Cybersecurity researchers identified a highly sophisticated botnet known as NightshadeC2, which employs an innovative technique called UAC Prompt Bombing to bypass Windows Defender and evade detection in malware analysis environments. The botnet is primarily distributed through trojanized versions of legitimate software, including VPN clients, system utilities, and file search applications. Social engineering tactics are used to trick users into executing malicious loaders, which then attempt to add Defender exclusions via PowerShell scripts. If the scripts fail, the botnet repeatedly triggers UAC prompts until the user unwittingly grants administrative privileges, ensuring persistence and operational stealth.
NightshadeC2 exists in two distinct variants. The C variant offers a full suite of capabilities, including reverse shell access, screen capture, keylogging, clipboard harvesting, credential theft from Chromium- and Gecko-based browsers, and remote control functions that simulate keyboard and mouse activity. It maintains persistence through registry modifications. The Python variant, while more limited, focuses on reverse shell access, payload deployment, and self-deletion, and often evades antivirus detection because of its smaller footprint. Communication with command-and-control servers occurs over multiple TCP ports, with RC4 encryption used to transmit victim fingerprints and receive commands such as file uploads, downloads, and remote desktop operations.
Researchers also noted additional UAC bypass methods, including legacy techniques targeting older Windows versions and the use of LOLBin processes for elevation without repeated prompts. Organizations are strongly advised to verify software sources, monitor UAC activity, and ensure robust endpoint defenses to mitigate the espionage and remote-control capabilities of NightshadeC2. The threat underscores the growing sophistication of modern botnets and the critical need for vigilant security practices.
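As an added example (not code from the original report or from the researchers it summarizes), the following Python script shows the kind of monitoring the advice above calls for: it scans an exported event log for PowerShell ScriptBlock entries (Event ID 4104) that add Defender exclusions, and for bursts of consent.exe launches (the process behind the UAC consent prompt) that would indicate prompt bombing. The log format, the sample records and the burst thresholds are constructed assumptions; adapt them to your own telemetry.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export (not real telemetry). Assumed shape: one JSON object
# per line with "ts", "id" (4104 = PowerShell ScriptBlock logging, 1 = Sysmon
# process creation) and a "script" or "image" field.
SAMPLE_LOG = r"""
{"ts": "2024-01-01T10:00:00", "id": 4104, "script": "Get-Date"}
{"ts": "2024-01-01T10:00:05", "id": 4104, "script": "Add-MpPreference -ExclusionPath C:\\Users\\Public"}
{"ts": "2024-01-01T10:00:20", "id": 1, "image": "C:\\Windows\\System32\\consent.exe"}
{"ts": "2024-01-01T10:00:25", "id": 1, "image": "C:\\Windows\\System32\\consent.exe"}
{"ts": "2024-01-01T10:00:31", "id": 1, "image": "C:\\Windows\\System32\\consent.exe"}
{"ts": "2024-01-01T10:00:38", "id": 1, "image": "C:\\Windows\\System32\\consent.exe"}
{"ts": "2024-01-01T12:00:00", "id": 1, "image": "C:\\Windows\\System32\\consent.exe"}
"""

EXCLUSION_CMDLETS = ("add-mppreference", "set-mppreference")  # Defender exclusion cmdlets

def parse_events(text):
    """Parse the line-delimited JSON export into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_exclusion_changes(events):
    """Return ScriptBlock texts that add or modify Defender exclusions."""
    hits = []
    for ev in events:
        s = ev.get("script", "").lower()
        if ev.get("id") == 4104 and "exclusion" in s and any(c in s for c in EXCLUSION_CMDLETS):
            hits.append(ev["script"])
    return hits

def find_uac_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Sliding window over consent.exe launches; returns [(burst start, max count)] for windows with >= threshold prompts."""
    times = sorted(ev["ts"] for ev in events
                   if ev.get("id") == 1 and ev.get("image", "").lower().endswith("\\consent.exe"))
    bursts, start = {}, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:  # shrink window from the left
            start += 1
        count = end - start + 1
        if count >= threshold:
            bursts[times[start]] = max(count, bursts.get(times[start], 0))
    return sorted(bursts.items())
```

Either indicator alone is noisy (administrators do add exclusions, and users do click through several prompts), so treat a hit as a triage signal to pair with process lineage, not as a verdict on its own.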
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.