The Future Crime Research Foundation (FCRF) has issued a critical warning in its latest “Top 10 Cybercrime Brief,” underscoring the alarming rise in ransomware gangs’ adoption of Skitnet malware, also known as Bossnet. This sophisticated multi-stage malware is rapidly becoming a go-to tool for cybercriminals, significantly enhancing their ability to conduct stealthy data theft and maintain persistent remote access to compromised systems.
First appearing on underground forums in April 2024, Skitnet has witnessed a surge in real-world attacks since early 2025. Cybersecurity researchers, including those from PRODAFT, have observed prominent groups like Black Basta and Cactus integrating Skitnet into their operations. A notable instance in April 2025 saw the Black Basta gang deploy Skitnet through Microsoft Teams-themed phishing campaigns, targeting unsuspecting enterprise environments.
What makes Skitnet so dangerous is its advanced design and modular capabilities. Developed by a threat actor identified as LARVA-306, Skitnet leverages modern programming languages like Rust and Nim, which contribute to its low detection rates. The infection chain typically begins with a Rust-based loader that decrypts and executes an embedded Nim payload. This Nim component then establishes a covert reverse shell over DNS, enabling command-and-control (C2) communication that bypasses traditional security alerts.
Skitnet’s functionalities extend beyond initial access and data exfiltration. It can establish persistence by adding shortcuts to a system’s Startup folder, take screenshots of victims’ desktops, and silently install legitimate remote desktop tools like AnyDesk or Remote Utilities for manual access. Furthermore, it possesses the ability to enumerate installed antivirus products and execute custom PowerShell scripts, giving attackers significant control over the compromised network.
The FCRF’s brief highlights that the increasing popularity of “off-the-shelf” malware like Skitnet signifies a shift in the cybercrime landscape. These ready-made, cost-effective tools allow even less skilled actors to launch sophisticated attacks, making the threat more widespread and difficult to contain. The availability of Skitnet as a “compact package,” complete with server-side control panels, further lowers the barrier to entry for aspiring cybercriminals.
Organizations are urged to bolster their defenses by implementing robust cybersecurity measures, including enhanced DNS traffic monitoring, advanced Endpoint Detection and Response (EDR) solutions to identify Rust and Nim-based payloads, and stringent restrictions on PowerShell execution. The FCRF emphasizes that understanding the tactics, techniques, and procedures (TTPs) of adversaries, rather than solely focusing on Indicators of Compromise (IoCs), is crucial for effective defense against evolving threats like Skitnet.
