Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts.
“Skitnet has been sold on underground forums like RAMP since April 2024,” Swiss cybersecurity company PRODAFT told The Hacker News. “However, since early 2025, we have observed multiple ransomware operators using it in real attacks.”
“For example, in April 2025, Black Basta leveraged Skitnet in Teams-themed phishing campaigns targeting enterprises. With its stealthy and flexible architecture, Skitnet is quickly gaining traction in the ransomware ecosystem.”
Skitnet, also called Bossnet, is a multi-stage malware developed by a threat actor the company tracks as LARVA-306. A notable aspect of the malicious tool is that it uses programming languages such as Rust and Nim to launch a reverse shell over DNS and evade detection.
It also includes persistence mechanisms, remote access tools, data exfiltration commands, and even a loader for retrieving additional payloads, making it a versatile threat.
First advertised on April 19, 2024, Skitnet is offered to prospective customers as a “compact package” comprising a server component and the malware itself. The initial executable is a Rust binary that decrypts and runs an embedded payload compiled in Nim.
“The main function of this Nim binary is to establish a reverse shell with the command-and-control (C2) server via DNS resolution,” PRODAFT noted. “To evade detection, it uses the GetProcAddress function to dynamically resolve API function addresses instead of relying on traditional import tables.”
The Nim-based binary then starts several threads to send DNS requests every 10 seconds, read the DNS responses and extract the commands to be executed on the host, and transmit the execution results back to the server. Commands are issued from the C2 panel used to control infected hosts.
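The fixed 10-second DNS polling described above is the kind of regularity a defender can look for in resolver logs. The following is an added detection sketch, not code from the article or from PRODAFT: it reads a constructed DNS query log (timestamp, client, queried name), groups queries per client and registrable domain, and flags any series whose inter-query gaps cluster tightly around the configured period.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample resolver log (not from the article): epoch seconds, client IP, queried name.
# 10.0.0.5 polls one domain every 10 s with random-looking labels; 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
1715000000 10.0.0.5 a1f3e9.c2-example.invalid
1715000010 10.0.0.5 b7c2d0.c2-example.invalid
1715000020 10.0.0.5 9e4a11.c2-example.invalid
1715000030 10.0.0.5 03bd77.c2-example.invalid
1715000040 10.0.0.5 ff10a2.c2-example.invalid
1715000001 10.0.0.7 www.example.com
1715000004 10.0.0.7 cdn.example.com
1715000120 10.0.0.7 mail.example.com
1715000300 10.0.0.7 www.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def registrable_domain(name):
    # Naive: keep the last two labels. Sufficient for the constructed sample;
    # a real deployment would use a public-suffix list.
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_dns_beacons(log_text, period=10.0, tolerance=1.0, min_queries=4):
    """Return {(client, domain): mean_gap} for series whose query gaps are
    all close to `period` seconds (low spread) and have enough samples."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, qname = m.groups()
        series[(client, registrable_domain(qname))].append(int(ts))
    hits = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            hits[key] = mean(gaps)
    return hits

if __name__ == "__main__":
    for (client, domain), gap in find_dns_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: ~{gap:.1f}s beacon")
```

Tune `period` and `tolerance` to the implant being hunted; legitimate software with fixed-interval DNS lookups will also match, so treat a hit as a lead to triage, not a verdict.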
Some of the supported PowerShell commands are listed below –
- Startup, which establishes persistence by creating shortcuts in the victim's Startup directory
- Screen, which captures a screenshot of the victim's desktop
- Anydesk/Rutserv, which deploys legitimate remote desktop software such as AnyDesk or Remote Utilities (“rutserv.exe”)
- Shell, which runs PowerShell scripts hosted on a remote server and sends the results back to the C2 server
- AV, which collects a list of installed security products
“Skitnet is a multi-stage malware that uses multiple programming languages and encryption techniques,” PRODAFT said. “By using Rust for payload decryption and manual mapping, followed by a Nim-based reverse shell communicating over DNS, the malware attempts to evade traditional security measures.”
The disclosure comes as Zscaler ThreatLabz detailed another loader, dubbed TransferLoader, that is used to deliver a ransomware strain called Morpheus targeting an American law firm.
Active since at least February 2025, TransferLoader comprises three components, a downloader, a backdoor, and a specialized loader for the backdoor, allowing the threat actors to execute arbitrary commands on the compromised system.
While the downloader is designed to fetch and execute a payload from the C2 server while simultaneously opening a decoy PDF file, the backdoor is responsible for executing commands issued by the server and updating its own configuration.
“The backdoor uses the decentralized InterPlanetary File System (IPFS) peer-to-peer platform as a fallback channel for updating the command-and-control (C2) server,” the cybersecurity company noted. “TransferLoader's developers use obfuscation methods to make the reverse engineering process more tedious.”