Skitnet Malware C2 via DNS and Rust Loader Threatens Enterprise Networks

Threat Group: LARVA-306
Threat Type: Post-Exploitation Malware / Remote Access Trojan (RAT)
Exploited Vulnerabilities: Not tied to specific CVEs; deployed post-compromise
Malware Used: Skitnet (Bossnet)
Threat Score: 🔴 High (8.3/10) – Due to its DNS C2, Rust/Nim modular design, stealthy persistence, and ransomware group integration
Last Threat Observation: May 20, 2025


Overview

Skitnet (also known as Bossnet) is a post-exploitation malware developed by LARVA-306 and adopted by prominent ransomware groups such as BlackBasta and Cactus. It features a multi-stage architecture coded in Rust and Nim, relying on DNS tunneling for C2 communication and in-memory execution of encrypted payloads. It enables attackers to maintain persistent access, exfiltrate data, and deploy additional payloads including ransomware. Skitnet is delivered after initial compromise, making detection and mitigation dependent on early-stage prevention and advanced behavioral analysis.


Comprehensive Threat Profile

Introduction and Origin
First advertised on the RAMP forum in April 2024, Skitnet is sold under a malware-as-a-service (MaaS) model that lowers the entry barrier for affiliates. By early 2025 it was being deployed in enterprise environments. The commoditization of capable post-exploitation tooling like Skitnet widens the range of actors able to mount sophisticated intrusions.

Technical Architecture and Modus Operandi

  • Stage 1: Rust-based loader decrypts an embedded payload
  • Stage 2: Nim-based binary (encrypted with ChaCha20) loads in memory
  • Optional: .NET loader for additional payloads or remote PowerShell execution
  • Execution: In-memory execution with dynamic API resolution using GetProcAddress
  • Goal: Stealthy persistence and modular post-exploitation control

Attack Vector and Delivery
Skitnet is deployed post-compromise. Initial access is gained via:

  • Phishing (e.g., Microsoft Teams-themed emails)
  • Exploiting unpatched software vulnerabilities

Core Capabilities

  • DNS-based reverse shell
  • Remote tool deployment (AnyDesk, Remote Utilities)
  • Screenshot capture (uploaded to Imgur)
  • AV enumeration via WMI
  • Remote PowerShell execution (Invoke-Expression)
  • Persistence via DLL hijacking (ISP.exe and pas.ps1)

Supported operator commands:

Command   Function
Startup   Persistence via shortcut and DLL hijack (Asus ISP.exe > pas.ps1)
Screen    Screenshot uploaded to Imgur
Anydesk   Deploys and hides legitimate AnyDesk or rutserv.exe tools
Shell     Executes remote PowerShell commands
AV        Enumerates installed antivirus software via WMI

Command and Control (C2)

  • Primary: DNS tunneling (heartbeat every 10s, command reception, data exfil)
  • Secondary: Optional HTTP for fallback
  • Multi-threaded operation for responsive command handling

Obfuscation and Evasion

  • Dynamic API resolution
  • ChaCha20 payload encryption
  • In-memory loading
  • Uncommon languages (Rust, Nim)
  • AV product enumeration (via WMI) used to adapt evasion per target

Persistence Techniques

  • .LNK shortcut to ISP.exe in Startup folder
  • DLL hijacking and PowerShell script execution (pas.ps1)

Indicators of Compromise (IoCs)

File-Based:

  • Legitimate: Asus binary ISP.exe, abused as the DLL-hijack host
  • Malicious: pas.ps1 PowerShell script, launched through the hijacked DLL

Network-Based:

  • High-frequency DNS queries
  • Long or high-entropy subdomains
  • Unexpected DNS TXT record queries
  • Imgur.com outbound connections (for screenshots)
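The network indicators listed above (fixed-cadence queries, long high-entropy labels, unexpected TXT lookups) are mechanical enough to hunt for in resolver logs. The following Python is an added example written for this page, not code from the advisory or from PRODAFT: it runs three checks over a constructed sample log. The thresholds (a ~10 s heartbeat, a 12-character/3.0-bit label cutoff, three distinct labels per domain) and the two-label "registered domain" shortcut are the author's assumptions; a production hunt would use the Public Suffix List and tune the cutoffs to the estate's baseline.

```python
"""Hunt for Skitnet-style DNS C2 indicators in resolver logs (added example).

heartbeat_clients()     : (client, domain) pairs queried at a fixed ~10 s cadence
high_entropy_names()    : qnames whose leftmost label is long and high-entropy
tunneling_txt_domains() : domains receiving TXT lookups across many distinct labels
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real telemetry): "timestamp client qtype qname".
# 10.1.2.33 shows a 10-second TXT beacon to c2-example.test; 10.1.2.77 is benign noise.
SAMPLE_LOG = """\
2025-05-20T10:00:00Z 10.1.2.33 A   www.microsoft.com
2025-05-20T10:00:00Z 10.1.2.33 TXT k3v9q2zx7nb4tm8w.c2-example.test
2025-05-20T10:00:10Z 10.1.2.33 TXT p5rj2wly8cd0vhn6.c2-example.test
2025-05-20T10:00:20Z 10.1.2.33 TXT b7gx4mq1zs9ke3ua.c2-example.test
2025-05-20T10:00:21Z 10.1.2.33 A   login.microsoftonline.com
2025-05-20T10:00:30Z 10.1.2.33 TXT y2hd8cn5tq0wfv7l.c2-example.test
2025-05-20T10:00:40Z 10.1.2.33 TXT m9sa3kx6pe1jr4gz.c2-example.test
2025-05-20T10:00:50Z 10.1.2.33 TXT t4lb6nw2qh8dy0cm.c2-example.test
2025-05-20T10:00:05Z 10.1.2.77 A   www.microsoft.com
2025-05-20T10:00:15Z 10.1.2.77 TXT _dmarc.example.com
2025-05-20T10:00:45Z 10.1.2.77 A   api.github.com
2025-05-20T10:00:46Z 10.1.2.33 TXT _dmarc.example.com
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return events


def registered_domain(qname):
    # Assumption: registered domain = last two labels. Real hunts should use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; ~4.0 for base32/hex-like encoded data."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def heartbeat_clients(events, interval=10.0, tolerance=1.0, min_beats=5):
    """(client, domain) pairs with at least min_beats successive queries interval±tolerance apart."""
    times = defaultdict(list)
    for e in events:
        times[(e["client"], registered_domain(e["qname"]))].append(e["ts"])
    hits = set()
    for key, ts in times.items():
        ts.sort()
        beats = sum(1 for a, b in zip(ts, ts[1:])
                    if abs((b - a).total_seconds() - interval) <= tolerance)
        if beats >= min_beats:
            hits.add(key)
    return hits


def high_entropy_names(events, min_len=12, min_entropy=3.0):
    """qnames whose leftmost label looks like encoded data rather than a hostname."""
    hits = set()
    for e in events:
        label = e["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add(e["qname"])
    return hits


def tunneling_txt_domains(events, min_labels=3):
    """Domains whose TXT lookups carry many distinct leftmost labels (one payload per query)."""
    labels = defaultdict(set)
    for e in events:
        if e["qtype"] == "TXT":
            labels[registered_domain(e["qname"])].add(e["qname"].split(".")[0])
    return {d for d, s in labels.items() if len(s) >= min_labels}


def hunt_dns(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return {
        "heartbeat": heartbeat_clients(events),
        "high_entropy": high_entropy_names(events),
        "txt_tunneling": tunneling_txt_domains(events),
    }


if __name__ == "__main__":
    for name, hits in hunt_dns().items():
        print(f"{name}: {sorted(map(str, hits))}")
```

A client that trips all three checks against the same domain is a strong lead; a single check firing on its own (for example high-entropy labels from a CDN or DMARC lookups) is normal background and should be baselined rather than alerted on.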

Behavioral (Host-Based):

  • PowerShell launched by an unexpected parent (e.g., ISP.exe) or invoking Invoke-Expression
  • AnyDesk or rutserv.exe running with its user interface hidden
  • API resolution via GetProcAddress from unbacked (non-image) memory regions
  • ChaCha20 decryption routines or constants in process memory
  • .LNK shortcuts in the Startup folder combined with DLL hijack behavior

C2 servers

  • 109[.]120[.]179[.]170
  • 178[.]236[.]247[.]7
  • 181[.]174[.]164[.]47
  • 181[.]174[.]164[.]41
  • 181[.]174[.]164[.]4
  • 181[.]174[.]164[.]240
  • 181[.]174[.]164[.]2
  • 181[.]174[.]164[.]180
  • 181[.]174[.]164[.]140
  • 181[.]174[.]164[.]107
  • 181[.]174[.]164[.]238

TOX Address

  • D013BF68BE0602F944F68779FB104A300D0C00C11E05008A63FB8F19AFC70F693DE0825D4198

File Hashes (SHA256)

  • a49fcd38da4a23acfe70c702fbe7b323eb5449fee15150cb0414b08c8a2cd8ee
  • d302598fcf6ea86b6b2d35ef74ceb01d78f3b635e30302d176ac153d6bbd0fb6
  • 7cb45b66b035849a0dc18a0bd2747cb175dd20ce27c0a4e5b44d67612c6a02c2
  • 3d13352d90d8f1f762aff869d52be18c999abdcd713a2c1a4dcfbfb0e77fb639
  • 2455feb8790635850f2637e1e980d3aa390eefd10fd7048c28f6a075ef0b50aa
  • ad2b6d73cb4425eb4c08532c17777f5d2d9e7bbc27ae4088851405c7fc869790
  • 3bb58d2b395290a4fa42c7b059736c3dcf8ef778fea05b7f2d66675257b888e6
  • e2456af0c63d290f548bd9fb845ed01572edfa0f04fb907897bc54a8e3a75baf
  • 37e4db74f8fed20689d35f4fc846cc8a73d594354336e4445338f9bd3e537076

Threat Actor and Campaign Context

LARVA-306: Malware vendor operating on the RAMP forum; sells Skitnet under a MaaS model.
BlackBasta: Uses Skitnet post-phishing in ransomware operations.
Cactus: Deploys Skitnet after exploiting VPN vulnerabilities; shares TTPs with BlackBasta.

Detection of Skitnet in an environment should be treated as a precursor to ransomware deployment.


Mitigation and Prevention

Network Defenses

  • Advanced DNS monitoring and anomaly detection (query cadence, label entropy, TXT volume)
  • Block newly registered domains (NRDs) and known C2 domains and IPs
  • Egress filtering: force all DNS through internal resolvers and restrict outbound access to Imgur
  • Network segmentation and IDS signature tuning

Endpoint Protection

  • EDR with behavioral rules for unsigned Rust/Nim executables, PowerShell abuse, and remote tool installs
  • PowerShell script block and module logging; Constrained Language Mode where feasible
  • Application allowlisting (e.g., block unauthorized AnyDesk and Remote Utilities installs)
  • Memory scanning for in-memory payloads and UAC enforcement

Proactive Threat Hunting

  • DNS heartbeat pattern hunting (every 10s)
  • ISP.exe spawning PowerShell
  • Detect AnyDesk/rutserv GUI suppression
  • Use behavioral IoCs and hunt with updated threat intelligence
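The persistence chain (Startup .LNK to ISP.exe, DLL hijack, pas.ps1) and the hunting leads above translate into a small set of process and file-event rules. The following Python is an added example written for this page, not code from the advisory or from PRODAFT. It runs over constructed Sysmon-style records (Event ID 1 process create, Event ID 11 file create) and flags four patterns: a .LNK dropped in a Startup folder, ISP.exe spawning PowerShell, PowerShell command lines referencing pas.ps1 or Invoke-Expression, and a remote-access tool launched by PowerShell. The events and the "remote tool launched from PowerShell" heuristic are the author's assumptions; the field names follow Sysmon.

```python
"""Host-side hunt for Skitnet persistence and tooling behaviours (added example).

Input: Sysmon-like dicts (EventID 1 = process create, EventID 11 = file create).
Output: list of (rule, evidence) tuples suitable for SIEM enrichment or assertions.
"""
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_TOOLS = {"anydesk.exe", "rutserv.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SUSPICIOUS_PS = re.compile(r"pas\.ps1|invoke-expression|\biex\b", re.IGNORECASE)

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ISP_IMAGE = "C:\\Users\\alice\\AppData\\Local\\Temp\\ISP.exe"

# Constructed Sysmon-like events (not real telemetry). Paths and command lines are invented.
EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
                       "\\Start Menu\\Programs\\Startup\\ISP.lnk"},
    {"EventID": 1, "Image": ISP_IMAGE, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "ISP.exe"},
    {"EventID": 1, "Image": PS_IMAGE, "ParentImage": ISP_IMAGE,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File pas.ps1"},
    {"EventID": 1, "Image": PS_IMAGE, "ParentImage": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -c \"Invoke-Expression $payload\""},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\rutserv.exe",
     "ParentImage": PS_IMAGE, "CommandLine": "rutserv.exe"},
    # Benign noise: an administrator running an inventory script from a console.
    {"EventID": 1, "Image": PS_IMAGE, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_hosts(events):
    """Return (rule, evidence) findings for the Skitnet behaviours described above."""
    findings = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev.get("TargetFilename", "")
            # Shortcut written into a per-user or all-users Startup folder.
            if target.lower().endswith(".lnk") and STARTUP_DIR.search(target):
                findings.append(("startup_lnk", target))
            continue
        if ev["EventID"] != 1:
            continue
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev.get("CommandLine", "")
        # Hijacked Asus ISP.exe handing off to PowerShell (pas.ps1 stage).
        if parent == "isp.exe" and image in POWERSHELL:
            findings.append(("isp_spawns_powershell", cmd))
        # PowerShell referencing the known script name or the remote-shell primitive.
        if image in POWERSHELL and SUSPICIOUS_PS.search(cmd):
            findings.append(("suspicious_powershell", cmd))
        # Heuristic (assumption): remote-access tools deployed by a script rather than an installer.
        if image in REMOTE_TOOLS and parent in POWERSHELL:
            findings.append(("remote_tool_from_powershell", ev["Image"]))
    return findings


def triage(findings):
    """Escalate when persistence and the ISP.exe -> PowerShell hand-off co-occur on a host."""
    rules = {rule for rule, _ in findings}
    if {"startup_lnk", "isp_spawns_powershell"} <= rules:
        return "high"
    return "medium" if rules else "none"


if __name__ == "__main__":
    found = hunt_hosts(EVENTS)
    for rule, evidence in found:
        print(f"{rule}: {evidence}")
    print("triage:", triage(found))
```

The benign inventory script is deliberately included: a rule that only matched "PowerShell with -File" would fire on it, whereas keying on the ISP.exe parent, the pas.ps1 name and Invoke-Expression keeps the hunt specific to the chain this advisory describes.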

User Awareness

  • Train users on phishing and social engineering
  • Enforce reporting mechanisms for suspicious emails or apps

Risk Assessment

Skitnet poses a significant threat due to its post-exploitation deployment model and use by major ransomware operations. Its modular architecture, stealthy DNS C2 channel, in-memory execution, and reliance on uncommon programming languages increase the likelihood that it will bypass traditional security controls. Organizations that lack advanced endpoint detection, DNS monitoring, and proactive threat hunting capabilities are especially vulnerable to prolonged compromise.

Its use of legitimate remote access tools and living-off-the-land techniques means Skitnet can persist in environments whose detection relies on heuristics alone, without deep telemetry into command-line and script-level execution. Because the malware enumerates installed security products, operators can adapt their tradecraft per target, further complicating detection and response.

Any confirmed Skitnet presence should trigger a full-scale incident response. There is a high probability that the malware is part of a larger ransomware operation and that data exfiltration or encryption could follow shortly. Delays in detection or containment can lead to data loss, system downtime, and reputational damage. It is imperative to treat Skitnet as a high-priority threat requiring immediate remediation and a thorough post-incident review.


Conclusion

Skitnet represents a new breed of modular post-exploitation malware that excels in stealth and operational flexibility. Organizations must adopt defense-in-depth strategies that include:

  • Behavioral EDR rules
  • DNS analysis
  • Threat hunting
  • Skilled personnel with memory forensics and detection engineering capabilities

Due to its popularity among ransomware groups and advanced evasion techniques, any detection of Skitnet should prompt immediate incident response procedures.


Sources

The Hacker News - Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access
BleepingComputer - Ransomware gangs increasingly use Skitnet post-exploitation malware
PRODAFT GitHub - https://github.com/prodaft/malware-ioc/tree/master/Skitnet