Stealth, Sophistication, and Skitnet: The New Face of Ransomware Operations

May 22, 2025 | Cybersecurity
By Daksh Dhruva, 63SATS Cybertech News Desk

As ransomware tactics evolve, the lines between traditional malware and advanced persistent threats are increasingly blurred.

One of the latest examples fuelling this shift is Skitnet, a stealthy multi-stage malware that, as reported by The Hacker News, is being actively adopted by ransomware gangs to support post-exploitation activities such as data theft and remote access.

Originally spotted on underground forums in early 2024, Skitnet has quickly transitioned from the dark corners of the cybercrime market to real-world enterprise environments — and its capabilities are raising serious concerns.

First observed in active campaigns by early 2025, Skitnet is believed to be the work of a sophisticated threat actor tracked under the alias LARVA-306.

The malware’s architecture reflects an evolution in attacker playbooks — combining obfuscation, modularity, and resilience. Written in Rust and Nim, two languages gaining popularity in cybercrime circles due to their low detection rates, Skitnet is optimized to bypass traditional endpoint protection and network monitoring systems.

By initiating a reverse shell over DNS, the malware communicates covertly with its command-and-control (C2) infrastructure while evading perimeter detection mechanisms.

But what makes Skitnet especially dangerous is its operational versatility.

Once deployed, it initiates multiple background threads that issue DNS queries every few seconds — fetching commands from its C2 panel and executing them in real time. These commands include launching PowerShell scripts, capturing screenshots, deploying remote desktop tools like AnyDesk or Remote Utilities, and identifying installed security products.

Persistence is achieved via a simple yet effective method: placing shortcuts in the victim’s startup folder to ensure the malware reloads after reboot.
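The DNS polling behaviour described above leaves a measurable trace in resolver logs. As an added illustration (not code from the article, The Hacker News, or any vendor), the script below parses a constructed sample log, groups queries by client and registered domain, and flags pairs that poll on a short, regular cadence with rotating subdomains; the log format, hostnames and the placeholder `.invalid` domains are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample resolver log: "<ISO timestamp> <client> <query name>".
# Not real Skitnet traffic; hostnames and .invalid domains are placeholders.
SAMPLE_LOG = """\
2025-05-22T10:00:00 ws-17 a1f3.cmd.beacon-example.invalid
2025-05-22T10:00:00 ws-17 www.corp-intranet.invalid
2025-05-22T10:00:05 ws-17 b7e2.cmd.beacon-example.invalid
2025-05-22T10:00:10 ws-17 c9d1.cmd.beacon-example.invalid
2025-05-22T10:00:15 ws-17 d4a8.cmd.beacon-example.invalid
2025-05-22T10:00:20 ws-17 e0c5.cmd.beacon-example.invalid
2025-05-22T10:00:25 ws-17 f6b9.cmd.beacon-example.invalid
2025-05-22T10:00:03 ws-22 www.corp-intranet.invalid
2025-05-22T10:02:41 ws-22 mail.corp-intranet.invalid
2025-05-22T10:09:17 ws-22 www.corp-intranet.invalid
"""

def registered_domain(qname, labels=2):
    """Collapse a query name to its last `labels` labels so rotating subdomains group together."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])

def parse_log(text):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname

def find_dns_beacons(text, min_queries=5, max_mean_interval=30.0, max_jitter=0.2):
    """Flag (client, domain) pairs that query on a short, regular cadence: the shape
    of a DNS-based C2 channel polling for commands. Benign, irregular lookups pass."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        groups[(client, registered_domain(qname))].append((ts, qname))
    findings = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue  # too few queries to judge cadence
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0  # coefficient of variation
        unique_ratio = len({q for _, q in events}) / len(events)  # rotating labels hint at encoded data
        if avg <= max_mean_interval and jitter <= max_jitter:
            findings.append({"client": client, "domain": domain, "queries": len(events),
                             "mean_interval_s": round(avg, 1), "unique_subdomain_ratio": round(unique_ratio, 2)})
    return findings
```

Tune `min_queries` and `max_mean_interval` to the observed polling interval of your environment's legitimate short-TTL lookups before alerting on the output.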

The Larger Trend

Beyond its technical execution, the rise of Skitnet underscores a larger trend: the industrialization of cybercrime.

Malware-as-a-service (MaaS) ecosystems like RAMP allow lesser-skilled actors to adopt highly sophisticated tools without needing deep technical knowledge. The availability of Skitnet as a “compact package” — complete with server-side control panels — means more threat actors can now deliver precision attacks at scale.

For CISOs and cybersecurity teams, this threat landscape requires a shift in posture. It’s no longer enough to rely on legacy antivirus or static rules.

Defending against multi-stage, DNS-based threats like Skitnet demands a layered security strategy that incorporates threat intelligence, behavioural analytics, and proactive threat hunting. Indicators of compromise (IOCs) are fleeting; real protection comes from understanding the tactics, techniques, and procedures (TTPs) adversaries use.

At 63SATS Cybertech, we continuously monitor emerging malware like Skitnet through our threat intelligence capabilities and integrated cyber defense solutions.

Our mission is to help organizations not just detect — but prevent — advanced threats before they lead to data loss, ransomware deployment, or reputational damage.

As ransomware gangs grow more resourceful, defenders must move faster and think smarter. Skitnet is a wake-up call. It’s time to go beyond reactive defense and embrace intelligence-led security strategies that put your organization one step ahead.