Skitnet Malware Powers a New Wave of Ransomware Attacks

Cybercriminals continue to evolve, and Skitnet malware is the latest weapon reshaping ransomware tactics. This advanced post-exploitation tool is being deployed by major threat actors including Cactus and BlackBasta. Skitnet, also referred to as “Bossnet,” offers stealth, persistence, and in-memory execution that bypasses many traditional defenses.

As phishing campaigns become more creative—often using platforms like Microsoft Teams—Skitnet is increasingly used to establish deep, undetectable system access.


Inside Skitnet: Advanced In-Memory Malware

Skitnet emerged in early 2025 as a hybrid malware framework with an unusual structure. It uses a Rust-based loader to inject a Nim-compiled payload directly into system memory. This choice of languages helps it evade traditional antivirus detection, which often has weak coverage of binaries built from less common languages and toolchains.

Its architecture avoids file-based persistence, relying instead on memory-only operations. The malware uses DNS tunneling for covert command-and-control communication. Because outbound DNS is permitted on almost every network, this traffic can pass through standard firewalls and monitoring tools that do not inspect the content of DNS queries.


Key Capabilities of Skitnet Malware

DNS Tunneling for Communication

Skitnet creates a covert shell via randomized DNS requests. It communicates with remote servers through standard DNS queries, which blend into ordinary resolver traffic and so attract little attention.

Threaded Execution

The malware operates on multiple threads to decrypt commands, maintain access, and send heartbeat signals. This increases efficiency and reliability.

Anti-Forensics Behavior

It scrubs logs, deletes command histories, and clears caches. These actions make incident response much harder.

Diskless Operation

Skitnet doesn’t write files to disk. This eliminates common detection opportunities and complicates forensic analysis.


Used by Ransomware Groups Like Cactus and BlackBasta

Both Cactus and BlackBasta ransomware gangs have adopted Skitnet to strengthen their attacks. Once inside a system—often via phishing—the malware is deployed to maintain long-term access.

This access enables data exfiltration, network mapping, and ransomware staging without triggering alerts. The stealth and adaptability of Skitnet make it ideal for targeted enterprise attacks.


Growing Threat: Why Skitnet Stands Out

Skitnet represents a new category of post-exploitation malware that prioritizes stealth and agility. The choice of Rust and Nim is deliberate: signature-based detection systems have less coverage of code built with these less common toolchains. Combined with DNS-based control and in-memory execution, Skitnet is extremely difficult to analyze.

Its modular design allows attackers to customize functionality on the fly. This makes it ideal for prolonged campaigns, especially those targeting critical infrastructure and enterprise networks.


How to Defend Against Skitnet Malware

Monitor DNS Traffic

Deploy tools that analyze DNS behavior and flag suspicious domain queries. Skitnet's queries often use randomized names that stand out from the hostnames normal applications resolve.
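The following is an added example, not part of the original article or of any vendor's product: a small heuristic that scores DNS query logs for the shape of tunneling described above (many distinct, long, high-entropy subdomains under one zone). The log format and the domain names are constructed for illustration; the entropy, length and count thresholds are assumptions to tune against your own resolver traffic.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not from the article): "client qname qtype".
# The cdn-updates.example zone stands in for a tunnelling C2 domain; the others are benign.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 4f2a9c1e7b3d8e6a0c5f1b2d9e8a7c6b.cdn-updates.example TXT
10.0.0.7 b7e1d3c9a5f2e8d4c6b0a9f1e3d5c7b2.cdn-updates.example TXT
10.0.0.7 e9c4a1f6d2b8e3c7a0f5d9b1c6e2a8d4.cdn-updates.example TXT
10.0.0.7 1a6e3c9f5d2b8a4e7c0f9d3b6a1e5c8f.cdn-updates.example A
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: close to 4.0 for hex-encoded data, 0 for 'www'."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text: str):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower().rstrip("."), parts[2]

def find_tunnel_zones(records, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Group queries by zone (last two labels, an assumption that ignores public
    suffixes such as co.uk) and flag zones that receive several distinct long,
    high-entropy leftmost labels: the shape of data encoded into subdomains
    rather than of ordinary hostnames."""
    encoded = defaultdict(set)
    for _client, qname, _qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue  # nothing below the zone apex to carry encoded data
        zone, first = ".".join(labels[-2:]), labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            encoded[zone].add(first)
    return sorted(z for z, labels in encoded.items() if len(labels) >= min_unique)

if __name__ == "__main__":
    for zone in find_tunnel_zones(parse_dns_log(SAMPLE_DNS_LOG)):
        print("possible DNS tunnel:", zone)
```

Real deployments should also count queries per zone per client and the share of TXT or NULL records, since a tunnel with short labels would slip past a label-only test.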

Upgrade Endpoint Detection

Use modern EDR platforms that detect abnormal behavior in memory, rather than relying on signatures alone.

Conduct Frequent Audits

Regularly check logs and system integrity. Missing logs or strange gaps may indicate tampering.

Train Employees

Teach staff to recognize phishing threats across platforms, including internal tools like Microsoft Teams.


Conclusion: Eye World’s Take on Skitnet

Skitnet signals a turning point in how malware operates. Its stealthy architecture and advanced features mark a new phase in ransomware evolution. Eye World urges organizations to adopt next-generation cybersecurity tools and build stronger awareness across all levels.

To stay secure, organizations must modernize defenses and remain alert to evolving post-exploitation threats like Skitnet.
