Do Son 
Several ransomware groups have begun actively deploying a strain of malware known as Skitnet during the post-exploitation phase of their operations. The goal: to establish remote control over compromised systems and exfiltrate sensitive data. According to PRODAFT, this malware first surfaced on underground forums such as RAMP in April 2024, but interest in it has surged markedly since the beginning of 2025.
One notable example includes the use of Skitnet by the Black Basta group in phishing campaigns disguised as Microsoft Teams interfaces. These attacks, which occurred in April 2025, specifically targeted corporate users. Experts point out that Skitnet’s modular architecture and stealth capabilities are making it increasingly popular among cybercriminals.
The creator of Skitnet—also known by the alias Bossnet—is believed to be a threat actor operating under the pseudonym LARVA-306. The malware is written in Rust and Nim, a combination that allows it to evade detection with high efficiency and initiate reverse shell connections via DNS. This technological fusion significantly complicates detection by traditional antivirus software and defense systems.
The infection chain begins with the execution of a Rust-based binary, which decrypts and activates an embedded payload written in Nim. This payload then initiates a reverse connection to the command-and-control (C2) server, using DNS resolution techniques and dynamic API function linking through GetProcAddress rather than standard import tables.
To maintain communication with the C2 server and execute commands, the malware employs multithreading and cycles DNS queries every ten seconds. Commands retrieved from the server are executed on the victim’s device, with the results relayed back to the attacker’s control panel.
Supported functionalities include antivirus enumeration, screenshot capture, deployment of legitimate remote access tools such as AnyDesk and rutserv, execution of remote PowerShell scripts, and persistence through the addition of shortcuts in the system’s startup directory.
Analysts note that Skitnet’s layered architecture, dual-language composition, and use of DNS as a communication channel render it particularly challenging to detect and analyze. These attributes enable threat actors to maintain long-term access to infected systems while remaining largely undetected.
In the wake of this disclosure, researchers from Zscaler ThreatLabz reported the emergence of a new malware loader dubbed TransferLoader, used to deliver the Morpheus ransomware, which has notably targeted a U.S.-based law firm. The campaign has been tracked since February 2025.
TransferLoader consists of three components: a loader, a backdoor, and a specialized module responsible for launching the backdoor. The loader fetches the payload from a C2 server while simultaneously opening a decoy PDF document to divert the victim’s attention. The backdoor receives commands from the control server and can update its configuration through IPFS, a decentralized platform used as a fallback communication channel. Developers employ obfuscation techniques to hinder reverse engineering efforts.
The growing adoption of sophisticated tools like Skitnet and TransferLoader underscores the escalating complexity of malicious infrastructure and the ransomware operators’ relentless pursuit of stealth and control within targeted networks.
Donate