Cybersecurity Shenanigans #012: Conferences (and malware) abound!

This month's cybersecurity scoop.

👋 Hey friend,

This month in Cyberland has kiiind of been all over the place. Ransomware groups are getting sneaky with a post-ex tool called Skitnet, RVTools got hijacked to drop Bumblebee malware (yikes 😅), and LockBit just got hacked themselves. 👀

And in my world, I just wrapped up two awesome conferences in the Sunshine State—HackSpaceCon and BSides Tampa—details and photos below!

Also, hope you’re ready for some hacker jokes that actually made me snort-laugh. 😂

Thanks for being here!

— JH

News & Commentary

Ransomware groups turn to Skitnet for stealthy post-exploitation 🎯

Ransomware gangs like Black Basta are now wielding a stealthy post-exploitation tool called Skitnet (aka Bossnet), developed by threat actor LARVA-306. First seen on underground forums in 2024, it’s now being used in the wild—often through phishing lures mimicking Microsoft Teams. (Because of course it’s Microsoft Teams. 😅)

What makes Skitnet particularly nasty is its hybrid use of Rust and Nim to evade detection, and its DNS-based C2 communication, which slips past many traditional defenses.

Skitnet doesn’t do initial access—it’s built for persistence and control after the breach. It plants itself in the startup folder, installs legit tools like AnyDesk for remote control, and lets attackers run PowerShell payloads or scrape system info and screenshots. It’s modular, sneaky, and tailor-made for long-haul exploitation.

Sounds like it’s time for all of us to look closer at our DNS logs, tighten EDR detection for post-exploitation behavior, and double down on phishing awareness training. These newer, more obscure tools like Skitnet show how threat actors keep evolving—so our detection strategy needs to evolve, too.
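One way to start on the DNS log review suggested above, as an added example that is not from the newsletter or from any Skitnet analysis: it flags client and parent-domain pairs that query many long, high-entropy subdomains, a common trait of data carried over DNS. The log format, thresholds, and every domain and IP address are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: six high-entropy labels under one parent domain,
# a CDN-like host pattern, and ordinary lookups. All names are made up.
BEACON_LABELS = ["a3f19c0b7e2d5486", "4d8e6b2a0c97f135", "7b05e94c1fa382d6",
                 "e1c68f3a59d2047b", "09fb3d71a6e85c24", "c58a2e60d7194bf3"]
SAMPLE_LOG = "\n".join(
    [f"2025-05-20T10:00:{i:02d}Z 10.0.0.5 {lab}.beacon-test.example TXT"
     for i, lab in enumerate(BEACON_LABELS)]
    + [f"2025-05-20T10:01:{i:02d}Z 10.0.0.5 img{i}.cdn-test.example A"
       for i in range(6)]
    + [f"2025-05-20T10:02:00Z 10.0.0.7 {h}.example.com A"
       for h in ("www", "mail", "api")]
)


def entropy(label):
    """Shannon entropy of a label in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label))
                for n in counts.values())


def suspicious_domains(log_text, min_unique=5, min_avg_len=12, min_entropy=3.5):
    """Flag (client, parent domain) pairs whose subdomains look like encoded data."""
    subs_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing
        _, client, qname, _ = fields
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        # Assumption: last two labels form the parent; real code needs the
        # Public Suffix List to handle names such as example.co.uk.
        subs_by_pair[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    findings = []
    for (client, parent), subs in subs_by_pair.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings.append((client, parent, len(subs)))
    return sorted(findings)


if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

The CDN-style names in the sample have many unique subdomains but short, low-entropy labels, so they stay below the thresholds; tune all three values against your own resolver logs before alerting on them.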

RVTools compromised to deliver Bumblebee malware 🐝

In a classic supply chain twist, the official site for RVTools—a well-known VMware utility—got compromised and started dishing out trojanized installers. Instead of just giving you a handy VM inventory tool, the infected package sideloads a rogue version.dll to drop Bumblebee, a backdoor loader that ransomware crews have been known to love.

The malware activates when the legit RVTools binary loads the tampered DLL—standard DLL sideloading technique, and still super effective when bundled with a trusted app. Props to security researcher Aidan Leon for spotting this in the wild.

Both robware.net and rvtools.com are now offline while the devs regroup. If you grabbed RVTools recently, you’ll want to double-check those hashes and inspect for shady DLL behavior.

This is another reminder: Even tools we trust can get turned against us. Supply chain attacks don’t care how helpful your app is—they care that people install it.
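A triage sketch for the hash and DLL check mentioned above, as an added example that is not from the newsletter or from the RVTools developers: it walks an install directory, reports any watched system DLL name sitting next to an executable, and compares files against published SHA-256 values. The file name `app.exe`, the sample bytes, and the "published" hash are constructed placeholders; use the vendor's real hashes in practice.

```python
import hashlib
import os
import tempfile

# version.dll is the DLL named on this page; it normally loads from System32.
# Extend the set with other system DLL names you want to watch for.
WATCHED_SYSTEM_DLLS = {"version.dll"}


def sha256_file(path):
    """Stream a file through SHA-256 so large installers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_install_dir(root, known_good):
    """Return sorted (finding, relative path) pairs for one install tree.

    known_good maps lower-case file names to vendor-published SHA-256 values.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        has_exe = any(name.lower().endswith(".exe") for name in files)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if has_exe and name.lower() in WATCHED_SYSTEM_DLLS:
                findings.append(("system-dll-beside-exe", rel))
            expected = known_good.get(name.lower())
            if expected and sha256_file(path) != expected.lower():
                findings.append(("hash-mismatch", rel))
    return sorted(findings)


def demo():
    """Build a constructed install tree (hypothetical file names) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.exe", b"constructed exe bytes"),
                           ("version.dll", b"constructed dll bytes")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # Placeholder "published" hash: deliberately that of different bytes.
        published = hashlib.sha256(b"vendor build").hexdigest()
        return audit_install_dir(root, {"app.exe": published})
```

A hit is a lead to investigate, not a verdict: check the flagged DLL's signature and origin before drawing conclusions.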

LockBit gets a taste of its own medicine 🪞

In a twist that feels straight out of a cyber-thriller, the infamous LockBit ransomware group just got hacked themselves a few weeks ago. One of their dark web leak sites was defaced with the message: "Don't do crime CRIME IS BAD xoxo from Prague," and linked to a dump of internal chats that show how the group pressures even small businesses for ransoms.

Security folks have confirmed the leaked data looks legit—and that data includes some pretty convincing evidence of LockBit’s tactics. This comes after previous hits to their operations, including that big international takedown last year, but this one hits just a smidge closer to the ego. 😅

The lesson here? No one’s untouchable. And while it's rare we see the bad actors get their just deserts, it’s a good reminder that offensive pressure—whether legal or vigilante 😅—can shake even the most “resilient” crimeware syndicates.

Sponsor

Here’s why you should ditch custom scripts for a low-code platform

More security teams are moving away from custom scripts like Python, PowerShell, and Bash in favor of low-code platforms. Why? Tines’ new guide breaks it down.

Inside, you'll find:

  • Potential pitfalls of building automation with custom code

  • A side-by-side comparison of a low-code platform like Tines vs Python across HTTP requests, webhooks, data manipulation, and more

  • A case study of automating a Slack news feed for threat intel, built in both custom code and low-code

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-012.

(And as always, thanks for nothing, Clippy. 💙)

Latest Content

YouTube Videos

// Golang obfuscated malware goes crazyyy. I love a good time with obfuscated malware.

// Q&A with Pete Allor, CVE Board member and co-chair of the CVE Vulnerability Conference and Events Working Group

// Gremlin Stealer Malware 🧌

Just Hacking Training 🤓
May Announcements

Full OSINT Path Available Now!

The third course completing Mishaal Khan’s OSINT saga is here! 🥳

Master advanced tools and investigator job skills with 4.5+ hours of video instruction and your own hands-on lab in Next Level OSINT for only $160 with launch discount! The launch discount expires May 31 at midnight ET.

All JHT Bundles:

  • The “Mishaal” Bundle: All of Mishaal Khan’s Training (4 courses and 2 Hack-Alongs) for only $345 (25% off)—heavily discounted from his in-person course price

  • Mastering Active Directory Security (MADS) 1–3: 20% off

  • Windows Malware Dev (WMD) 1–3: 20% off

  • 4 CTF Bundle: 50% off

Quantum Programming Livestream

Ellie Daw joins me for live demos of her Free Upskill Challenges on Quantum Computing and Quantum Programming

Friday, May 23 at 10 a.m. PT / 1 p.m. ET (Details)

Additional Releases This Month:

Coming Soon!

  • Phishing: A Technical Course for Hackers by Cori Macy

  • ConDef Lite by Anton Ovrutsky

  • Monthly CTFs!

  • Lots of Hack-Alongs and Free Upskill Challenges

With new content released twice a month throughout 2025, bi-monthly livestreams with our experts and even some “Name Your Price” options, JHT provides "Focused Technical Training for All Levels" to advance your career regardless of experience level or budget.

Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.

Social

HackSpaceCon and BSides Tampa Recap 🌓

HackSpaceCon 2025 was so super cool. 🤩 I partnered with a few friends (Don and Lily) from Just Hacking Training and IoT Village to run a hands-on lab…and to take the neatest photo ever.

I was also honored to be interviewed by InfoSec Pat, an IT/infosec educator. It was a ton of fun. (And thanks for chatting with me, Pat!)

And then, I was off to BSides Tampa, where I gave a keynote…

…and got this ridiculously cool trophy thing for doing so.

A few other favorite photos…

Thanks for having me!

Got feedback?

We’re 10 11 12 issues into this newsletter, and I’d love to check in with you: Is this thing helpful? Mildly entertaining? Awkward?

I can’t promise to make it less awkward, but I would love your ideas on how to make it more entertaining and helpful as a resource.

Please reply to this email and let me know what you’re loving — and what you’d like to see in this thing.

Thank you!