Ransomware gangs increasingly use Skitnet post-exploitation malware
Published on: 2025-07-05 19:00:00
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks.
The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it started gaining significant traction among ransomware gangs in early 2025.
Prodaft told BleepingComputer they have observed multiple ransomware operations deploying Skitnet in real-world attacks, including BlackBasta in Microsoft Teams phishing attacks against the enterprise, and Cactus.
[Image: The malware promoted on underground forums. Source: Prodaft]
Stealthy and powerful backdoor
The Skitnet infection begins with a Rust-based loader dropped and executed on the target system, which decrypts a ChaCha20-encrypted Nim binary and loads it into memory.
The Nim payload establishes a DNS-based reverse shell for communication with the command and control (C2) server, initiating the session with randomized DNS qu
...
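A detection sketch for the DNS-based C2 channel described above, added here as an example and not taken from the article or from Prodaft: it flags a client that sends many distinct, high-entropy subdomain labels under one parent domain. The log format, thresholds, addresses and domain names are constructed assumptions, not Skitnet indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname>" (not real traffic).
SAMPLE_LOG = """\
1720000000 10.0.0.5 www.example.com
1720000001 10.0.0.5 mail.example.com
1720000002 10.0.0.9 cdn1.static-host.test
1720000003 10.0.0.9 cdn2.static-host.test
1720000004 10.0.0.9 cdn3.static-host.test
1720000005 10.0.0.9 cdn4.static-host.test
1720000006 10.0.0.9 cdn5.static-host.test
1720000010 10.0.0.7 k3x9qz7w1fbp.updates-sync.example
1720000011 10.0.0.7 m8d2vj5ty0rh.updates-sync.example
1720000012 10.0.0.7 a7c4gn6ue1ls.updates-sync.example
1720000013 10.0.0.7 z2p9xk3w8qbf.updates-sync.example
1720000014 10.0.0.7 h5t0ry4jm6vd.updates-sync.example
"""

def shannon_entropy(label):
    """Bits per character of a DNS label; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_suspects(log_text, min_unique=5, min_entropy=3.0):
    """Return (client, parent_domain, unique_labels, mean_entropy) per flagged pair.
    The whole log is treated as one time window; timestamps are ignored."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        parts = fields[2].rstrip(".").lower().split(".")
        if len(parts) < 3:
            continue  # no subdomain label to inspect
        # Assumption: the last two labels are the parent zone (no public-suffix list).
        labels[(fields[1], ".".join(parts[-2:]))].add(parts[0])
    suspects = []
    for (client, domain), seen in sorted(labels.items()):
        mean_h = sum(shannon_entropy(l) for l in seen) / len(seen)
        # Both conditions must hold: many distinct labels AND random-looking labels.
        if len(seen) >= min_unique and mean_h >= min_entropy:
            suspects.append((client, domain, len(seen), round(mean_h, 2)))
    return suspects

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(hit)
```

The `cdn1`..`cdn5` client has as many distinct labels as the flagged one but low label entropy, which is why the entropy threshold is combined with the count instead of alerting on query volume alone.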