Ransomware gang members have increasingly been using a new malware called Skitnet (aka 'Bossnet') for stealthy post-exploitation activities on breached networks. The malware has been observed in real-world attacks, including by BlackBasta, in Microsoft Teams phishing attacks against enterprises, and by Cactus. Skitnet's infection begins with a Rust-based loader that decrypts a ChaCha20-encrypted Nim binary and loads it into memory. The malware establishes a DNS-based reverse shell for communication with the C2 server, initiating the session with randomized DNS queries. It then starts three threads: one for heartbeat DNS requests, one for monitoring and exfiltrating shell output, and one for listening for commands. Skitnet's admin panel lets operators see the target's IP, location, and status, and issue commands for execution. The malware supports commands such as 'startup', 'screen', 'anydesk', 'rutserv', 'shell', and 'av'.
TPRM report: https://scoringcyber.rankiteo.com/company/multi-solutions-enterprises
"id": "mul324051825",
"linkid": "multi-solutions-enterprises",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"