Stratos Ally

Ransomware Actors Adopt New Skitnet Malware for Post-Exploitation 


StratosAlly


A new malware family is gaining traction among ransomware actors for post-exploitation activity. Threat actors are using the malware, called Skitnet, to exfiltrate sensitive data and maintain remote access to compromised machines. 

Although it was first advertised on underground forums in April 2024, the malware, also dubbed Bossnet, only came into the limelight in early 2025, when ransomware operators such as Black Basta began using it in their phishing campaigns, particularly those disguised as Microsoft Teams messages. 

Developed by the threat actor LARVA-306 in multiple programming languages, including Rust and Nim, Skitnet is a sophisticated multi-stage malware with several notable features, among them a reverse shell over DNS that lets attackers evade detection while keeping remote access. 

The malware decrypts and runs a Nim-based payload that establishes a channel to a command-and-control (C2) server through DNS queries. It evades conventional detection by resolving the API functions it needs dynamically at runtime rather than importing them statically. 

The malware continuously issues DNS requests to retrieve and execute attacker commands, then transmits the results back over the same channel. Other notable features of Skitnet include persistence mechanisms, data exfiltration, remote access tooling, and the deployment of additional malware through a .NET loader. It also supports PowerShell commands for tasks such as taking screenshots, gathering antivirus information, executing remote scripts, and installing remote desktop tools like AnyDesk or Remote Utilities. 
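The command-polling pattern described above leaves a characteristic trace in resolver logs: a steady stream of queries to one domain, nearly every one carrying a never-seen-before, high-entropy subdomain. The following detection sketch is an added example written for this article, not code from Skitnet or from the researchers cited; the log format, the `.test` domain names and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical format: timestamp client qtype qname); .test names are placeholders.
SAMPLE_LOG = """\
2025-05-20T10:00:01 10.0.0.5 A www.example.com
2025-05-20T10:00:02 10.0.0.5 TXT 6a7b2c9d0e1f4a5b.poll.example-c2.test
2025-05-20T10:00:03 10.0.0.5 TXT 3f9e8d7c6b5a4e2d.poll.example-c2.test
2025-05-20T10:00:04 10.0.0.5 A time.example.org
2025-05-20T10:00:05 10.0.0.5 TXT 9c1b2a3d4e5f6078.poll.example-c2.test
2025-05-20T10:00:06 10.0.0.5 A time.example.org
2025-05-20T10:00:07 10.0.0.5 TXT 0d2e4f6a8c1b3d5e.poll.example-c2.test
2025-05-20T10:00:08 10.0.0.5 A time.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(label):
    """Bits per character of a DNS label; hex- or base32-encoded data scores near 4 or higher."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def registered_domain(qname):
    # Last two labels only; a real deployment would consult a public-suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_beacon_candidates(log_text, min_queries=3, min_unique_ratio=0.9, min_entropy=3.0):
    """Return domains whose queries look like a command-polling channel: enough queries,
    almost every one a distinct subdomain, with high-entropy leading labels."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        qname = m.group(4)
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname)
        s["entropy_sum"] += shannon_entropy(qname.split(".")[0])
    candidates = {}
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["names"]) / s["queries"]  # repeated lookups of one name stay low
        avg_entropy = s["entropy_sum"] / s["queries"]
        if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            candidates[domain] = {"queries": s["queries"], "unique_ratio": unique_ratio, "avg_label_entropy": avg_entropy}
    return candidates
```

In the sample, the repeated `time.example.org` lookups are filtered by the unique-name ratio even though they meet the query threshold, while the four distinct hex-labelled queries under `example-c2.test` are flagged.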

Meanwhile, Zscaler ThreatLabz reported a new malware loader, TransferLoader, used to deploy the Morpheus ransomware, which recently targeted an American law firm. Suspected to have been active since at least February 2025, TransferLoader comprises a downloader, a backdoor, and a specialized loader. It uses IPFS (the InterPlanetary File System) as a fallback C2 channel and employs obfuscation techniques that make reverse engineering more difficult. 

The emerging use of Skitnet and TransferLoader shows how malicious actors are attempting to bypass security controls by adopting stealthy, modular tools that rely on non-traditional communication channels and multi-language architectures. 
