NightshadeC2 Botnet Exploits ‘UAC Prompt Bombing’ to Evade Windows Defender


A new botnet named NightshadeC2 has emerged, employing a technique known as “UAC Prompt Bombing” to bypass Windows Defender and compromise endpoint security systems.

In August 2025, eSentire’s Threat Response Unit (TRU) identified NightshadeC2, highlighting a significant advancement in malware evasion techniques.

The botnet possesses advanced functionalities such as reverse shell access, credential theft, keylogging, and remote system control, posing a substantial threat to enterprise security teams globally.

NightshadeC2’s “UAC Prompt Bombing” technique forces users to repeatedly approve User Account Control prompts, exploiting human compliance. Its .NET-based loader continually executes PowerShell commands to add Windows Defender exclusions for the final payload.

When users decline the prompts, the system becomes increasingly unusable due to the persistent appearance of these prompts.

This tactic is particularly effective against malware analysis sandboxes. Because the loader keeps retrying until the exclusion command succeeds, a system whose Windows Defender service is disabled returns a non-zero exit code every time, trapping the automated analysis environment in an execution loop so that the final payload is never delivered.

TRU researchers confirmed that this method successfully bypassed multiple sandbox solutions, including Joe Sandbox, CAPEv2, Hatching Triage, and Any.Run.
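A defender-side illustration of the loop described above, added here and not taken from eSentire's report: the loader's repeated Defender-exclusion attempts leave a burst of near-identical `Add-MpPreference` commands in PowerShell Script Block Logging (Event ID 4104). The records below are constructed, and the burst threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like PowerShell Script Block Logging
# events (Event ID 4104): (host, timestamp, script text). Not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "2025-08-12T09:00:01", "Get-ChildItem C:\\Temp"),
    ("WS01", "2025-08-12T09:00:05", 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svc.exe"'),
    ("WS01", "2025-08-12T09:00:09", 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svc.exe"'),
    ("WS01", "2025-08-12T09:00:14", 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svc.exe"'),
    ("WS01", "2025-08-12T09:00:20", 'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svc.exe"'),
    ("WS02", "2025-08-12T10:30:00", 'Add-MpPreference -ExclusionPath "D:\\Builds"'),
    ("WS03", "2025-08-12T11:00:00", "Set-MpPreference -DisableRealtimeMonitoring $true"),
]

# Any cmdlet form that adds a Defender exclusion (path, process or extension).
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)


def exclusion_events(events):
    """Return (host, datetime, script) for every exclusion-add command seen."""
    out = []
    for host, ts, script in events:
        if EXCLUSION_RE.search(script):
            out.append((host, datetime.fromisoformat(ts), script))
    return out


def find_bursts(events, threshold=3, window_seconds=60):
    """Map host -> largest count of exclusion-adds inside any window_seconds
    window, for hosts reaching threshold. One add is routine admin work; a
    tight loop of them matches the retry-until-approved loader behaviour."""
    by_host = defaultdict(list)
    for host, when, _script in exclusion_events(events):
        by_host[host].append(when)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts
```

Pair the burst alert with a baseline rule on the single exclusion-add itself: outside a change window, any Defender exclusion created from an interactive user session deserves a look.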

Multi-Variant Architecture

NightshadeC2 operates through both C and Python-based variants, communicating with unidentified Command and Control frameworks.

The C variant primarily uses TCP ports 7777, 33336, 33337, and 443, while Python variants connect through TCP port 80. This strategy enhances the botnet’s resilience against network-based detection systems.

The C variant features capabilities such as reverse shell access, Command Prompt and PowerShell execution, DLL and executable download, system self-deletion, remote control, screen capture, hidden web browser deployment, and extensive keylogging with clipboard content harvesting.

Additionally, certain variants can steal credentials from Gecko and Chromium-based browsers.

The Python variant, believed to be converted using Large Language Models, maintains reduced functionality, focusing on self-deletion, download/execute operations, and reverse shell capabilities. This streamlined approach likely serves as an evasion mechanism, as fewer security vendors on VirusTotal successfully identify Python-based variants.

Distribution and Initial Access Methods

NightshadeC2 spreads through two primary vectors. The first utilizes ClickFix social engineering tactics, presenting victims with fake CAPTCHA verification pages themed around legitimate services like booking.com. Users are instructed to execute malicious commands via the Windows Run Prompt to initiate the infection chain.

The second method involves trojanized versions of legitimate software applications. TRU researchers identified compromised versions of Advanced IP Scanner, Express VPN, HyperSecure VPN, CCleaner, and Everything search utility, exploiting user trust in familiar software brands for initial system compromise.

Upon successful installation, NightshadeC2 establishes persistence using multiple Windows registry mechanisms, including Winlogon, RunOnce, and Active Setup entries.

Initial reconnaissance is performed by querying ip-api.com to gather victim geolocation data and VPN status information, likely in order to avoid security researcher environments and analysis sandboxes.

NightshadeC2’s keylogging and clipboard harvesting capabilities function through hidden windows with specific class names such as “IsabellaWine.” The malware registers clipboard format listeners and installs low-level keyboard hooks to capture user input across all applications.

Harvested data is stored in hidden log files with variable names like “JohniiDepp” for elevated processes and “LuchiiSvet” (Russian for “RaysLight”) for standard user contexts.

NightshadeC2 implements an extensive command set supporting various malicious operations, including keep-alive mechanisms, reverse shell establishment, file upload/download capabilities, C2 server migration, self-deletion, hidden desktop creation, screen capture functionality, and remote control features enabling copy/paste operations and simulated keyboard/mouse input.

UAC Bypass Techniques

In addition to “UAC Prompt Bombing,” TRU researchers identified two further UAC bypass methods used by NightshadeC2 campaigns.

The first exploits a vulnerability disclosed in 2019 in the behavior of the RPC server that implements UAC features.

The second technique targets systems older than Windows 11, manipulating the DiskCleanup scheduled task through registry modifications and LOLBin (Living Off The Land Binary) processes to escalate privileges without user interaction.

eSentire has developed YARA rules to detect both C and Python variants of NightshadeC2. The security firm recommends several defensive measures, including disabling the Windows Run prompt through Group Policy Objects, deploying Next-Generation Antivirus solutions with Endpoint Detection and Response capabilities, and establishing comprehensive Phishing and Security Awareness Training programs.

The discovery of NightshadeC2 underscores the sophistication of modern malware campaigns and the importance of multi-layered security approaches.

Organizations must remain vigilant against social engineering tactics while maintaining robust endpoint protection and user education programs to defend against these advanced persistent threats.
