Emergence of NightshadeC2 Botnet: Exploiting ‘UAC Prompt Bombing’ to Evade Windows Defender

In August 2025, cybersecurity experts identified a new botnet, NightshadeC2, adept at circumventing Windows Defender’s defenses. This malware utilizes payloads written in both C and Python to establish persistent remote access on infected systems.

Infection Vectors:

NightshadeC2 employs multiple strategies to infiltrate systems:

– ClickFix Landing Pages: Users are deceived into executing commands via the Windows Run prompt.

– Trojanized Installers: Malicious versions of popular utilities like Advanced IP Scanner, CCleaner, and various VPN clients serve as infection vectors.

Operational Mechanism:

Upon execution, NightshadeC2 swiftly escalates privileges, disables or excludes its components from Defender scans, and connects to a dynamic command and control (C2) infrastructure. A notable feature is its .NET-based loader, which continuously spawns PowerShell processes to add Defender exclusions for NightshadeC2 before executing the payload.

UAC Prompt Bombing Technique:

A distinctive evasion method termed UAC Prompt Bombing is central to NightshadeC2’s stealth:

– Persistent Elevation Requests: The loader repeatedly prompts for administrative privileges. If the user declines or Defender service checks fail, the prompts persist indefinitely.

– User Coercion: This relentless prompting can frustrate users, potentially leading them to grant the necessary permissions inadvertently.
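The two loader behaviours described above (the repeated elevation prompts, and the PowerShell processes that add Defender exclusions before the payload runs) both leave traces in process-creation telemetry. The following is an added detection example, not code from the report or from the malware: it parses a constructed, simplified log format (pipe-delimited fields loosely modelled on Security event 4688: timestamp, event id, parent image, new image, command line) and flags bursts of consent.exe launches within a short window, plus powershell.exe launches whose command line contains Add-MpPreference with an exclusion parameter. The sample lines, paths, timestamps and the burst threshold are assumptions for illustration.

```python
"""Flag NightshadeC2-style loader behaviour in process-creation telemetry.

Added example (not code from the report or the malware). Log format is a
constructed, simplified rendering of Security event 4688 fields:
    timestamp|event_id|parent_image|new_image|command_line
"""
import re
from datetime import datetime, timedelta

# Constructed sample telemetry; paths, PIDs and timestamps are invented.
SAMPLE_LOG = r"""
2025-08-12T10:00:01|4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 4120 0
2025-08-12T10:00:09|4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 4120 0
2025-08-12T10:00:17|4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 4120 0
2025-08-12T10:00:25|4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 4120 0
2025-08-12T10:00:40|4688|C:\Users\alice\Downloads\loader.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming\svc'
2025-08-12T10:00:41|4688|C:\Users\alice\Downloads\loader.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Add-MpPreference -ExclusionProcess 'svc.exe'
2025-08-12T10:35:00|4688|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe
2025-08-12T11:00:00|4688|C:\Windows\System32\svchost.exe|C:\Windows\System32\consent.exe|consent.exe 5511 0
"""

# Add-MpPreference exclusion parameters; the value may be quoted with ' or ".
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+['\"]?([^'\"\s]+)",
    re.IGNORECASE,
)


def parse_events(text):
    """Parse pipe-delimited lines into dicts, keeping only process-creation (4688) records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, parent, image, cmdline = line.split("|", 4)
        if event_id != "4688":
            continue
        events.append({"ts": datetime.fromisoformat(ts), "parent": parent,
                       "image": image, "cmdline": cmdline})
    return events


def find_uac_prompt_bursts(events, threshold=3, window=timedelta(minutes=2)):
    """Return bursts of >= threshold consent.exe launches whose timestamps fall within `window`."""
    prompts = sorted(e["ts"] for e in events if e["image"].lower().endswith("\\consent.exe"))
    bursts, i = [], 0
    while i < len(prompts):
        j = i
        while j + 1 < len(prompts) and prompts[j + 1] - prompts[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append({"first": prompts[i], "last": prompts[j], "count": count})
            i = j + 1          # skip past the burst so it is reported once
        else:
            i += 1
    return bursts


def find_defender_exclusion_adds(events):
    """Return PowerShell launches that add a Defender exclusion, with the excluded value and parent."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\powershell.exe"):
            continue
        m = EXCLUSION_RE.search(e["cmdline"])
        if m:
            hits.append({"ts": e["ts"], "parent": e["parent"],
                         "kind": m.group(1), "value": m.group(2),
                         # a parent outside the Windows directory adding exclusions matches the loader pattern
                         "parent_outside_windows": not e["parent"].lower().startswith("c:\\windows\\")})
    return hits


def triage(text):
    """Run both checks over one log text and return the findings."""
    events = parse_events(text)
    return {"uac_bursts": find_uac_prompt_bursts(events),
            "exclusion_adds": find_defender_exclusion_adds(events)}


if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_LOG).items():
        print(kind)
        for row in rows:
            print("  ", row)
```

On the sample, the four consent.exe launches between 10:00:01 and 10:00:25 form one burst, and both powershell.exe launches are reported with loader.exe as their non-system parent; the lone prompt at 11:00 is not flagged. In production the threshold and window should be tuned against the host's normal rate of elevation prompts, and the excluded path from the second check is a natural pivot for hunting the dropped payload.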

Persistence and Communication:

After securing Defender exclusions, the loader ensures persistence by writing entries into registry locations such as Winlogon, RunOnce, and Active Setup, guaranteeing execution at system startup. It then downloads and decrypts the core C variant over TCP ports typically reserved for web traffic (80 and 443) or high-numbered ports (7777, 33336, 33337).
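The three persistence locations named above (Winlogon, RunOnce, Active Setup) can be reviewed offline from a registry export. The following is an added audit example, not code from the report or the malware: it parses a constructed .reg-style export and flags a Winlogon Shell that is not explorer.exe, Userinit entries outside the Windows directory, every RunOnce value, and Active Setup StubPath commands whose executable lives outside the Windows directory. The sample export, its GUIDs and paths, and the "outside the Windows directory" rule are assumptions made for illustration; the rule is a heuristic, not a complete allow-list.

```python
"""Audit a .reg export for the autostart locations named in the NightshadeC2 report.

Added example (not code from the report or the malware). The export text, GUIDs
and paths are constructed; "outside the Windows directory" is a simple heuristic.
"""
import re

# Constructed sample export; GUIDs, paths and value names are invented.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\unregmp2.exe /FirstLogon /Shortcuts"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66666666-7777-8888-9999-000000000000}]
"StubPath"="C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="value", allowing .reg escapes (\\ and \") inside the value
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
SYSTEM_DIR = "c:\\windows\\"


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the string values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # undo .reg escaping: \\ -> \ and \" -> "
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def first_executable(command):
    """Extract the program path from a command line (quoted, or the first whitespace token)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def outside_system_dir(path):
    return not path.strip().lower().startswith(SYSTEM_DIR)


def audit_persistence(keys):
    """Return (category, location, value) findings for the autostart locations in the report."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon"):
            shell = values.get("Shell", "explorer.exe")
            if shell.strip().lower() != "explorer.exe":
                findings.append(("Winlogon\\Shell", key, shell))
            # Userinit is comma-separated; an appended entry after userinit.exe also runs at logon
            for part in values.get("Userinit", "").split(","):
                if part.strip() and outside_system_dir(part):
                    findings.append(("Winlogon\\Userinit", key, part.strip()))
        elif k.endswith("\\currentversion\\runonce"):
            # RunOnce is normally empty on a steady-state host, so every entry is worth review
            for name, command in values.items():
                findings.append(("RunOnce", key + "\\" + name, command))
        elif "\\active setup\\installed components\\" in k:
            stub = values.get("StubPath")
            if stub and outside_system_dir(first_executable(stub)):
                findings.append(("ActiveSetup\\StubPath", key, stub))
    return findings


def audit_reg_text(text):
    return audit_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for category, location, value in audit_reg_text(SAMPLE_REG):
        print(category, location, "->", value)
```

On the sample this yields three findings: the second Userinit entry, the RunOnce value, and the second Active Setup component; the stock explorer.exe shell and the StubPath under C:\Windows\System32 are left alone. An export for a real host should be taken from both HKLM and HKCU, since RunOnce and Active Setup have per-user counterparts.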

The malware collects system details via public geo-IP lookup services and registry queries to create a unique fingerprint. It then negotiates an RC4-encrypted session key with its C2, allowing operators to issue commands ranging from reverse shell initiation to payload downloads, screen captures, and automated keylogging.

Implications and Recommendations:

NightshadeC2’s innovative use of UAC Prompt Bombing underscores the evolving tactics of cyber threats. Organizations are advised to:

– Educate Users: Raise awareness about deceptive tactics like persistent elevation requests.

– Monitor System Behavior: Implement tools to detect unusual patterns, such as repeated UAC prompts.

– Regular Updates: Ensure all software, especially security tools, is kept up to date to counteract emerging threats.

By staying informed and proactive, organizations can bolster their defenses against sophisticated malware like NightshadeC2.