New Botnet Emerges from the Shadows: NightshadeC2
A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and add itself to the Windows Defender exclusion list. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.
AI Analysis
Technical Summary
NightshadeC2 is a newly identified botnet campaign characterized by advanced evasion and persistence techniques, targeting Windows environments. It employs sophisticated methods to bypass malware analysis sandboxes and evade detection by Windows Defender, notably using a 'UAC Prompt Bombing' technique (repeatedly raising the elevation prompt until the user accepts it) to obtain administrative privileges. The botnet is implemented in both C and Python variants, indicating modularity and adaptability. Its capabilities include establishing reverse shells for remote command execution, executing arbitrary files, self-deletion to cover tracks, remote control of infected hosts, screen capture, launching hidden web browsers, and keylogging to harvest sensitive user input. Distribution vectors include ClickFix attacks—likely involving malicious links or payloads delivered via social engineering—and trojanized legitimate software, which increases the likelihood of successful infection by masquerading as trusted applications. Communication with command and control (C2) servers is encrypted, complicating network detection and analysis. NightshadeC2 also gathers victim system information to tailor its operations and employs multiple persistence mechanisms to maintain a foothold on compromised machines. The botnet’s sandbox evasion techniques and use of encryption highlight its advanced design aimed at avoiding automated detection and analysis tools. The presence of numerous MITRE ATT&CK technique tags (e.g., T1113, T1056.001, T1547.009) underscores the breadth of tactics used, including credential access, persistence, defense evasion, and command execution. Although no known exploits in the wild are reported, the botnet’s capabilities and stealth features represent a significant threat to targeted environments.
Potential Impact
For European organizations, NightshadeC2 poses a multifaceted threat. Its ability to bypass Windows Defender and sandbox environments means traditional endpoint protection may be insufficient, increasing the risk of undetected compromise. The botnet’s keylogging and screen capture capabilities threaten confidentiality by potentially exposing sensitive corporate data, credentials, and intellectual property. Remote control and reverse shell access enable attackers to manipulate infected systems, potentially disrupting operations or facilitating lateral movement within networks, impacting integrity and availability. The use of trojanized legitimate software as a delivery vector is particularly concerning for European enterprises relying on software supply chains, as it can lead to widespread infections before detection. The encrypted C2 communication complicates network monitoring efforts, reducing the effectiveness of standard intrusion detection systems. Persistence mechanisms increase the difficulty of eradication, potentially leading to prolonged compromises. Given the sophistication and stealth of NightshadeC2, European organizations could face data breaches, operational disruptions, and reputational damage if infected.
Mitigation Recommendations
European organizations should implement layered defenses tailored to counter NightshadeC2’s advanced techniques. Specifically, deploy endpoint detection and response (EDR) solutions with behavioral analytics capable of identifying anomalous activities such as UAC prompt bombing and unusual process injections. Enforce strict application whitelisting and integrity monitoring to detect trojanized software installations. Enhance email and web filtering to block ClickFix attack vectors and educate users on social engineering risks. Network defenses should include SSL/TLS inspection where feasible to detect encrypted C2 traffic patterns and employ threat intelligence feeds to identify known NightshadeC2 indicators. Regularly audit and harden User Account Control settings to prevent privilege escalation via UAC bypass. Implement robust patch management to minimize exploitable vulnerabilities, even though no specific exploits are reported, as attackers may leverage other weaknesses. Conduct frequent endpoint and network scans to detect persistence artifacts and unusual system modifications. Finally, establish incident response playbooks specific to botnet infections, including rapid isolation and forensic analysis to limit spread and impact.
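One way to audit a Windows host for the three artefacts the recommendations above key on (self-added Defender exclusions, weakened UAC policy values, and autorun entries including Startup-folder shortcuts, T1547.009) is the following script. It is an added example, not code from eSentire's report or the AlienVault pulse; it assumes an elevated PowerShell session on a host with the Defender module present, and the function names are my own.

```powershell
# Added defensive audit (not from the eSentire report or the AlienVault pulse).
# Snapshots Defender exclusions, UAC policy values and autoruns as JSON so a
# run on a suspect host can be diffed against a known-good baseline. Run elevated.

# A self-added path/process exclusion is how the botnet hides from the AV engine.
function Get-DefenderExclusions {
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath)
        Processes  = @($p.ExclusionProcess)
        Extensions = @($p.ExclusionExtension)
    }
}

# 'Always notify' is ConsentPromptBehaviorAdmin = 2 (1 = credentials) with
# PromptOnSecureDesktop = 1; anything weaker makes prompt bombing cheaper.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    $findings = @()
    if ($v.EnableLUA -ne 1) { $findings += 'UAC disabled (EnableLUA != 1)' }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) { $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin = 0)' }
    if ($v.ConsentPromptBehaviorAdmin -notin 0, 1, 2) { $findings += 'UAC below "Always notify" (ConsentPromptBehaviorAdmin not 1 or 2)' }
    if ($v.PromptOnSecureDesktop -ne 1) { $findings += 'Elevation prompts not shown on the secure desktop' }
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $v.PromptOnSecureDesktop
        Findings                   = $findings
    }
}

# Run keys in both hives plus the resolved targets of Startup-folder shortcuts.
function Get-AutorunArtifacts {
    $meta  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $items = @()
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $meta) { continue }   # skip provider metadata
            $items += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    $shell   = New-Object -ComObject WScript.Shell
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        foreach ($f in Get-ChildItem -Path $folder -Filter *.lnk -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($f.FullName)
            $items += [pscustomobject]@{ Source = $f.FullName; Name = $f.Name; Command = ("$($lnk.TargetPath) $($lnk.Arguments)").Trim() }
        }
    }
    $items
}

# One JSON document per run; keep the first from a clean build as the baseline.
[ordered]@{
    DefenderExclusions = Get-DefenderExclusions
    Uac                = Get-UacPosture
    Autoruns           = Get-AutorunArtifacts
} | ConvertTo-Json -Depth 4
```

Any exclusion, UAC finding or autorun entry that is absent from the baseline is a lead for the EDR and forensic steps listed above, not a verdict on its own.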
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2
- Adversary: null
- Pulse Id: 68babf81ce8dc0a40f7d42f5
- Threat Score: null
Threat ID: 68baf67a04f80bd19b650c68
Added to database: 9/5/2025, 2:40:58 PM
Last enriched: 10/5/2025, 10:04:13 AM
Last updated: 10/17/2025, 11:00:09 PM