Ransomware Gangs Adopt Off-the-Shelf Malware for Post-Exploitation Activities
June 4, 2025

Ransomware gangs are increasingly adopting a powerful off-the-shelf malware called Skitnet (also known as “Bossnet”) to carry out covert, post-exploitation activities on compromised systems, writes Bill Toulas on BleepingComputer.
Researchers from cybersecurity firm Prodaft report a surge in Skitnet’s use among threat actors since early 2025, noting its deployment by prominent ransomware groups, such as BlackBasta and Cactus.
The malware has been identified in Microsoft Teams phishing campaigns targeting enterprise networks, underscoring its increasing operational role in ransomware attacks.
Skitnet first emerged on underground forums in April 2024. Custom-built malware requires skilled developers and significant resources. Skitnet, by contrast, is ready-made, cost-effective, and harder to attribute, which makes it attractive to ransomware gangs, especially operators with limited capabilities.
Skitnet’s infection chain begins with a Rust-based loader that executes a ChaCha20-encrypted Nim binary and loads it into memory. The Nim component establishes a DNS-based reverse shell for command and control (C2) communications, enabling operators to remotely control infected machines without detection.
The malware’s capabilities include establishing persistence, capturing screenshots, silently installing remote access tools like AnyDesk and RUT-Serv, enumerating antivirus products, and executing custom PowerShell scripts.
Skitnet supports both DNS and HTTP-based communications, allowing operators to interact with infected devices through a C2 panel, making it a flexible yet dangerous tool for ransomware campaigns.
Attorneys should note that Skitnet’s stealth and accessibility raise the stakes for clients in industries where data security is critical. Legal teams must stay informed about emerging malware trends and advise clients on robust incident response and prevention strategies.
They should also evaluate their own vulnerability to post-exploitation tools, such as Skitnet, which are designed to bypass traditional security measures and enable long-term persistence within networks.