Some ransomware actors use malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts.
“Skitnet has been on sale at underground forums like RAMP since April 2024,” Swiss cybersecurity company Prodaft told The Hacker News. “But since early 2025, we’ve seen multiple ransomware operators using it in real attacks.”
“For example, in April 2025, Black Basta leveraged Skitnet in a Teams-themed phishing campaign aimed at enterprise environments. Its stealth capabilities and flexible architecture make it seem that Skitnet is gaining rapid traction within the ransomware ecosystem.”
Skitnet, also called Bossnet, is multi-stage malware developed by a threat actor tracked by the company under the name Larva-306. A notable aspect of the malicious tool is that it uses programming languages like Rust and Nim to launch a reverse shell over DNS and avoid detection.
It also incorporates persistence mechanisms, remote access tools, and data exfiltration commands, and can even download a .NET loader binary that can be used to deliver additional payloads, making it a versatile threat.
First promoted on April 19, 2024, Skitnet is offered to potential customers as a “compact package” that contains a server component and the malware. The first executable is a Rust binary that decrypts and executes an embedded payload compiled with Nim.
“The main feature of this Nim binary is to establish a reverse shell connection with a C2 (command-and-control) server through DNS resolution,” Prodaft said. “To avoid detection, it uses the GetProcAddress function to dynamically resolve API function addresses rather than using traditional import tables.”
The Nim-based binary also launches multiple threads to send DNS requests every 10 seconds, read the DNS responses, extract commands to run on the host, and return the command execution results to the server. Commands are issued through the C2 panel, which is used to manage infected hosts.
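From the defender's side, the fixed 10-second DNS polling described above shows up as a very regular query stream from one host to one domain. The following is an added example, not code from Prodaft or the original article: it flags such streams in resolver logs. The `epoch client qname` log format, the thresholds, and the `.example` domains are assumptions constructed for illustration.

```python
"""Flag client/domain pairs whose DNS queries arrive at a near-constant interval."""
import statistics
from collections import defaultdict

def base_domain(qname):
    # Naive last-two-labels grouping (assumption; use a public-suffix list in production).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse(lines):
    """Yield (epoch_seconds, client_ip, qname) from 'epoch client qname' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue  # timestamp field is not numeric

def find_beacons(lines, min_queries=10, max_period=60.0, max_jitter=0.15):
    """Return {(client, domain): median_interval} for frequent, regular query streams."""
    seen = defaultdict(list)
    for ts, client, qname in parse(lines):
        seen[(client, base_domain(qname))].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0 or median > max_period:
            continue
        # Jitter: median absolute deviation of the gaps, relative to the median gap.
        mad = statistics.median(abs(g - median) for g in gaps)
        if mad / median <= max_jitter:
            hits[key] = median
    return hits

def sample_log():
    """Constructed log: one host polling every ~10 s, one host browsing irregularly."""
    skews = [0.0, 0.3, -0.2, 0.1, 0.0, -0.4, 0.2, 0.0, 0.5, -0.1, 0.0, 0.2]
    log = [f"{1000 + 10 * i + s} 10.0.0.23 q{i}.c2.example" for i, s in enumerate(skews)]
    offsets = [0, 2, 3, 40, 41, 95, 96, 97, 180, 250, 251, 400]
    log += [f"{1000 + o} 10.0.0.40 www.intranet.example" for o in offsets]
    log.append("not-a-time 10.0.0.9 x.example")  # malformed on purpose
    return log

if __name__ == "__main__":
    for (client, domain), period in find_beacons(sample_log()).items():
        print(f"{client} -> {domain}: ~{period:.1f}s interval")
```

Regular intervals alone also match benign software such as update checkers, so hits are leads for triage rather than verdicts.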
Some of the supported PowerShell commands are listed below:
- Startup: ensures persistence by creating shortcuts in the Startup directory of the victim’s device
- Screen: captures a screenshot of the victim’s desktop
- Anydesk/Rutserv: deploys legitimate remote desktop software such as AnyDesk or Remote Utilities (“rutserv.exe”)
- Shell: runs a PowerShell script hosted on a remote server and sends the result back to the C2 server
- AV: collects a list of installed security products
“Skitnet is multi-stage malware that utilizes multiple programming languages and encryption technologies,” Prodaft said. “The malware tries to circumvent traditional security measures by using Rust for payload decryption and manual mapping, followed by a Nim-based reverse shell that communicates over DNS.”
The disclosure comes as Zscaler ThreatLabz detailed another malware loader, called TransferLoader, that is used to deliver a ransomware strain called Morpheus targeting American law firms.
Active since at least February 2025, TransferLoader incorporates three components: a downloader, a backdoor, and a specialized loader for the backdoor, allowing threat actors to execute arbitrary commands on the compromised system.
The downloader is designed to retrieve and run a payload from the C2 server while opening a PDF decoy file at the same time, whereas the backdoor is responsible for running server-issued commands and updating its own configuration.
“The backdoor utilizes the distributed InterPlanetary File System (IPFS) peer-to-peer platform as a fallback channel for updating command and control (C2) servers,” the cybersecurity company said. “TransferLoader developers use obfuscation methods to make the reverse engineering process even more boring.”