Surge in Skitnet Usage Highlights Evolving Ransomware Tactics
Today’s cyber threat landscape is rapidly evolving, making it increasingly difficult for adversaries to tell the difference between traditional malware families, as adversaries combine their capabilities to maximise their impact. Skitnet, an advanced multistage post-exploitation toolkit, is one of the best examples of this convergence, as it emerged as an evolution of the legacy Skimer malware, a sophisticated multi-stage post-exploitation toolkit.
Skitnet, which was once used as a tool for skimming card information from ATMs, has been repurposed as one of the strongest weapons in the arsenal of advanced ransomware groups, notably Black Basta. In the last few months, it has appeared again as part of a larger tactical shift aimed at focusing on stealth, persistent access, data exfiltration, and support for double extortion ransomware campaigns that move away from singular objectives like financial theft.
Since April 2024, Skitnet, which is also known as Bossnet in some underground circles, has been actively traded on darknet forums like RAMP, with a noticeable uptake noticed among cybercriminals by early 2025. This version has an enterprise-scale modular architecture, unlike its predecessor, which allows it to operate at an enterprise scale.
There is no need to worry about fileless execution, DNS-based communication for command-and-control (C2), system persistence, or seamless integration with legitimate remote management tools like PowerShell or AnyDesk to use it. Through this flexibility, attackers can continue to remain covert inside targeted environments for extended periods of time without being noticed.
In addition to being a threat to enterprises, Skitnet has also been deployed through sophisticated phishing campaigns that attempt to duplicate trusted enterprise platforms such as Microsoft Teams, thus allowing threat actors to use social engineering as a primary vector for gaining access to networks and systems.
Moreover, this evolution demonstrates the growing commoditization of post-exploitation toolkits on underground markets, which offers a leading indicator of how ransomware groups are utilising increasingly advanced malware to refine their tactics and enhance the overall efficiency of their operations.
According to recent threat intelligence findings, multiple ransomware groups are now actively integrating Skitnet into their post-exploitation toolkits in order to facilitate data theft, maintain persistent remote access to compromised enterprise systems, and reinforce control over compromised enterprise systems as well as facilitate after-exploitation data theft.
Skitnet began circulating in underground forums like RAMP as early as April 2024, but its popularity skyrocketed by early 2025, when several prominent ransomware actors began leveraging its use in active campaigns to target consumers.
Several experts believe that Skitnet will end up being a major ransomware threat to the public shortly.
The ransomware group Black Basta, for instance, was seen using Skitnet as part of phishing campaigns mimicking Microsoft Teams communications in April of 2025, an increasingly common technique that exploits the trust of employees towards workplace collaboration tools.
The Skitnet campaign targets enterprise environments, where its stealth capabilities and modular design make it possible for the attacker to deep infiltrate and stay active for a long time.
PRODAFT is tracking Skitnet as LARVA-306, the threat actor designated by the organisation. Skitnet, also known in underground circles by Bossnet, is a multi-stage malware platform designed to be versatile and evasive in nature.
A unique feature of this malware is its use of Rust and Nim, two emerging programming languages in the malware development community, to craft payloads that are highly resistant to detection.
By initiating a reverse shell via the DNS, the malware bypasses traditional security monitoring and allows attackers to remain in communication with the command-and-control infrastructure and maintain covert communications.
Further increasing Skitnet's threat potential are its robust persistence mechanisms, the ability to integrate with legitimate remote access tools, and the ability to exfiltrate data built into its software.
The .NET loader binary can also be retrieved and executed by the server, which serves as a mechanism to deliver additional payloads to the machine, thus increasing its operational flexibility.
As described on dark web forums, Skitnet is a “compact package” comprised of a server component as well as a malware payload that is easy to deploy. As a result of Skitnet's technical sophistication and ease of deployment, it continues to be a popular choice among cybercriminals looking for scalable, stealthy, and effective post-exploitation tools.
There is a modular architecture built into Skitnet, with a PowerShell-based dropper that decodes and executes the core loader in a centralised manner. Using HTTP POST requests with AES-encrypted payloads, the loader retrieves task-specific plugins from hardcoded command-and-control servers that are hardcoded. One of its components is skitnel.dll, which makes it possible to execute in memory while maintaining the persistence of the system through built-in mechanisms.
Researchers have stated that Skitnet's plugin ecosystem includes modules that are dedicated to the harvesting of credentials, escalation of privileges, and lateral movement of ransomware, which allow threat actors to tailor their attacks to meet the strategic objectives and targets of their attacks. It is clear from the infection chain that Skitnet is a technical advancement in the post-exploitation process, beginning with the execution of a Rust-based loader on compromised hosts.
With this loader, a Nim binary that is encrypted with ChaCha20 is decrypted and then loaded directly into memory, allowing the binary to be executed stealthily, without the need for traditional detection mechanisms. The Nim-based payload establishes a reverse shell through a DNS-based DNS request, utilising randomised DNS queries to initiate covert communications with the command-and-control (C2) infrastructure as soon as it is activated.
To carry out its core functions, the malware then launches three different threads to manage its core functions: one thread takes care of periodic heartbeat signals, another thread monitors and extracts shell output, and yet another thread monitors and decrypts responses received over DNS, and the third thread listens for incoming instructions.
Based on the attacker's preferences set within the Skitnet C2 control panel, command execution and C2 communication are dynamically managed, using either HTTP or DNS protocols.
Through the web-based interface, operators can view infected endpoints in real-time, view their IP address, their location, and their system status, as well as remotely execute command-line commands with precision, in real time.
As a result of Skitnet's level of control, it has become a very important tool in modern ransomware campaigns as a highly adaptable and covert post-exploitation tool.
As opposed to custom-built malware created just for specific campaigns, Skitnet is openly traded on underground forums, offering a powerful post-exploitation solution to cyber criminals of all sorts.
The stealth characteristics of this product, as well as minimal detection rates and ease of deployment, make it an attractive choice for threat actors looking to maximise performance and maintain operational covertness. With this ready accessibility, the technical barrier to executing sophisticated attacks is dramatically reduced.
Real-World Deployments by Ransomware Groups
There is no doubt in my mind that Skitnet is not just a theoretical concept. Security researchers have determined that it has been used in actual operations conducted by ransomware groups such as Black Basta and Cactus, as well as in other real-life situations.
As part of their phishing campaigns, actors have impersonated Microsoft Teams to gain access to enterprise environments. In these attacks, Skitnet has successfully been deployed, highlighting its growing importance among ransomware threats.
Defensive Measures Against Skitnet
Skitnet poses a significant risk to organisations. Organisations need to adopt a proactive and layered security approach to mitigate these risks. Key recommendations are as follows:
DNS Traffic Monitoring: Identify and block unusual or covert DNS queries that might be indicative of an activity like command and control.
Endpoint Detection and Response (EDR)
Use advanced EDR tools to detect and investigate suspicious behaviour associated with Rust and Nim-based payloads. Often, old antivirus solutions are unable to detect these threats.
PowerShell Execution Restrictions: PowerShell should be limited to only be used in situations that prevent unauthorised script execution and minimise the risk of a fileless malware attack.
Regular Security Audits
Continually assess and manage vulnerabilities to prevent malware like Skitnet from entering the network and exploiting them, as well as administer patches as needed.
The Growing Threat of Commodity Malware
In the context of ransomware operations, Skitnet represents the evolution of commodity malware into a strategic weapon. As its presence in cybercrime continues to grow, organisations are required to stay informed, agile, and ready to fight back. To defend against this rapidly evolving threat, it is crucial to develop resilience through threat intelligence, technical controls, and user awareness.
Often times, elite ransomware groups invest in creating custom post-exploitation toolsets, but they take a considerable amount of time, energy, and resources to develop them—factors that can restrict operational agility. Skitnet, on the other hand, is a cost-effective, prepackaged alternative that is not only easy to deploy but also difficult to attribute, as it is actively distributed among a wide range of threat actors.
A broad distribution of incidents further blurs attribution lines, making it more difficult to identify threat actors and respond to incidents. The cybersecurity firm Prodaft has published on GitHub associated Indicators of Compromise (IoCs) related to incident response. As a result of Skitnet's plug-and-play architecture and high-impact capabilities, it is particularly appealing to groups that wish to achieve strategic goals with minimal operational overhead in terms of performance and operational efficiency.
According to Prodaft in its analysis, Skitnet is particularly attractive for groups that are trying to maximise impact with the lowest overhead. However, in spite of the development of antivirus evasion techniques for custom-made malware, the affordability, modularity, and stealth features of Skitnet continue to drive its adoption in the marketplace.
Despite the fact that it is a high-functioning off-the-shelf tool, its popularity in the ransomware ecosystem illustrates a growing trend that often outweighs bespoke development when attempting to achieve disruptive outcomes. As ransomware tactics continue to evolve at an explosive rate, the advent and widespread adoption of versatile toolkits like Skitnet are a stark reminder of how threat actors have been continually refining their methods in order to outpace traditional security measures.
A holistic and proactive cybersecurity posture is vital for organisations to adopt to protect themselves from cyber threats and evade detection, one that extends far beyond basic perimeter defences and incorporates advanced threat detection, continuous monitoring, and rapid incident response capabilities. To detect subtle indicators of compromise that commodity malware like Skitnet exploits to maintain persistence and evade detection, organisations should prioritise integrating behavioural analytics and threat intelligence.
It is also vital to foster an awareness of cybersecurity risks among employees, particularly when it comes to the risks associated with phishing and social engineering, to close the gap in human intelligence that is often the first attack vector employed by cybercriminals. Organisations must be able to protect themselves from sophisticated post-exploitation tools through multilayered defence strategies combining technology, processes, and people, enabling them to not only detect and mitigate the current threats but also adapt to emerging cyber risks in an ever-changing digital environment with rapidity.
