Ransomware Gangs Deploy Skitnet for Silent Spying

Several ransomware groups have begun integrating a malware strain known as Skitnet into their post-exploitation toolkits, aiming to exfiltrate sensitive data and gain remote access to infected systems, according to Swiss cybersecurity firm PRODAFT. The malware has been available for purchase on underground forums such as RAMP since April 2024, but its use has grown more prominent among ransomware operators in early 2025.

Skitnet enables attackers to maintain persistent access to compromised networks, providing stealthy control that aids in data theft and broader exploitation efforts. Its rise in usage signals a shift in tactics by threat actors, who are increasingly leveraging off-the-shelf tools to streamline operations and reduce development time.

The trend underscores the evolving ransomware landscape, where readily available malware is repurposed to support complex attacks. PRODAFT’s findings suggest that Skitnet’s adoption may continue to grow as cybercriminals seek efficient methods for post-breach reconnaissance and control.