CrySome RAT: Multi-Layered Userland Evasion and Post-Exploitation Framework
BLOG
APRIL 17, 2026
Threat Research
Overview
CrySome RAT is a .NET-based remote access trojan designed for post-compromise control, credential harvesting, and covert system interaction. The malware prioritizes persistence, defense evasion, and operator control over initial access techniques.
The analyzed sample demonstrates multiple persistence mechanisms, including:
Registry-based execution (RunOnce)
Service-based persistence
Watchdog-based self-protection
Its evasion strategy focuses on disabling endpoint protections, interfering with security tooling execution, and degrading update mechanisms. Communication with its command-and-control (C2) infrastructure occurs over a custom TCP-based protocol, enabling modular remote operations such as file manipulation, surveillance, proxying, and credential access.
Unlike kernel-level threats, CrySome RAT operates primarily in userland, leveraging configuration abuse and native utilities to maintain stealth and control.
Threat Distribution & Ecosystem
CrySome RAT is actively marketed across underground forums using a subscription-based model, indicating commercialization and ongoing development.
Fig 1: A forum post promoting CrysomeRAT for sale.
Fig 2: Selling price through subscription.
Cracked versions are also circulating, increasing accessibility and lowering the barrier for adoption by less sophisticated actors.
Additionally, the threat actor maintains a public-facing web portal, suggesting an organized distribution model and user onboarding flow.
Fig 4: Publicly available web portal “Crysome[.]net”.
Feature Set Overview
CrySome RAT provides a broad post-exploitation capability set:
Remote command execution (PowerShell)
File system manipulation
Process control
Proxy tunneling (SOCKS5 / reverse proxy)
Remote desktop (RDP & HVNC)
Audio/video surveillance
Credential harvesting
Keylogging
⚠️ Note: These features are modular and controlled via the C2 instruction framework.
Execution Flow & Initialization
Mutex-Based Execution Control
CrySome RAT ensures single-instance execution using a mutex:
CrysomeClient.InstanceMutex
If the mutex exists, execution terminates.
Fig 5: Mutex creation
Execution Path Validation
Before establishing persistence, the malware verifies whether it is executing from a designated path. If not, it copies itself to a preferred location.
This behavior ensures:
Stable execution path
Reduced detection from temporary execution directories
Fig 6: Execution Path Validation
This staged initialization ensures that persistence and environmental control mechanisms are established before exposing the host to operator-driven commands, reducing the risk of early disruption.
Persistence Mechanisms
Registry-Based Persistence
CrySome RAT establishes persistence via:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
It uses deceptive naming such as:
RuntimeBroker
Fig 7: Persistence achieved using RunOnce
Service-Based Persistence
A persistent service is installed:
Name: WindowsHealthMonitor
Characteristics:
Auto-start enabled
Recovery options configured
Fig 8: Persistence achieved using service
Survival Mechanism (Backup Execution)
The malware creates:
Randomized backup copies
Execution triggers for recovery
This redundancy mechanism ensures continued execution even if primary persistence artifacts are removed, indicating resilience against partial remediation.
Defense Evasion Strategy
CrySome RAT employs a multi-stage defense evasion model:
1. Endpoint Protection Disruption
Disables Microsoft Defender via:
PowerShell commands
Registry modification
Disables scheduled tasks to prevent recovery
Fig 9: Endpoint Protection Disruption
2. IFEO Abuse (Execution Interference)
The malware modifies:
HKLM\…\Image File Execution Options\
It assigns a Debugger value to security tools, redirecting execution to:
cmd.exe /c echo
This prevents tools from launching.
3. Service Disruption
Uses:
sc.exe
net.exe
To:
Stop AV services
Disable them on startup
Fig 10: List of Targeted AV Disruption & Update Blocking
The implementation relies on spawning system utilities (sc.exe, net.exe) rather than making direct Windows API calls, indicating a preference for living-off-the-land techniques that blend with legitimate administrative activity.
4. Update Blocking via Hosts File
Redirects AV update domains → 0.0.0.0
Prevents signature updates
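The IFEO Debugger redirection described in section 2 and the hosts-file sinkholing in section 4 both leave configuration artifacts that a responder can review offline, from a registry export and a copy of the hosts file. The Python below is an added example written for this write-up, not code from the sample or from the authors: it parses .reg-style text for Debugger values under the Image File Execution Options key and parses a hosts file for non-loopback names pointed at sinkhole addresses. The executable names, domains and file contents are constructed placeholders; the `cmd.exe /c echo` pattern is the one the report describes.

```python
"""Triage of two CrySome-style configuration artifacts: IFEO Debugger redirections
and hosts-file sinkholes. Added example for this write-up; all sample data is constructed."""
import re
from dataclasses import dataclass

# Real location of the IFEO key; the report abbreviates it as HKLM\...\Image File Execution Options\
IFEO_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# A Debugger of "cmd.exe /c echo" swallows the original command line, so the tool never starts
SINK_DEBUGGER = re.compile(r"cmd(\.exe)?\s+/c\s+echo\b", re.IGNORECASE)
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}


@dataclass
class Finding:
    kind: str      # "ifeo_debugger" or "hosts_sinkhole"
    subject: str   # redirected executable or sinkholed hostname
    detail: str


def parse_reg_export(text):
    """Yield (key, value_name, value) for string values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            # .reg exports escape backslashes inside string values
            yield key, name.strip('"'), value.strip().strip('"').replace("\\\\", "\\")


def ifeo_findings(reg_text):
    """Flag every Debugger value under IFEO; an echo stub is high severity, anything else needs review."""
    out = []
    for key, name, value in parse_reg_export(reg_text):
        if key.lower().startswith(IFEO_PREFIX.lower()) and name.lower() == "debugger":
            target = key.rsplit("\\", 1)[-1]
            severity = "high" if SINK_DEBUGGER.search(value) else "review"
            out.append(Finding("ifeo_debugger", target, f"{severity}: Debugger={value}"))
    return out


def hosts_findings(hosts_text):
    """Flag non-loopback names mapped to a sinkhole address (the update-blocking pattern)."""
    out = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            for name in names:
                if name.lower() not in LOCAL_NAMES:
                    out.append(Finding("hosts_sinkhole", name, f"{name} -> {ip}"))
    return out


def triage(reg_text, hosts_text):
    return ifeo_findings(reg_text) + hosts_findings(hosts_text)


# Constructed inputs: "example-av-tool.exe" and "updates.example-av.test" are placeholders, not real products.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av-tool.exe]
"Debugger"="cmd.exe /c echo"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"
'''

HOSTS_SAMPLE = """# constructed hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.example-av.test   # vendor update host sinkholed
192.0.2.10      intranet.example.test
"""

if __name__ == "__main__":
    for f in triage(REG_SAMPLE, HOSTS_SAMPLE):
        print(f.kind, f.subject, f.detail)
```

Run against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`) and a copy of `%SystemRoot%\System32\drivers\etc\hosts`; legitimate debugger registrations do exist, which is why only the echo stub is rated high and other Debugger values are reported for review.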
5. Process Termination
Enumerates running processes
Matches against predefined AV list
Terminates in parallel execution
Fig 11: Targeted AV Process Termination
Fig 12: List of AV Process
Process termination appears to be driven by a predefined list of AV-related process names, suggesting static targeting rather than dynamic discovery.
Self-Protection Mechanisms
File locking to prevent deletion
Hidden/system attributes applied
Watchdog process monitors main binary
Backup replication across locations
Fig 13: Self-protection (watchdog, self-locking and hide, startup)
Command and Control (C2)
CrySome RAT communicates via persistent custom TCP connections.
The communication model is based on a persistent socket connection, where the client maintains an active session with the C2 server to receive tasking in real time. This differs from traditional beaconing malware and enables lower-latency command execution.
Upon connection:
Client registers
System profiling data is sent
Command handlers are initialized
Fig 14: C2 Instruction Set Handlers
Command handling is initialized through a dispatcher mechanism (RegisterHandlers), mapping received instructions to specific functional modules.
Command Capabilities
Includes:
Remote execution (cmd)
File operations (filemgr)
Proxying (proxy)
Surveillance (audio, cam)
Remote desktop (rdp, hvnc)
Credential theft (cred)
Keylogging (keylog)
Function naming and modular structure indicate a builder-based architecture, where capabilities are selectively enabled during payload generation.
Credential Harvesting
CrySome RAT deploys a credential decryption module (abe_decrypt.dll) to the local filesystem and executes it as a standalone component after terminating browser processes to bypass file locks.
The module processes browser storage artifacts and outputs structured credential data (e.g., passwords.json, cookies.json) for exfiltration.
Fig 15: Browser based Credential Harvesting
Fig 16: Credential Harvesting using abe_decrypt.dll
Fig 17: Captured victim password (password.json)
Keylogging
Implements global keylogging using:
SetWindowsHookEx (WH_KEYBOARD_LL)
Execution model:
Continuous message loop:
PeekMessage
DispatchMessage
Fig 18: Keylogging using WH_KEYBOARD_LL Hook
Fig 19: Attacker performing Unauthorized keylogging on victim system
Remote Control Capabilities
HVNC (Hidden Virtual Desktop)
The HVNC module operates by creating an alternate desktop context, enabling attacker interaction within an isolated graphical session that is not visible to the active user environment.
Fig 20: HVNC Initialization and Handling
Fig 21: Attacker performing HVNC on victim system
RDP
Direct interaction with user desktop
Visible to victim
Fig 22: RDP Stream initialization and Thread launch
Network Communication & System Profiling
After connection, the malware collects:
Username
OS version
System uptime
Active window
GPU details
Fig 23: Network communication and Sending Client information
Fig 24: System profiling
This profiling enables the operator to tailor post-exploitation actions based on host characteristics and user activity context.
MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Observed Activity |
| --- | --- | --- | --- |
| Execution | T1059.001 | PowerShell | Executes PowerShell commands to disable Defender and run payloads |
| Execution | T1106 | Native API | Uses Windows APIs for process creation, injection, and system interaction |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Adds entry in RunOnce (RuntimeBroker) for execution at logon |
| Persistence | T1543.003 | Windows Service | Creates persistent service (WindowsHealthMonitor) with auto-restart |
| Persistence | T1053.005 | Scheduled Task | Task creation observed via [artifact: schtasks.exe / TaskCache registry / XML definition] |
| Persistence | T1542.003 | Boot/Logon Autostart (Recovery) | Observed interaction with recovery-related execution paths or offline persistence locations (details omitted for brevity) |
| Defense Evasion | T1562.001 | Impair Defenses | Disables Microsoft Defender and security protections |
| Defense Evasion | T1546.012 | IFEO Injection | Uses IFEO Debugger to block execution of security tools |
| Defense Evasion | T1562.004 | Disable or Modify System Firewall | Firewall or network filtering configuration changes observed via system utilities or registry modifications |
| Defense Evasion | T1036 | Masquerading | Uses deceptive names like RuntimeBroker to appear legitimate |
| Defense Evasion | T1222.001 | File and Directory Permissions Modification | Hides files and directories using attributes |
| Defense Evasion | T1564.001 | Hidden Files and Directories | Sets hidden/system attributes for stealth |
| Credential Access | T1555.003 | Credentials from Web Browsers | Extracts browser credentials via execution of a local decryption module (abe_decrypt.dll) |
| Credential Access | T1056.001 | Keylogging | Uses SetWindowsHookEx for keystroke logging |
| Discovery | T1082 | System Information Discovery | Collects OS, username, uptime, GPU, etc. |
| Discovery | T1057 | Process Discovery | Enumerates running processes |
| Discovery | T1010 | Application Window Discovery | Captures active window title |
| Collection | T1113 | Screen Capture | Captures screenshots |
| Collection | T1125 | Video Capture | Captures webcam data |
| Collection | T1123 | Audio Capture | Records microphone input |
| Command and Control | T1071 | Application Layer Protocol | Communicates with C2 over TCP |
| Command and Control | T1090 | Proxy | Implements SOCKS proxy and reverse tunneling |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Sends collected data (credentials, system info) to C2 |
| Lateral Movement | T1021.001 | Remote Desktop Protocol | Supports RDP sessions |
| Lateral Movement | T1563.002 | Remote Service Session Hijacking (HVNC) | Uses hidden virtual desktop (HVNC) for control |
Detection Logic & Correlation
High-Confidence Detection Chain:
IFEO Debugger registry modification
Followed by:
Execution of sc.exe or net.exe
AND PowerShell-based Defender tampering
Medium-Confidence Indicators:
Creation of abe_decrypt.dll in temporary directories
Followed by browser process termination
Low-Confidence Indicators (Contextual):
Hidden/system file attributes applied
Persistent outbound custom TCP sessions
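The high- and medium-confidence chains above are sequence rules: one anchor event followed by specific events on the same host within a short window. The Python below is an added example written for this write-up, not the authors' detection content or any vendor's rule, showing how those two chains can be correlated over a normalised, Sysmon-like event stream. The event records, hostnames, timestamps and service names are constructed; the browser list, the 10-minute window and the PowerShell keywords used to recognise Defender tampering (`Set-MpPreference`, `WinDefend`, `DisableRealtimeMonitoring`) are assumptions to be tuned to local telemetry.

```python
"""Correlate the CrySome detection chains from this write-up over a constructed event stream.
Added example; event data, window size and keyword lists are assumptions, not report content."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SERVICE_TOOLS = {"sc.exe", "net.exe", "net1.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}          # assumed
DEFENDER_TAMPER_KEYWORDS = ("set-mppreference", "windefend", "disablerealtimemonitoring")  # assumed


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_ifeo_debugger_write(e):
    key = e.get("key", "").lower()
    return e["type"] == "registry_set" and "image file execution options" in key and key.endswith("\\debugger")


def is_service_tool(e):
    return e["type"] == "process_create" and _basename(e.get("image", "")) in SERVICE_TOOLS


def is_defender_tamper(e):
    if e["type"] != "process_create" or "powershell" not in _basename(e.get("image", "")):
        return False
    cmd = e.get("cmdline", "").lower()
    return any(k in cmd for k in DEFENDER_TAMPER_KEYWORDS)


def is_decrypt_module_drop(e):
    path = e.get("path", "")
    return e["type"] == "file_create" and _basename(path) == "abe_decrypt.dll" and "\\temp\\" in path.lower()


def is_browser_kill(e):
    return e["type"] == "process_terminate" and _basename(e.get("image", "")) in BROWSERS


def correlate(events, window=timedelta(minutes=10)):
    """Return findings: 'high' for IFEO write -> sc/net AND Defender tampering,
    'medium' for abe_decrypt.dll dropped in Temp -> browser process terminated."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for i, anchor in enumerate(evs):
            later = [x for x in evs[i + 1:] if _ts(x) - _ts(anchor) <= window]
            if is_ifeo_debugger_write(anchor) and any(map(is_service_tool, later)) \
                    and any(map(is_defender_tamper, later)):
                findings.append({"confidence": "high", "host": host, "anchor_ts": anchor["ts"],
                                 "rule": "ifeo_debugger_then_sc_net_and_defender_tamper"})
            elif is_decrypt_module_drop(anchor) and any(map(is_browser_kill, later)):
                findings.append({"confidence": "medium", "host": host, "anchor_ts": anchor["ts"],
                                 "rule": "abe_decrypt_drop_then_browser_kill"})
    return findings


# Constructed events; "example-av-tool.exe" and "ExampleAvService" are placeholders.
EVENTS = [
    {"ts": "2026-04-17T10:00:01", "host": "WS01", "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av-tool.exe\Debugger",
     "value": "cmd.exe /c echo"},
    {"ts": "2026-04-17T10:00:05", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe config ExampleAvService start= disabled"},
    {"ts": "2026-04-17T10:00:09", "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2026-04-17T10:02:00", "host": "WS01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\abe_decrypt.dll"},
    {"ts": "2026-04-17T10:02:03", "host": "WS01", "type": "process_terminate",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"ts": "2026-04-17T11:00:00", "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query"},  # benign admin use, no anchor
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["confidence"], f["host"], f["anchor_ts"], f["rule"])
```

Anchoring on the IFEO write rather than on sc.exe keeps the lone `sc.exe query` on WS02 out of the results; the low-confidence indicators (hidden attributes, long-lived outbound TCP) are better added as enrichment on these findings than as anchors of their own, since on their own they fire constantly on normal hosts.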
Indicators of Compromise (IOCs)
File Hashes (SHA-256)

| SHA-256 | Filename |
| --- | --- |
| f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d | Crysome.Client.exe |
| fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3 | Crysome.Server.dll |
| c8836a733b3df2b4bfd861b81e3452a0bc169ffe707f483a06f7ad89a4cc2965 | abe_decrypt.dll |

Domain

| Indicator | Type |
| --- | --- |
| Crysome[.]net | Domain |
Conclusion
CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control. While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments.
Its commercialization and availability in cracked forms significantly increase its threat surface, particularly among lower-tier threat actors.
Contributors:
Abhishek Samdole
Pandurang Terkar
Rudra Pratap