In recent developments, cybersecurity experts have identified a concerning trend: multiple ransomware groups are incorporating a sophisticated malware known as Skitnet into their operations. This tool enhances their ability to steal sensitive data and maintain remote control over compromised systems, posing significant challenges for organizations worldwide.
Emergence and Adoption of Skitnet
Skitnet, also referred to as Bossnet, first appeared on underground forums like RAMP in April 2024. Developed by a threat actor identified as LARVA-306, this malware has rapidly gained traction among cybercriminals. By early 2025, several ransomware operators had integrated Skitnet into their attack strategies. Notably, in April 2025, the Black Basta ransomware group utilized Skitnet in phishing campaigns that mimicked Microsoft Teams notifications, specifically targeting enterprise environments. The malware’s stealth capabilities and adaptable architecture have made it an attractive asset within the ransomware ecosystem.
Technical Composition and Functionality
Skitnet is a multi-stage malware that combines several programming languages and encryption layers to evade detection. The initial executable is a Rust binary that decrypts and runs an embedded payload compiled in Nim. This Nim-based payload establishes a reverse shell to the command-and-control (C2) server that is carried over DNS queries and responses rather than a conventional TCP connection, allowing attackers to execute commands on the infected host. To hinder static analysis, it resolves the Windows API functions it needs at run time with GetProcAddress instead of listing them in the executable’s import table.
The malware’s design includes several threads that perform specific functions:
– DNS Communication: Skitnet sends DNS requests every 10 seconds to maintain communication with the C2 server.
– Command Execution: It reads DNS responses to extract commands issued by the attackers and executes them on the compromised system.
– Data Transmission: The results of executed commands are sent back to the C2 server, facilitating continuous control and data exfiltration.
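A fixed 10-second DNS check-in with a changing subdomain in every query is a recognisable pattern in resolver logs, and the same logic catches any fixed interval, not only 10 seconds. The script below is an added illustration written for this article, not Skitnet code or any vendor’s detection rule. It assumes a resolver log in the constructed form "<epoch-seconds> <client-ip> <queried-name>" and flags client/zone pairs whose queries arrive at a near-constant interval and whose subdomain labels are mostly unique (the sign that each query is carrying a command or result). The sample log embedded in it is constructed, including the domain example-c2.test.

```python
"""Flag periodic DNS beaconing of the kind described above.

Added example, not Skitnet code or any vendor's detection logic.
Input format (constructed for this example):
    "<epoch-seconds> <client-ip> <queried-name>" per line.
"""
import statistics
from collections import defaultdict

# Constructed sample log: one host querying a fixed zone every 10 s with a
# fresh subdomain each time, plus ordinary browsing from a second host.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + 10 * i} 10.0.0.7 {i:04x}a9.cmd.example-c2.test" for i in range(12)]
    + [
        "1700000003 10.0.0.9 www.example.com",
        "1700000041 10.0.0.9 mail.example.com",
        "1700000090 10.0.0.9 www.example.com",
        "1700000099 10.0.0.9 cdn.example.net",
    ]
)


def registered_zone(name, labels=2):
    """Collapse a query name to its last `labels` labels (crude apex guess)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Yield (timestamp, client, name) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            yield int(fields[0]), fields[1], fields[2]
        except ValueError:
            continue


def find_beacons(text, min_queries=8, max_jitter=0.2, min_unique_ratio=0.5):
    """Return [(client, zone, mean_interval, jitter, unique_ratio)] for
    client/zone pairs that look like scheduled check-ins.

    jitter       = stdev / mean of the gaps between queries (0 = perfectly regular)
    unique_ratio = distinct full names / queries (high when every query carries
                   new data in its subdomain label)
    """
    by_pair = defaultdict(list)
    for ts, client, name in parse_log(text):
        by_pair[(client, registered_zone(name))].append((ts, name))

    hits = []
    for (client, zone), rows in by_pair.items():
        if len(rows) < min_queries:
            continue
        rows.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        unique_ratio = len({n for _, n in rows}) / len(rows)
        if jitter <= max_jitter and unique_ratio >= min_unique_ratio:
            hits.append((client, zone, mean, jitter, unique_ratio))
    return hits


if __name__ == "__main__":
    for client, zone, mean, jitter, ratio in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {zone}: every {mean:.1f}s "
              f"(jitter {jitter:.2f}, {ratio:.0%} unique names)")
```

The thresholds are starting points rather than tuned values: legitimate software also polls on a schedule (update checks, telemetry), so in practice the zone allow-list and the unique-subdomain ratio do most of the work in separating a data channel from a harmless heartbeat. Feeding it real resolver or Sysmon Event ID 22 output only requires adapting parse_log to that format.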
The C2 panel used by attackers offers a range of PowerShell commands, including:
– Startup: Ensures persistence by creating shortcuts in the Startup directory of the victim’s device.
– Screen: Captures screenshots of the victim’s desktop.
– Anydesk/Rutserv: Deploys legitimate remote desktop software like AnyDesk or Remote Utilities (rutserv.exe) to maintain access.
– Shell: Executes PowerShell scripts hosted on remote servers and sends the results back to the C2 server.
– AV: Gathers a list of installed security products to assess and potentially disable defenses.
Implications for Cybersecurity
The integration of Skitnet into ransomware operations signifies a strategic evolution in cybercriminal tactics. By leveraging advanced programming languages like Rust and Nim, and utilizing DNS for command-and-control communications, attackers can effectively bypass traditional security measures. This approach not only enhances the stealth of their operations but also complicates detection and mitigation efforts.
The use of legitimate tools for malicious purposes is not unprecedented. For instance, the HRSword tool, part of a security software suite developed by China-based Huorong Network Technology, has been repurposed by ransomware crews to disable endpoint protection systems. Because it’s a legitimate product, it’s less likely to be detected and blocked by the antivirus and security systems that organizations use to protect their computers.
In one 2024 case during which Talos responded to a GlobeImposter ransomware infection, the intruders gained admin-level access and executed HRSword to disable the victim’s EDR system early on in the attack. They then deployed a series of other legitimate tools repurposed for remote access and control, allowing them to move through the network and search for sensitive data to steal. “After HRSword was deployed, we also saw Netsupport RAT, Smbexec, Wmiexec, and all these other tools to facilitate lateral movement,” McKay said.
In another incident tied to a Phobos ransomware attack, the miscreants again started with HRSword. “We also saw a second tool deployed from the same protection suite HRSword belongs to,” McKay said, adding that it was likely used to sideload malicious DLLs. “They were going after those out-of-the-box products that had not been configured specifically for that organization.”
“When we talk about threat actor tooling and other patterns, [they are] wanting to hide in plain sight,” McKay said. “Using HRSword is a way to do that because it’s a legitimate tool, and it should be occurring legitimately on many systems. With threat actors using that to kick off their operations, it’s much more likely to go undetected.” ([theregister.com](https://www.theregister.com/AMP/2025/03/31/ransomware_crews_edr_killers/?utm_source=openai))
Broader Trends in Ransomware Tactics
The adoption of Skitnet reflects a broader trend in the ransomware landscape, where groups are increasingly professionalizing their operations. The rise of Ransomware-as-a-Service (RaaS) models has democratized access to sophisticated attack tools, enabling even less technically skilled actors to launch effective ransomware campaigns. This model involves separate malware coders, access finders (using separate access brokers), finance operators, and marketers. These combine to offer ransomware services to affiliates, either selling or leasing out the complete ransomware package. It has several effects: it helps keep the real criminals at arm’s length from researchers and law enforcement, and it allows a far greater number of lesser-skilled criminals to deliver potentially devastating ransomware attacks. It has been dubbed the ‘democratization’ of ransomware. ([securityweek.com](https://www.securityweek.com/cyber-insights-2024-ransomware/amp/?utm_source=openai))
Additionally, ransomware groups are evolving in new and dangerous ways. The rise of cross-platform programming languages, such as Rust and Golang, has enabled attackers to damage as many systems as possible with the same malware by writing code that can be executed on several operating systems at once. For example, a leading group that is an ever-present name in the ransomware space, Conti, has managed to design a variant that is spread via certain affiliates in order to target Linux-based systems. BlackCat, labeled as a next-generation malware gang, was mentioned as another group — one that has apparently attacked more than 60 organizations since December 2021. Rust was its language of choice for developing malware strains. Elsewhere, a group known as DeadBolt relied on Golang instead for its ransomware endeavors. This cyber gang is notorious for its attacks on QNAP (network-based storage devices from a Taiwanese company). ([digitaltrends.com](https://www.digitaltrends.com/computing/ransomware-gangs-are-evolving-in-new-and-dangerous-ways/?utm_source=openai))
Conclusion
The deployment of Skitnet by ransomware gangs underscores the continuous evolution of cyber threats. Organizations must remain vigilant, adopting comprehensive security measures that include advanced threat detection, regular system updates, and employee training to recognize phishing attempts and other common attack vectors. As cybercriminals refine their tactics, a proactive and informed defense strategy becomes increasingly essential to safeguard sensitive data and maintain operational integrity.