Redazione RHC : 9 September 2025 07:35
eSentire has reported the discovery of a new botnet called NightshadeC2, which uses unconventional methods to bypass protection and sandboxes. The malware is distributed through trojanized copies of legitimate programs such as CCleaner, Express VPN, Advanced IP Scanner, and Everything, and through the ClickFix scheme, in which the victim is prompted to paste a command into the Windows Run dialog after completing a fake CAPTCHA.
The main feature of NightshadeC2 is a technique the researchers call “UAC Prompt Bombing.” The loader runs a PowerShell script that tries to add the malware to the Windows Defender exclusion list, an action that requires elevation. If the user declines the UAC prompt, the script simply retries and the prompt reappears, so the user cannot use the computer until they agree.
The same loop doubles as sandbox evasion: in most analysis environments Defender is disabled or absent, so the exclusion command never succeeds, the script never leaves the loop, and the payload is never executed. This is how it bypasses analysis environments such as Any.Run, CAPEv2, and Joe Sandbox. For analysts the implication is that the sample has to be detonated with Defender enabled, or the exclusion call has to be hooked to report success, before the payload will run.
NightshadeC2’s main payload is written in C, but simplified Python variants have also been observed, presumably generated with AI assistance. The C variant communicates over ports 7777, 33336, 33337, and 443; the Python variant uses port 80. The infected file, which masquerades as updater.exe, collects the host’s local and external IP addresses on launch, encrypts its traffic to the command-and-control server with RC4, and establishes persistence via the Winlogon, RunOnce, and Active Setup registry keys.
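The RC4 link mentioned above is the part of the protocol an analyst most often has to reimplement, so here is an added example (not code from eSentire’s report or from the malware itself) of the cipher in Python, with the standard RC4 test vectors and a keystream-reuse check. The key, the beacon layout and the assumption that the same key is reused without a per-message nonce are all constructed for the demonstration; the article specifies none of them.

```python
# Added example: RC4 as an analyst would reimplement it to decode captured
# NightshadeC2-style C2 traffic. Not code from eSentire's report or the
# malware; key, beacon contents and message layout are constructed.


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: derive the 256-byte permutation from the key."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: RC4 just XORs the data with the PRGA keystream."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """If one static key is reused with no per-message nonce, every message
    is XORed with the same keystream, so a single known plaintext (e.g. a
    beacon whose format was worked out from a sandbox run) yields the
    keystream prefix directly, without knowing the key."""
    return bytes(p ^ c for p, c in zip(known_plaintext, ciphertext))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Read another message's prefix using a recovered keystream."""
    return bytes(k ^ c for k, c in zip(keystream, ciphertext))


# Constructed sample: a static key and two beacons in a made-up "field|field"
# layout. That NightshadeC2 reuses a static key without a nonce is an
# assumption made here only to show why that design would be weak.
SAMPLE_KEY = b"constructed-demo-key"
BEACON_1 = b"ip=10.0.0.23|ext=203.0.113.9|host=WS01"
BEACON_2 = b"ip=10.0.0.23|ext=203.0.113.9|cmd=shell"


def demo() -> dict[str, bytes]:
    c1 = rc4_crypt(SAMPLE_KEY, BEACON_1)
    c2 = rc4_crypt(SAMPLE_KEY, BEACON_2)
    # The analyst knows BEACON_1's plaintext but not the key: recover the
    # keystream and read the second beacon anyway.
    ks = recover_keystream(BEACON_1, c1)
    return {
        "c1": c1,
        "c2": c2,
        "round_trip": rc4_crypt(SAMPLE_KEY, c1),
        "c2_without_key": decrypt_with_keystream(ks, c2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The keystream-reuse check is the practical point: if the C2 protocol really does use one static key and no nonce, a single known beacon (for example the IP-report message) lets a defender decrypt the shared prefix of every other message without ever extracting the key. If the malware derives per-message keys instead, recover_keystream yields garbage for the second message, which is itself a useful finding about the protocol.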
NightshadeC2 offers a wide range of features that give attackers full control of the infected system. The malware provides remote access via a reverse shell, launching hidden PowerShell or cmd.exe sessions; it can download and execute additional DLL or EXE files and, on command, delete itself from the host.
NightshadeC2 supports full remote control, including screenshots and emulation of user input, and can run hidden instances of Chrome, Edge, Firefox, and Brave on a separate desktop. It also logs keystrokes and clipboard changes and can extract passwords and cookies from installed Chromium- and Gecko-based browsers.
Collected data is written to hidden files whose names depend on the privilege level of the process (for example, JohniiDepp and LuchiiSvet). The keylogger uses a hidden window and standard WinAPI hooks to capture keystrokes and clipboard contents. Operators can drive the infected system by copying and pasting text, emulating input, and launching browsers or system windows on the hidden desktop. Some NightshadeC2 variants fetch the C2 address from a Steam profile page (a dead-drop resolver), so the operators can move C2 infrastructure without pushing a new build of the malware.
Two methods for bypassing User Account Control (UAC) have also been identified. One exploits an old vulnerability in an RPC server; the other is built into the loader and is only used on systems older than Windows 11. The second chains reg.exe and schtasks.exe to launch the malware with elevated privileges without any user interaction and then adds it to the Windows Defender exclusions.
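The host artifacts named on this page, Defender exclusion additions (from the UAC prompt bombing and from the elevated reg/schtasks bypass) and autostart writes to the Winlogon, RunOnce and Active Setup keys, all surface in standard Windows telemetry. The following added example (not eSentire’s tooling or the malware’s code) runs simple triage logic over constructed Sysmon Event ID 13 and Defender Event ID 5007 records; the user name, paths, GUID and message text are made up, and the Winlogon defaults are an assumption to be replaced with values from your own gold image.

```python
import re

# Added example (not eSentire's tooling or the malware's code): triage of
# Windows telemetry for the artifacts described in the article. It flags
# writes to the Winlogon, RunOnce and Active Setup persistence keys (Sysmon
# Event ID 13, registry value set) and Defender exclusion additions (Defender
# Operational log Event ID 5007). Every record in SAMPLE_EVENTS is constructed.

# Default values of the two Winlogon values that autostart tampering targets.
# Assumption: stock Windows; replace with values from your own gold image.
WINLOGON_BASELINE = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

PERSISTENCE_KEYS = [
    ("winlogon", re.compile(r"\\windows nt\\currentversion\\winlogon\\(shell|userinit)$", re.I)),
    ("runonce", re.compile(r"\\windows\\currentversion\\runonce\\", re.I)),
    ("activesetup", re.compile(r"\\active setup\\installed components\\[^\\]+\\stubpath$", re.I)),
]

# Directories a standard user can write to; an exclusion or autostart that
# points here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)

# Event 5007 quotes the registry value that was written, e.g.
# "New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\x.exe = 0x0"
EXCLUSION = re.compile(
    r"new value: hklm\\software\\microsoft\\windows defender\\exclusions\\"
    r"(paths|processes|extensions)\\(.+?) = ", re.I)


def check_registry_set(target_object: str, details: str) -> list[tuple[str, str]]:
    """Findings for one Sysmon Event ID 13 (TargetObject, Details)."""
    findings = []
    for name, pattern in PERSISTENCE_KEYS:
        m = pattern.search(target_object)
        if not m:
            continue
        if name == "winlogon":
            # Compare with the known-good value instead of pattern-matching:
            # anything other than the default is suspicious here.
            value = m.group(1).lower()
            if details.strip().lower() != WINLOGON_BASELINE[value]:
                findings.append(("HIGH", f"Winlogon {value} changed from default: {details}"))
        else:
            sev = "HIGH" if USER_WRITABLE.search(details) else "MEDIUM"
            findings.append((sev, f"{name} autostart set: {target_object} -> {details}"))
    return findings


def check_defender_event(message: str) -> list[tuple[str, str]]:
    """Findings for one Defender Event ID 5007 message."""
    m = EXCLUSION.search(message)
    if not m:
        return []
    kind, item = m.group(1).lower(), m.group(2)
    sev = "HIGH" if USER_WRITABLE.search(item) else "MEDIUM"
    return [(sev, f"Defender {kind} exclusion added: {item}")]


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Run both checks over a list of normalised event records."""
    findings = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["event_id"] == 13:
            findings += check_registry_set(ev["TargetObject"], ev["Details"])
        elif ev["source"] == "defender" and ev["event_id"] == 5007:
            findings += check_defender_event(ev["Message"])
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"source": "sysmon", "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe, C:\Users\alice\AppData\Roaming\updater.exe"},
    {"source": "sysmon", "event_id": 13,  # benign: default value rewritten unchanged
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"source": "sysmon", "event_id": 13,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"source": "sysmon", "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-1111-2222-3333-444444444444}\StubPath",
     "Details": r"C:\ProgramData\Updater\updater.exe"},
    {"source": "sysmon", "event_id": 13,  # plain Run key: not one of the keys this page names
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"source": "defender", "event_id": 5007,
     "Message": r"Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp\updater.exe = 0x0"},
    {"source": "defender", "event_id": 5007,
     "Message": r"Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\db = 0x0"},
]

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE_EVENTS):
        print(severity, reason)
```

Two design choices are worth keeping in a production rule: the Winlogon Shell and Userinit values are compared against a known-good value rather than pattern-matched, because any deviation from explorer.exe or userinit.exe is suspicious; and exclusions or autostarts that point into user-writable directories are scored higher than ones under Program Files, since a legitimately elevated installer has no reason to place its binary in Temp or AppData.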
To mitigate this threat, the researchers recommend disabling the Run dialog via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”), training employees to recognize phishing and social engineering, and using modern EDR or NGAV solutions that can detect non-standard malware behaviour. Note that the policy only closes the Run box; ClickFix lures can just as easily instruct the victim to paste the command into a PowerShell or Terminal window, so it is a partial control rather than a complete one.
According to the researchers, NightshadeC2 is a versatile tool with backdoor, spying, and stealth capabilities, and its UAC prompt bombing technique is a simple yet effective way to defeat both the user’s protections and automated analysis.