operators can utilize a separate function involving a .NET loader to execute PowerShell scripts in memory, providing an even deeper level of customization for their attacks.<\/p>\n<div style=\"text-align: center;\">\n<figure class=\"image\" style=\"display: inline-block;\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1145\" style=\"width: 726px; height: 493px;\" src=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/netloader-300x204.webp\" alt=\"\" width=\"300\" height=\"204\" srcset=\"https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/netloader-300x204.webp 300w, https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/netloader-768x523.webp 768w, https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/netloader-220x150.webp 220w, https:\/\/trustcrypt.com\/wp-content\/uploads\/2025\/05\/netloader.webp 835w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><figcaption><strong>Skitnet&#8217;s .NET loader<\/strong><br \/>\n<em>Source: Prodaft<\/em><\/figcaption><\/figure>\n<\/div>\n<p>While ransomware groups often develop custom tools specific to their operations, which tend to have low detection rates by antivirus solutions, the development of such tools can be resource-intensive and requires skilled developers who may not always be accessible, especially in smaller groups.<\/p>\n<p>Employing off-the-shelf malware like Skitnet offers a cost-effective and swift deployment option while complicating attribution, as it is utilized by a diverse range of threat actors.<\/p>\n<p>Within the ransomware landscape, both custom tools and off-the-shelf solutions coexist. However, the features offered by Skitnet render it particularly attractive to malicious actors.<\/p>\n<p>Prodaft has released a set of indicators of compromise (IoCs) associated with Skitnet for public awareness. 
These can be found in their GitHub repository.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware groups are increasingly leveraging a sophisticated malware known as Skitnet, also referred to as &#8220;Bossnet,&#8221; to conduct stealthy post-exploitation&#8230;<\/p>\n","protected":false},"author":1,"featured_media":1141,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[28],"tags":[423,54,265],"class_list":["post-1140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-dns","tag-malware","tag-powershell"],"acf":[]}