
In the spring of 2024, an obscure tool known as Skitnet—also appearing under the alias “Bossnet”—surfaced on underground hacker forums. Within mere months, it ascended to prominence in the arsenals of ransomware collectives, gradually displacing traditional tools disrupted by international crackdowns, such as Operation Endgame. That campaign, launched in May 2024, dealt a severe blow to infrastructures like QakBot and IcedID, leaving cybercriminals bereft of familiar malware delivery channels.
Seizing this void with remarkable speed, Skitnet emerged—a multi-stage malicious toolkit crafted by a threat actor operating under the pseudonym LARVA306. It has since been adopted by several notorious groups, including Black Basta and Cactus.
According to analysts at WardenShield, the appeal of Skitnet lies not only in its technological sophistication but also in its accessibility. It is inexpensive, modular, and masterfully evasive—qualities that make it particularly attractive amid escalating competition in the Ransomware-as-a-Service (RaaS) landscape.
Skitnet has proven especially potent in double extortion campaigns. Threat actors first exfiltrate confidential data, then encrypt the victim’s infrastructure, intensifying the pressure with threats of public disclosure. While this tactic is far from new, Skitnet deepens its impact with resilient and stealthy post-exploitation capabilities.
A hallmark of this malware is its intricate architecture. Built using a hybrid of Rust and Nim, it complicates both analysis and detection. Infection begins with a Rust-based loader that injects a Nim binary into memory, encrypted via the ChaCha20 algorithm. This loader leverages the DInvoke-rs library to execute code directly from memory—bypassing the filesystem entirely, thereby evading signature-based antivirus defenses.
Communication with the command-and-control server is achieved through a non-traditional channel: a DNS reverse shell. This mechanism disguises command-and-control traffic as innocuous DNS requests, blending seamlessly into normal network activity. Three concurrently running threads within the Nim binary handle heartbeat signals, command reception, and output transmission—circumventing standard network filtering systems entirely.
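The DNS channel described above can be hunted for in resolver logs without knowing the malware's encoding: a reverse shell that polls for commands and pushes output produces many distinct, high-entropy subdomains under one parent domain, often as TXT lookups. The script below is an added example, not code from the WardenShield report or from Skitnet itself; the log line format, the placeholder domain, the sample lines and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines; format assumed: "<epoch> <client> <qtype> <qname>".
# The parent domain c2-placeholder.test stands in for an unknown C2 domain.
SAMPLE_LOG = """\
1715000001 10.0.0.7 A www.example.com
1715000002 10.0.0.7 TXT 6a3f9c1e0b7d.c2-placeholder.test
1715000003 10.0.0.7 TXT 9e2b44a1f0c3.c2-placeholder.test
1715000004 10.0.0.7 TXT 0d8c7a5e1b62.c2-placeholder.test
1715000005 10.0.0.7 TXT 4f1a9d3c8e07.c2-placeholder.test
1715000006 10.0.0.7 TXT b7e3c2a1d9f0.c2-placeholder.test
1715000007 10.0.0.7 A cdn.example.com
1715000008 10.0.0.7 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def profile_domains(log_text: str) -> dict:
    """Aggregate per parent domain (last two labels): query count, distinct prefixes, TXT count, entropy."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "txt": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, _, qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        parent, prefix = ".".join(labels[-2:]), ".".join(labels[:-2])
        s = stats[parent]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["txt"] += qtype.upper() == "TXT"
        s["entropy_sum"] += shannon_entropy(prefix.replace(".", ""))
    return stats

def suspicious_domains(log_text: str, min_unique=5, min_entropy=3.0, min_txt_ratio=0.5) -> dict:
    """Flag parent domains whose subdomains look like an encoded command/output channel."""
    flagged = {}
    for parent, s in profile_domains(log_text).items():
        n, unique = s["queries"], len(s["prefixes"])
        mean_entropy, txt_ratio = s["entropy_sum"] / n, s["txt"] / n
        if unique >= min_unique and mean_entropy >= min_entropy and txt_ratio >= min_txt_ratio:
            flagged[parent] = {"queries": n, "unique_prefixes": unique,
                               "mean_entropy": round(mean_entropy, 2), "txt_ratio": round(txt_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for domain, info in suspicious_domains(SAMPLE_LOG).items():
        print(domain, info)
```

Thresholds must be tuned against a baseline of the environment's own DNS traffic, since CDNs, telemetry and some security products also generate high-entropy subdomains.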
Equally notable is how Skitnet achieves persistence. Upon receiving the “startup” command, it creates a new directory, C:\ProgramData\huo, on the infected machine, where it downloads three components. One of them is a legitimate executable from ASUS titled ISP.exe, digitally signed to avoid suspicion. Accompanying it are a malicious DLL named SnxHidLib.DLL and a PowerShell script, pas.ps1, which establishes communication with the attackers’ infrastructure.
Skitnet then places a shortcut to ISP.exe in the Windows Startup folder. Upon system reboot, the signed executable launches, which in turn loads the rogue DLL. The DLL initiates the PowerShell script, reestablishing the link to the command center and securing a long-term foothold in the system.
Of particular interest is the infrastructure chosen for distribution: Skitnet is being sold on the infamous RAMP marketplace, a hub for cybercriminal services. This underscores the increasing industrialization of the cybercriminal underground, where even novice threat actors can acquire advanced tools at a relatively modest cost.
Thus, Skitnet is not merely another piece of malware—it is emblematic of a broader shift: widespread accessibility, advanced engineering, and a strategic focus on post-exploitation are positioning it as a persistent and formidable threat in the ransomware landscape.