Ransomware gang members have been increasingly using a new malware called Skitnet (aka 'Bossnet') for stealthy post-exploitation activities on breached networks. The malware has been observed in real-world attacks, including by BlackBasta, in Microsoft Teams phishing attacks against enterprises, and by Cactus. Skitnet's infection begins with a Rust-based loader that decrypts a ChaCha20-encrypted Nim binary and loads it into memory. The malware establishes a DNS-based reverse shell for communication with the C2 server, initiating the session with randomized DNS queries. It starts three threads: one for heartbeat DNS requests, one for monitoring and exfiltrating shell output, and one for listening for commands. Skitnet's admin panel allows operators to see the target's IP, location, and status, and to issue commands for execution. The malware supports commands like 'startup', 'screen', 'anydesk', 'rutserv', 'shell', and 'av'.
TPRM report: https://scoringcyber.rankiteo.com/company/multi-solutions-enterprises
"id": "mul324051825",
"linkid": "multi-solutions-enterprises",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprises'}],
'attack_vector': ['Phishing', 'Malware'],
'data_breach': {'data_exfiltration': True},
'description': 'Ransomware gang members have been increasingly using a new '
"malware called Skitnet (aka 'Bossnet') for stealthy "
'post-exploitation activities on breached networks. This '
'malware has been observed in real-world attacks, including '
'BlackBasta in Microsoft Teams phishing attacks against '
"enterprises and Cactus. Skitnet's infection begins with a "
'Rust-based loader that decrypts a ChaCha20 encrypted Nim '
'binary and loads it into memory. The malware establishes a '
'DNS-based reverse shell for communication with the C2 server, '
'initiating the session with randomized DNS queries. The '
'malware starts three threads for heartbeat DNS requests, '
'monitoring and exfiltrating shell output, and listening for '
"commands. Skitnet's admin panel allows operators to see the "
"target's IP, location, status, and issue commands for "
"execution. The malware supports commands like 'startup', "
"'screen', 'anydesk', 'rutserv', 'shell', and 'av'.",
'impact': {'systems_affected': ['Microsoft Teams']},
'initial_access_broker': {'backdoors_established': True,
'entry_point': 'Phishing'},
'motivation': 'Financial Gain',
'ransomware': {'data_exfiltration': True,
'ransomware_strain': 'Skitnet (Bossnet)'},
'threat_actor': ['BlackBasta', 'Cactus'],
'title': 'Skitnet (Bossnet) Ransomware Attack',
'type': 'Ransomware'}