New Botnet Emerges from the Shadows: NightshadeC2
A new botnet called NightshadeC2 has been identified. It uses sophisticated techniques to bypass malware analysis sandboxes and adds itself to Windows Defender's exclusion list. It relies on a 'UAC Prompt Bombing' technique and exists in both C and Python variants. Its capabilities include a reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It is being distributed through ClickFix attacks and trojanized legitimate software. The botnet encrypts its C2 communication and gathers victim information. It also employs several persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.
AI Analysis
Technical Summary
NightshadeC2 is a newly identified botnet campaign whose evasion and persistence techniques make detection and mitigation considerably harder. Its sandbox evasion includes the novel 'UAC Prompt Bombing' technique, which attempts to bypass Windows User Account Control (UAC) prompts to escalate privileges without user consent. The botnet is implemented in both C and Python variants, indicating modularity and adaptability across environments. Its capabilities are extensive: reverse shells for remote command execution, execution of arbitrary files, self-deletion to cover tracks, remote control, screen capture, hidden web browser instances, and keylogging to harvest sensitive user input. Distribution vectors are ClickFix attacks (likely relying on social engineering or malicious redirects) and trojanized legitimate software, which raises the likelihood of successful infection by exploiting user trust in known applications. Communication with the command and control (C2) servers is encrypted, which improves stealth and complicates network-based detection. NightshadeC2 also collects victim system information to tailor its operations and uses multiple persistence mechanisms to keep its foothold on infected systems. Its ability to bypass Windows Defender and evade sandbox environments reflects a design aimed at long-term undetected presence. The threat underscores the growing sophistication of malware campaigns and the need for detection capabilities beyond traditional antivirus and sandboxing solutions.
Potential Impact
For European organizations, NightshadeC2 poses a multifaceted threat. Its capabilities let attackers gain persistent remote access, exfiltrate sensitive data via keylogging and screen capture, and execute arbitrary commands that could disrupt business operations or enable lateral movement within networks. The use of trojanized legitimate software as a distribution vector raises the risk of infection in enterprises that rely on third-party applications, as is common in European markets. Encrypted C2 communications and sandbox evasion reduce the effectiveness of conventional detection tools and may allow a prolonged, undetected compromise, leading to data breaches, intellectual property theft, espionage, and operational disruption. Given the botnet's ability to bypass Windows Defender, organizations that rely solely on native Windows security features are particularly exposed. The threat also concerns critical infrastructure sectors and government entities in Europe, where persistent remote control and data exfiltration could have national security implications. Finally, the botnet's modular design and multi-language implementation suggest adaptability to diverse environments, widening the potential impact across industries and organizational sizes within Europe.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to counter NightshadeC2’s advanced techniques. Specific recommendations include:
1) Deploy endpoint detection and response (EDR) solutions capable of behavioral analysis to detect anomalous activities such as UAC prompt bombing and unauthorized persistence mechanisms.
2) Enforce strict application whitelisting and integrity verification to prevent execution of trojanized software, including regular audits of third-party software sources.
3) Enhance network monitoring with deep packet inspection and SSL/TLS interception to identify encrypted C2 traffic patterns, supplemented by threat intelligence feeds to recognize NightshadeC2 indicators.
4) Implement user training focused on recognizing social engineering tactics related to ClickFix attacks and suspicious software installations.
5) Harden Windows environments by configuring UAC policies to require explicit user consent and restricting privilege escalation paths.
6) Regularly update and patch all software and operating systems to minimize exploitation surfaces, even though no specific patches are currently available for NightshadeC2.
7) Conduct frequent threat hunting exercises focusing on persistence artifacts and unusual process behaviors associated with this botnet.
8) Utilize sandbox environments with enhanced detection capabilities that can identify evasion techniques employed by NightshadeC2.
9) Establish incident response plans that include rapid isolation and forensic analysis to contain infections promptly.
These targeted measures go beyond generic advice and address the specific tactics, techniques, and procedures (TTPs) employed by NightshadeC2.
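Two hunting rules for the behaviours this page names, Windows Defender self-exclusion and UAC prompt bombing, run over constructed sample events. This is an added example, not code from the page, eSentire or AlienVault; the event field names, the wording of the Defender 5007 message, the user names, paths and the burst threshold are assumptions, and in practice the events would come from the Security and Microsoft-Windows-Windows Defender/Operational logs.

```python
"""Hunting logic for Defender self-exclusion and UAC prompt bombing."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Shapes are modelled on Security 4688 (process
# creation) and Defender/Operational 5007 (configuration changed); the dict
# field names are assumptions, not a real export format. Users, paths and
# timestamps are placeholders.
EXCL = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
SAMPLE_EVENTS = [
    {"ts": "2025-09-05T14:40:01", "id": 4688, "user": "alice",
     "proc": r"C:\Windows\System32\consent.exe"},
    {"ts": "2025-09-05T14:40:04", "id": 4688, "user": "alice",
     "proc": r"C:\Windows\System32\consent.exe"},
    {"ts": "2025-09-05T14:40:07", "id": 4688, "user": "alice",
     "proc": r"C:\Windows\System32\consent.exe"},
    {"ts": "2025-09-05T14:40:09", "id": 4688, "user": "alice",
     "proc": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2025-09-05T14:40:12", "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. "
                "Old value: New value: " + EXCL +
                r"\C:\Users\alice\AppData\Roaming\upd = 0x0"},
    {"ts": "2025-09-05T16:10:00", "id": 4688, "user": "bob",
     "proc": r"C:\Windows\System32\consent.exe"},
]

EXCLUSION_MARKER = "\\Windows Defender\\Exclusions\\"


def defender_exclusions_added(events):
    """Return (timestamp, kind, target) for each Defender exclusion written
    via a 5007 event; kind is Paths/Processes/Extensions."""
    hits = []
    for e in events:
        if e["id"] != 5007:
            continue
        parts = e.get("message", "").split("New value:", 1)
        if len(parts) < 2 or EXCLUSION_MARKER not in parts[1]:
            continue
        tail = parts[1].split(EXCLUSION_MARKER, 1)[1]
        kind, _, rest = tail.partition("\\")
        target = rest.strip().rsplit(" = ", 1)[0]  # drop the "= 0x0" suffix
        hits.append((e["ts"], kind, target))
    return hits


def uac_prompt_bursts(events, threshold=3, window_s=60):
    """Flag a user who gets >= threshold elevation prompts (consent.exe
    launches) inside a window_s-second sliding window; one alert per burst."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] != 4688 or not e["proc"].lower().endswith("\\consent.exe"):
            continue
        t = datetime.fromisoformat(e["ts"])
        q = recent[e["user"]]
        q.append(t)
        while t - q[0] > timedelta(seconds=window_s):  # expire old prompts
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["user"], q[0].isoformat(), len(q)))
            q.clear()
    return alerts
```

Tune the threshold and window to the normal rate of elevation prompts on your fleet before alerting on bursts.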
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Finland
Indicators of Compromise
IP addresses, file hashes (MD5, SHA-1 and SHA-256) and domains; the full list is in the AlienVault pulse and the eSentire report cited under Technical Details.
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
- Adversary: null
- Pulse Id: 68babf81ce8dc0a40f7d42f5
- Threat Score: null
Threat ID: 68baf67a04f80bd19b650c68
Added to database: 9/5/2025, 2:40:58 PM
Last enriched: 9/5/2025, 2:41:50 PM
Last updated: 9/5/2025, 8:02:30 PM