Skitnet: Malware increasingly used by ransomware gangs

Written by Zoilijee Quero | May 17, 2025 12:11:33 AM

Ransomware groups are not lagging behind. They are perfecting their methods more and more, and lately there is a tool that is gaining popularity among them: Skitnet, also known as “Bossnet”. This malware does not appear at the beginning of the attack, but is activated after the network has already been compromised, functioning as a kind of master key that allows them to move inside the system, stay hidden and prepare even more damaging attacks. It is a silent, effective tool designed to operate without arousing suspicion.

Since it began being sold on underground forums in April 2024, Skitnet has been rapidly gaining ground, especially since early 2025. Cybersecurity researchers have detected its use in actual attacks by groups such as BlackBasta and Cactus, including in phishing campaigns targeting businesses through Microsoft Teams.

If you work with sensitive information or are in charge of a corporate network, understanding what Skitnet does and why it is becoming a favorite tool of cybercriminals is not something you can put off until later; it is an urgent priority.

Malware promoted in forums (Source: Prodaft)

A discreet backdoor... but a very dangerous one.

Skitnet does not get in all at once. It all starts with a small program written in Rust that runs on the victim's computer. This program acts as a “loader”: it decrypts a more advanced payload written in Nim, using the ChaCha20 cipher, and loads it directly into system memory, leaving no trace on the hard drive.

Once up and running, this second stage of the malware opens a reverse connection to the attacker using something rather unusual: DNS queries. Instead of connecting directly to a server, as much malware does, Skitnet communicates through seemingly normal DNS requests, which lets it go unnoticed by many security systems.

In the background, the malware runs three worker threads: one sends periodic signals (like a system heartbeat) to say “I'm still here”, another keeps watch over what is going on inside the system and filters the output of commands, and the third receives instructions from the attacker through those same DNS responses, decrypts them and executes them.

All of this communication, whether over DNS or HTTP, is managed from a remote command-and-control (C2) panel that lets the attacker see the IP, location and status of the infected device and send it any command they want to run. In short: it is a very well-made backdoor, designed to spy, control and execute commands undetected.
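The heartbeat-over-DNS behaviour described above is something a defender can hunt for in resolver logs. The following Python is an added example (not code from the article or from Prodaft): it parses a constructed DNS query log, groups queries per client and zone, and flags zones queried on a regular cadence with random-looking subdomain labels. The log lines, domain names and thresholds are all invented for the example.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log (timestamp, client IP, queried name). The hex-like
# labels and the 60-second cadence imitate a heartbeat; not real indicators.
SAMPLE_DNS_LOG = """\
2025-05-16T10:00:00 10.0.0.5 a9f3c1d72e4b8f01.example-c2.test
2025-05-16T10:00:05 10.0.0.5 www.microsoft.com
2025-05-16T10:01:00 10.0.0.5 7c0e55ab1934d6ff.example-c2.test
2025-05-16T10:01:30 10.0.0.7 teams.microsoft.com
2025-05-16T10:02:00 10.0.0.5 e21b9d40c7a3f588.example-c2.test
2025-05-16T10:03:00 10.0.0.5 5d8a3f1c0b72e9a4.example-c2.test
2025-05-16T10:03:10 10.0.0.7 login.microsoftonline.com
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_dns_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()

def find_dns_beacons(text, min_queries=4, max_jitter_s=5.0, min_entropy=3.0):
    """Flag (client, zone) pairs queried on a regular cadence with random-looking labels."""
    groups = defaultdict(list)
    for ts, client, name in parse_dns_log(text):
        labels = name.split(".")
        if len(labels) < 3:  # need a subdomain label to score
            continue
        groups[(client, ".".join(labels[-2:]))].append((ts, labels[0]))
    hits = []
    for (client, zone), queries in groups.items():
        if len(queries) < min_queries:
            continue
        queries.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(queries, queries[1:])]
        period = sum(gaps) / len(gaps)
        jitter = max(abs(g - period) for g in gaps)
        entropy = sum(shannon_entropy(lbl) for _, lbl in queries) / len(queries)
        if jitter <= max_jitter_s and entropy >= min_entropy:
            hits.append({"client": client, "zone": zone, "period_s": period,
                         "avg_label_entropy": round(entropy, 2)})
    return hits
```

On real logs, raise `min_queries` and loosen `max_jitter_s` to the cadence you actually observe, since beacons usually add jitter and legitimate software (update checks, telemetry) also polls on a schedule.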

Skitnet administration panel

What can Skitnet do once inside?

Once Skitnet manages to break into a system, it has at its disposal a set of commands that allow the attacker to take full control of the machine and do pretty much whatever he wants, all silently. Here we explain what it can do:

  1. Start: This command establishes persistence, that is, it makes sure that Skitnet keeps running even if you restart the computer. To achieve this, it downloads three files (including a malicious DLL) and creates a harmless-looking shortcut that uses a legitimate Asus executable (ISP.exe) located in the startup folder. Behind that is a trick: it triggers a “DLL hijacking” that runs a PowerShell script to maintain the connection to the attacker's server.

  2. Screenshot: It captures an image of the victim's desktop using PowerShell, uploads it to Imgur (yes, the public image site) and then sends the attacker the direct link to that image. This way he can see exactly what you are doing without you even realizing it.

  3. Anydesk: It installs AnyDesk, a legitimate remote control application, silently: no windows or icons are shown, so the user doesn't notice anything unusual.

  4. Rutserv: It does the same, but with RUT-Serv, another legitimate remote access app. Basically, the attacker installs his own “trusted remote access” without the need to exploit vulnerabilities.

  5. Shell: This command launches a PowerShell console in looping mode. It first displays the message “Shell started...” and then starts checking every 5 seconds for new commands from the server. If there are, it automatically executes them and sends back the results.

  6. Av: Checks what security or antivirus software is installed, using a query via WMI. Thus, the attacker knows what defenses are on the machine and can decide how to bypass or disable them.

And that's not all. In addition to these commands, Skitnet can also take advantage of a loader made in .NET that allows it to run PowerShell scripts directly in system memory. This makes its actions even harder to detect and gives the attacker a lot of flexibility to customize each attack according to the target.
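Several of the commands above leave a recognisable process trail: the Start command ends with a PowerShell script launched from a process living in the Startup folder, the Screenshot command has PowerShell talking to Imgur, and the Av command enumerates antivirus products through WMI. The Python below is an added example (not code from the article or from Prodaft) that runs three such rules over constructed Sysmon-style process-creation events; the user name, paths and command lines are invented, and the WMI class names are the standard Windows ones, which the article does not name.

```python
import re

# Constructed process-creation events in Sysmon-like form (made up for this
# example). The Startup-folder parent and "ISP.exe" follow the article's
# description of the "Start" command; the user, paths and URL are invented.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISP.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\update.ps1"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Invoke-RestMethod https://api.imgur.com/3/image -Method Post"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -Command Get-ChildItem C:\Projects"},
]

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
AV_WMI_RE = re.compile(r"securitycenter2|antivirusproduct", re.IGNORECASE)

def triage_event(event: dict) -> list:
    """Return the names of the rules an event trips (empty list if clean)."""
    hits = []
    if not POWERSHELL_RE.search(event["image"]):
        return hits
    # Start command: Startup-folder shortcut -> ISP.exe -> hijacked DLL -> PowerShell
    if STARTUP_DIR_RE.search(event["parent"]):
        hits.append("powershell_spawned_from_startup_folder")
    # Screenshot command: PowerShell pushing an image to Imgur
    if "imgur.com" in event["cmdline"].lower():
        hits.append("powershell_contacts_imgur")
    # Av command: WMI enumeration of installed antivirus products
    if AV_WMI_RE.search(event["cmdline"]):
        hits.append("powershell_enumerates_av_via_wmi")
    return hits

def triage_events(events: list) -> list:
    """Flatten (parent, cmdline, rule) triples for every event that trips a rule."""
    return [(e["parent"], e["cmdline"], rule) for e in events for rule in triage_event(e)]
```

The first rule is the strongest signal on its own; the other two fire on legitimate admin activity too and are best treated as enrichment for a host that already tripped the persistence rule or the DNS heartbeat check.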

Skitnet .NET Loader (Source: Prodaft)

While many ransomware groups prefer to use custom-made tools for their attacks (harder to detect and tailored to what they need), developing such software costs money, time and people with technical skills. And the truth is that not all groups, especially smaller or newer ones, have those resources.

That's where something like Skitnet comes in: ready-made malware that is cheaper, easier to use and quicker to set up. Also, because it is used by several different groups, it makes it harder to know who is behind an attack, which complicates attribution.

In this world of ransomware there is room for everything: from super-customized tools to combos that mix homebrew solutions with options like Skitnet. But what is clear is that the features offered by this tool are making it very attractive to many hackers, even the most organized ones.