NightshadeC2 Botnet Is Using “UAC Prompt Bombing” to Bypass Defenses
Experts at eSentire have reported the discovery of a new botnet known as NightshadeC2, which employs unconventional techniques to evade defenses and sandbox environments. The malware is distributed through counterfeit versions of legitimate programs—such as CCleaner, ExpressVPN, Advanced IP Scanner, and Everything—as well as through the ClickFix scheme, in which victims are tricked into entering a command into the Windows “Run” dialog after passing a fake CAPTCHA.
The defining feature of NightshadeC2 is a tactic the researchers call “UAC Prompt Bombing.” Its loader runs a PowerShell script that tries to add the malware to Windows Defender’s exclusion list, an operation that requires administrative rights and is therefore gated by a UAC consent prompt. If the user declines, the prompt is raised again, and again, until the machine is effectively unusable and the user gives in and clicks Yes. The same loop doubles as sandbox evasion: when Defender is disabled, the exclusion can never be added, so the script spins forever and the payload is never launched. Analysis platforms such as Any.Run, CAPEv2, and Joe Sandbox, where Defender is typically switched off, therefore see nothing; to reach the payload the sample has to be detonated with Defender active, or the retry loop patched out.
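As an added example (not code from the eSentire report or from the malware), the following PowerShell checks a host for the traces this technique leaves behind: Defender exclusions in user-writable locations, the Defender configuration-change events that record an exclusion being added, and a burst of consent.exe launches, which is what a decline-and-retry loop looks like in process-creation auditing. It assumes Windows 10/11 with Defender enabled and an elevated session; the path patterns, time windows and the threshold of five prompts are illustrative choices, and the third check only works if Security event 4688 auditing is on.

```powershell
# Added example (not from the eSentire report or the malware): hunt for traces of
# "UAC prompt bombing" on one host. Assumes Windows 10/11 with Defender enabled and
# an elevated session; patterns, windows and the threshold below are illustrative.

# 1. Exclusions that exist now. The loader's goal is an exclusion for its own
#    drop location, so exclusions under user-writable paths deserve a look.
$userWritable = '\\Users\\', '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\'
foreach ($path in (Get-MpPreference).ExclusionPath) {
    if ($userWritable | Where-Object { $path -match $_ }) {
        Write-Warning "Defender exclusion in user-writable location: $path"
    }
}

# 2. Defender logs every configuration change as event 5007, including the
#    registry value that was written (...\Exclusions\Paths\<path>).
$filter5007 = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter5007 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    ForEach-Object {
        $evt  = $_
        $line = ($evt.Message -split "`r?`n" | Where-Object { $_ -match 'Exclusions\\Paths' })[0]
        '{0:u}  {1}' -f $evt.TimeCreated, $line.Trim()
    }

# 3. Every UAC prompt is drawn by consent.exe. Several launches in a short window
#    is the fingerprint of the decline/retry loop. Needs process-creation auditing
#    (Security event 4688; NewProcessName is property index 5).
$filter4688 = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-10) }
$prompts = @(Get-WinEvent -FilterHashtable $filter4688 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\consent.exe' })
if ($prompts.Count -ge 5) {
    Write-Warning ("{0} UAC prompts (consent.exe) in the last 10 minutes: possible prompt bombing" -f $prompts.Count)
}
```

Note that a declined prompt writes nothing to the Defender log; only the successful exclusion produces event 5007, which is why the consent.exe count is the check that catches the loop while it is still running.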
The primary NightshadeC2 payload is written in C; simplified Python variants, likely AI-generated, have also been found. The C variant talks to its controller on ports 7777, 33336, 33337, and 443, the Python version on port 80. A component disguised as updater.exe collects system details and the host’s external IP address, exchanges RC4-encrypted messages with the command-and-control server, and persists through the Winlogon, RunOnce, and Active Setup registry keys.
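As an added example (not code from the report), this PowerShell audits the three persistence locations named above on a single host. The Winlogon defaults it compares against, the assumption that the system drive is C:, and the "user-writable" path patterns are the reviewer's own; run it elevated so the HKLM values are readable.

```powershell
# Added example (not from the report): audit the three persistence locations the
# report names. Run elevated. The Winlogon defaults (system drive assumed to be C:)
# and the user-writable path patterns are assumptions, not indicators from the report.
$userWritable = '\\Users\\', '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value })
}

# Winlogon: Shell and Userinit run at every interactive logon; anything appended
# to them (comma-separated) runs as well.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonDefaults = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }
foreach ($name in $winlogonDefaults.Keys) {
    $value = $wl.$name
    if ($value -and $value -ne $winlogonDefaults[$name]) { Add-Finding "Winlogon\$name" $value }
}

# RunOnce: executed once at the next logon and then deleted, so a live entry is
# itself unusual on a healthy machine. Report every value except PowerShell metadata.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Finding "$key\$($p.Name)" $p.Value }
    }
}

# Active Setup: each component's StubPath runs once per user at logon. Legitimate
# stubs live under Windows or Program Files; flag those in user-writable paths.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components') {
    if (-not (Test-Path $root)) { continue }
    foreach ($comp in Get-ChildItem -Path $root) {
        $stub = (Get-ItemProperty -Path $comp.PSPath).StubPath
        if ($stub -and ($userWritable | Where-Object { $stub -match $_ })) {
            Add-Finding "ActiveSetup\$($comp.PSChildName)" $stub
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No unexpected entries found' }
```

A Winlogon Shell or Userinit value that differs from the default is almost always worth investigating; RunOnce and Active Setup produce more legitimate noise (installers, per-user component setup), so the output there is a review list rather than a verdict.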
NightshadeC2 ships with an extensive feature set that gives the operator full control of an infected host. It provides a reverse shell, launches hidden PowerShell or command-prompt sessions, downloads and executes DLLs or EXEs, and can remove itself on command.
The malware also supports full remote management: it captures screenshots, simulates mouse and keyboard input, and opens hidden browser sessions (Chrome, Edge, Firefox, Brave) on a separate, invisible desktop, so an operator can work inside the victim’s browser without anything appearing on screen. A keylogger built on a concealed window and standard WinAPI hooks records keystrokes and clipboard contents, and the stealer extracts saved passwords and cookies from Chromium- and Gecko-based browsers. Stolen data is staged in hidden files whose names depend on the privilege level the malware runs with (e.g., JohniiDepp, LuchiiSvet). Some variants retrieve their command-and-control address from a Steam profile, so operators can rotate servers without pushing a new build; a single resolved C2 address is therefore not a durable indicator.
The researchers also identified two further UAC bypasses. One relies on an older, previously known weakness in an RPC server; the other, built into the loader, targets systems older than Windows 11 and uses a combination of reg and schtasks commands to launch the malware with elevated privileges and add it to Defender’s exclusion list in the same step. On such hosts, scheduled tasks configured to run with highest privileges from a user-writable path are worth auditing alongside the registry locations above.
To reduce exposure, the researchers recommend disabling the Run dialog through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”), training staff to recognise phishing and ClickFix-style social engineering, and deploying EDR or NGAV products that detect anomalous behaviour rather than relying on signatures. Two caveats apply. Removing the Run dialog blocks only one launch surface; ClickFix lures also direct victims to paste the command into a PowerShell or terminal window or the File Explorer address bar. And the prompt-bombing loop only works against a user who can approve a UAC prompt: a standard user without local administrator rights is shown a credential prompt instead and cannot consent, so day-to-day accounts without admin rights blunt the technique.
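As an added example (not from the report), this PowerShell applies the Run-dialog policy for the current user without waiting for a Group Policy refresh, verifies it, and reports whether the user could approve a UAC prompt at all. The NoRun value is the one the named GPO setting writes; the hive, the local-group check and the assumption of a local or single-domain account are the reviewer's choices.

```powershell
# Added example (not from the report): set the "Remove Run menu from Start Menu"
# policy for the current user, verify it, and check whether the user holds local
# admin rights. The GPO writes this same NoRun value; use HKLM for machine-wide
# enforcement. Takes effect at the next logon or Explorer restart.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'NoRun' -Value 1 -Type DWord

$noRun = (Get-ItemProperty -Path $policyKey -Name 'NoRun' -ErrorAction SilentlyContinue).NoRun
if ($noRun -eq 1) { 'Run dialog (Win+R) disabled for this user' } else { Write-Warning 'NoRun is not set' }

# Prompt bombing needs a victim who can click "Yes". A standard user is shown a
# credential prompt instead. Direct membership only: nested domain groups are not
# resolved here (assumption: local or single-domain account).
$user   = "$env:USERDOMAIN\$env:USERNAME"
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name
if ($admins -contains $user) {
    Write-Warning "$user is a local administrator and can approve an exclusion prompt"
} else {
    "$user is not a direct member of Administrators"
}
```

Treat the NoRun setting as a speed bump, not a control: it removes the Win+R surface the ClickFix lure targets, but the admin-rights check is the one that decides whether the bombing loop can succeed at all.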
According to researchers, NightshadeC2 represents a versatile tool for backdooring, espionage, and covert control. Its UAC bombing technique, though deceptively simple, proves highly effective at circumventing both user defenses and automated analysis.