Figure: Initial Access Vector (image: TRU)
Recently, the eSentire Threat Response Unit (TRU) identified a new botnet family dubbed NightshadeC2, deployed through a loader that combines social engineering, Windows Defender exclusions, and clever evasion tactics. Most notably, the malware employs a technique TRU calls “UAC Prompt Bombing” to force user compliance and bypass sandbox environments.
According to TRU, “NightshadeC2 is being deployed via a loader that employs a simple yet highly effective technique to bypass malware analysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to herein as ‘UAC Prompt Bombing’.”
NightshadeC2 operators are leveraging ClickFix attacks, where victims are shown a fake CAPTCHA and instructed to run a malicious command in the Windows Run Prompt. TRU also observed infections spread through trojanized versions of legitimate software such as Advanced IP Scanner, Express VPN, HyperSecure VPN, CCleaner, and Everything.
The second-stage PowerShell script decrypts a .NET loader, which attempts to add a Windows Defender exclusion for the final payload before the payload even touches disk. If the PowerShell process exits with a non-zero code (for example, because the user declines the elevation request), the loader simply retries in a loop, creating a barrage of UAC prompts that the victim must eventually accept to regain use of the system.
TRU explains, “If the PowerShell process returns any exit code other than 0, the while loop continues executing, effectively forcing the user to approve the User Account Control (UAC) prompt or face system usability issues.”
The same loop also traps malware sandboxes in which Windows Defender is disabled: the exclusion command keeps returning a non-zero exit code, the loop never exits, and the payload is never delivered. TRU confirmed bypasses against multiple sandbox products, including Joe Sandbox, CAPEv2, Hatching Triage, and Any.Run.
The C variant of NightshadeC2 communicates over TCP ports 7777, 33336, 33337, and 443, while the Python variant uses port 80. Core features include:
- Reverse shell via Command Prompt/PowerShell
- Download and execute DLL or EXE
- Screen capture and hidden browser launching
- Remote control with simulated keyboard/mouse input
- Keylogging and clipboard capture
- Credential theft from Chromium and Gecko-based browsers
TRU noted that the Python variant has reduced functionality—limited to reverse shell, download/execute, and self-deletion—but may evade detection due to lower antivirus coverage.
Persistence is achieved through multiple registry keys (Winlogon, RunOnce, and Active Setup). Once active, the malware fingerprints victims by collecting external IP, OS version, MachineGuid, username, and domain.
Captured keystrokes and clipboard data are logged to hidden files, with filenames depending on privilege level. In one case, elevated systems used %LOCALAPPDATA%\JohniiDepp, while non-elevated systems used %LOCALAPPDATA%\LuchiiSvet (“RaysLight” in Russian).
Some variants fetch their C2 servers via Steam profile metadata, allowing attackers to rotate infrastructure dynamically. TRU observed one sample using the Steam Community URL to resolve to programsbookss[.]com.
The C2 protocol begins with RC4-encrypted handshakes, then transmits victim fingerprints and receives commands, such as file uploads, downloads, reverse shells, and remote desktop actions.
Beyond UAC Prompt Bombing, TRU also identified two UAC bypass methods:
- A 2019 RPC server abuse technique for privilege escalation.
- A loader-based bypass that detects OS versions older than Windows 11, launching LOLBin processes to gain elevation and add Defender exclusions without repeated prompts.
TRU warns, “A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop.”
Organizations should remain vigilant against ClickFix-style lures, scrutinize trojanized software sources, and monitor for suspicious UAC prompts and Defender exclusion changes.
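The two behaviours the article singles out for monitoring, repeated Defender exclusion attempts from one parent process (the UAC prompt bombing loop) and registry writes to the Winlogon, RunOnce and Active Setup persistence locations, can be surfaced from endpoint telemetry with a small detector. The following is an added example, not code from eSentire/TRU or the malware; it runs over constructed sample events whose field names follow Sysmon's Event ID 1 (process creation) and Event ID 13 (registry value set) schema. PIDs, timestamps, file paths and the SID/GUID values are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a Sysmon-like shape.  Event ID 1 is process
# creation, Event ID 13 is a registry value being set.  Values are invented;
# only the registry key locations mirror what the article reports.
SAMPLE_EVENTS = [
    # Four PowerShell exclusion attempts from the same parent within seconds:
    # the retry loop that produces the barrage of UAC prompts.
    {"EventID": 1, "UtcTime": "2025-09-04 10:00:00", "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    {"EventID": 1, "UtcTime": "2025-09-04 10:00:05", "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    {"EventID": 1, "UtcTime": "2025-09-04 10:00:11", "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    {"EventID": 1, "UtcTime": "2025-09-04 10:00:18", "ParentProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public\\svc"'},
    # Benign PowerShell use and a single administrator exclusion (below threshold).
    {"EventID": 1, "UtcTime": "2025-09-04 10:05:00", "ParentProcessId": 5000,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'powershell -Command "Get-Date"'},
    {"EventID": 1, "UtcTime": "2025-09-04 11:30:00", "ParentProcessId": 6100,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\Tools"},
    # Registry persistence writes to the three locations the article names.
    {"EventID": 13, "UtcTime": "2025-09-04 10:01:00", "Image": "C:\\Users\\Public\\svc\\update.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe, C:\\Users\\Public\\svc\\update.exe"},
    {"EventID": 13, "UtcTime": "2025-09-04 10:01:01", "Image": "C:\\Users\\Public\\svc\\update.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svc",
     "Details": "C:\\Users\\Public\\svc\\update.exe"},
    {"EventID": 13, "UtcTime": "2025-09-04 10:01:02", "Image": "C:\\Users\\Public\\svc\\update.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{00000000-1111-2222-3333-444444444444}\\StubPath",
     "Details": "C:\\Users\\Public\\svc\\update.exe"},
    # Unrelated registry write that must not be flagged.
    {"EventID": 13, "UtcTime": "2025-09-04 10:02:00", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ExampleApp\\DisplayName",
     "Details": "ExampleApp"},
]

# Any Add-MpPreference call that adds a path, process or extension exclusion.
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)

# Key fragments for the persistence locations described in the article.
PERSISTENCE_KEYS = (
    "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
    "\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
    "\\Microsoft\\Active Setup\\Installed Components\\",
)


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_prompt_bombing(events, min_attempts=3, window=timedelta(minutes=2)):
    """Return {parent_pid: attempts} for parents that spawned at least
    `min_attempts` Defender-exclusion PowerShell processes inside any
    `window`-long sliding interval.  A lone administrator exclusion stays
    below the threshold; the retry loop does not."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 1 or not EXCLUSION_RE.search(ev.get("CommandLine", "")):
            continue
        by_parent[ev["ParentProcessId"]].append(_parse_time(ev["UtcTime"]))

    hits = {}
    for pid, times in by_parent.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_attempts:
            hits[pid] = best
    return hits


def find_persistence_writes(events):
    """Return (writing image, registry target) pairs for Event ID 13 writes
    under the Winlogon, RunOnce or Active Setup keys."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if any(key.lower() in target.lower() for key in PERSISTENCE_KEYS):
            hits.append((ev.get("Image", ""), target))
    return hits


if __name__ == "__main__":
    for pid, count in find_prompt_bombing(SAMPLE_EVENTS).items():
        print(f"possible UAC prompt bombing: parent PID {pid} spawned {count} Defender-exclusion attempts")
    for image, target in find_persistence_writes(SAMPLE_EVENTS):
        print(f"persistence write: {image} -> {target}")
```

The sliding window in `find_prompt_bombing` is the important design choice: a single `Add-MpPreference` call is routine administration, whereas several from one parent within a couple of minutes is the retry loop the article describes, so the rule keys on the parent process and the burst rather than on the command alone. In production the same logic would be fed from the Sysmon operational log or an EDR's process and registry streams instead of the constructed list.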