LevelBlue + SentinelOne Partner to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

During a recent security alert, the LevelBlue MDR SOC successfully triaged and contained a structured, multi-stage infection chain designed to deliver the CrySome remote access trojan (RAT). The incident was subsequently analyzed in depth by LevelBlue's Threat Hunting Operations and Research (THOR) team, whose reverse engineering and malware analysis reconstructed the full infection chain and determined that initial access was achieved through a targeted spear-phishing lure masquerading as a logistics rate confirmation document, leveraging expected business workflows to trick the recipient into executing the initial payload.

The attacker chained this initial compromise with living-off-the-land (LOTL) execution, a silent User Account Control (UAC) bypass, and multiple defense-evasion techniques to successfully deploy the persistent RAT payload. By relying on native Windows components and interpreter abuse rather than a single obvious malware binary, the initial stages progressed through legitimate processes while minimizing user-facing indicators.

Privilege escalation was achieved through an ICMLuaUtil COM interface UAC bypass, followed by an in-memory Antimalware Scan Interface (AMSI) patch that bypassed AMSI scanning for subsequent PowerShell execution. The actor then targeted host defenses by executing WinDefCtl, an open-source Defender disruption utility, masquerading as svchost.exe from %TEMP%. According to the project's documented functionality, the tool leverages Image File Execution Options (IFEO) manipulation and a kernel driver (kvckiller.sys) to interfere with Microsoft Defender components before the primary payload is launched.

Once host defenses were weakened, CrySome RAT established persistent remote access to the compromised system. The malware provided the operator with capabilities including hidden virtual network computing (hVNC), remote command execution (RCE), system reconnaissance, and credential theft. A dedicated credential-theft module targeted Chromium-based browsers by terminating active browser processes, injecting abe_decrypt.dll, and extracting stored passwords and session cookies for exfiltration.

 

Initial Access & Infection Overview

The intrusion began with a phishing email impersonating a legitimate freight rate confirmation. The email, sent from loadofferstender@gmail.com with the subject "DETROIT, MI to DALLAS, TX", directed the recipient to hxxps://signindat[.]com, a website hosting a fake rate confirmation portal.

Figure 1. Fake rate confirmation webpage hosted on signindat[.]com.
Figure 1. Fake rate confirmation webpage hosted on signindat[.]com.

Clicking Download Rate Confirmation does not deliver a PDF as expected. Instead, the site downloads a batch file named:

§ Rate_Confirmation_LD-2026-0847.bat

Static analysis of the batch file shows that it immediately launches a hidden PowerShell process with -ExecutionPolicy Bypass, patches AMSI in memory, downloads the next-stage payload (ElevatorShellCode.exe), writes it to %TEMP%\es.exe, and executes it in a hidden window.

Figure 2. Initial batch file responsible for downloading and launching the first-stage payload.
Figure 2. Initial batch file responsible for downloading and launching the first-stage payload.

The batch file performs only a small amount of logic itself; its primary purpose is to establish the initial execution chain by disabling PowerShell scanning and retrieving the first executable loader from the attacker-controlled infrastructure.

 

File Analysis

Stage 1 – ElevatorShellCode.exe

ElevatorShellCode.exe serves as the first executable stage of the infection chain. Rather than containing the primary malware functionality, its purpose is to prepare the host for the next stage by attempting privilege elevation, constructing a hidden PowerShell payload, bypassing AMSI, and retrieving the next-stage PowerShell script entirely in memory.

Figure 3. ElevatorShellCode checks whether it is running with administrative privileges and, if necessary, attempts privilege elevation using the ICMLuaUtil UAC bypass technique before continuing execution.
Figure 3. ElevatorShellCode checks whether it is running with administrative privileges and, if necessary, attempts privilege elevation using the ICMLuaUtil UAC bypass technique before continuing execution.

After the elevation check completes, the loader dynamically constructs an inline PowerShell command instead of embedding a static script. Ghidra strings show the payload being assembled at runtime, including references to the AMSI patching logic and the subsequent download of the next-stage PowerShell script.

Figure 4. Ghidra showing the construction of the inline PowerShell payload responsible for patching AMSI and retrieving the next stage.
Figure 4. Ghidra showing the construction of the inline PowerShell payload responsible for patching AMSI and retrieving the next stage.

The resulting command launches PowerShell with ExecutionPolicy Bypass and a hidden window before disabling AMSI by resolving and patching AmsiScanBuffer in memory. Once AMSI protections have been bypassed, the loader downloads stage.ps1 from the attacker-controlled infrastructure and immediately executes it in memory using IEX, leaving no standalone PowerShell script on disk.

Figure 5. Reconstructed PowerShell payload showing the AMSI bypass, retrieval of stage.ps1, and in-memory execution.
Figure 5. Reconstructed PowerShell payload showing the AMSI bypass, retrieval of stage.ps1, and in-memory execution.

 

Stage 2 – stage.ps1

The PowerShell script downloaded by ElevatorShellCode.exe acts as the second-stage loader responsible for preparing the compromised host for the final payload. Rather than containing the RAT itself, the script gathers basic system information, weakens endpoint protections, deploys additional executables, and presents the victim with a legitimate-looking decoy document while the malware continues executing in the background.

Logging and Environment Checks

The script begins by creating a log file named xeno_diag.log in the user's %TEMP% directory and records basic execution details including the PowerShell version, username, computer name, temporary directory, and whether the process is running with administrative privileges. These log entries provide visibility into the success of each stage and aid troubleshooting if execution fails. While the script references “Xeno”, likely tied to XenoRAT, we believe this script is likely reused with a newer CrySome RAT payload.

Figure 6. Logging functionality within stage.ps1.
Figure 6. Logging functionality within stage.ps1.

During dynamic execution, the script generates xeno_diag.log, confirming each stage of execution and recording download status, process launches, and any errors encountered.

Figure 7. Generated xeno_diag.log captured during sandbox execution
Figure 7. Generated xeno_diag.log captured during sandbox execution.


Microsoft Defender Exclusions

Before deploying additional payloads, the script adds Microsoft Defender exclusions for both its working directory and the executables that will be written to disk.

Specifically, exclusions are created for:

  • %TEMP%
  • %TEMP%\svchost.exe
  • %TEMP%\patch_diag.exe

By excluding both file paths and process paths, subsequent payloads are less likely to be scanned or quarantined before execution.

Figure 8. PowerShell adding Microsoft Defender path and process exclusions
Figure 8. PowerShell adding Microsoft Defender path and process exclusions.

Dedicated to hunting and eradicating the world's most challenging threats.

SpiderLabs

Deployment of WinDefCtl

The next stage downloads update.exe from the attacker-controlled infrastructure using a browser-like User-Agent before saving it as:

§ %TEMP%\svchost.exe

Although the filename resembles a legitimate Windows process, the execution location is anomalous. Rather than a user’s temporary directory, legitimate instances of svchost.exe execute from:

§ C:\Windows\System32\svchost.exe

Figure 9. Downloading and deployment of update.exe
Figure 9. Downloading and deployment of update.exe.

The script immediately executes the renamed binary with the kill argument.

Figure 10. Execution of WinDefCtl using the kill argument
Figure 10. Execution of WinDefCtl using the kill argument.

As discussed in the following section, this executable corresponds to the open-source WinDefCtl utility and is used to weaken Microsoft Defender before the primary RAT is deployed.

Deployment of CrySome RAT

Once the environment has been prepared, the script downloads the primary payload:

§ hxxps://signindat[.]com/patch.exe

The executable is written to:

§ %TEMP%\patch_diag.exe

Afterward, it is launched in a hidden window.

Figure 11. Downloading and execution of the CrySome RAT payload
Figure 11. Downloading and execution of the CrySome RAT payload.

Static analysis and dynamic execution confirm that patch_diag.exe is the CrySome RAT client responsible for persistence, command execution, credential theft, and the remaining post-compromise activity analyzed later in this report.

User Decoy

To reduce user suspicion, the final stage downloads a legitimate-looking freight rate confirmation PDF and saves it to the user's Downloads directory before automatically opening it.

Figure 12. Downloading and displaying of the freight rate confirmation decoy.
Figure 12. Downloading and displaying of the freight rate confirmation decoy.

Figure 13. Decoy PDF presented to the victim
Figure 13. Decoy PDF presented to the victim.

While the user views what appears to be the expected document, the previously launched payloads continue executing in the background, completing the transition from initial access to persistent remote access.

 

Stage 3 – update.exe (WinDefCtl)

As shown in the previous stage, update.exe is downloaded from signindat[.]com, written to the user's %TEMP% directory as svchost.exe, and executed with the kill argument. Renaming the executable to svchost.exe allows it to masquerade as a legitimate Windows process; however, its execution from %TEMP% is anomalous, as the legitimate Windows Service Host executable resides in C:\Windows\System32\svchost.exe.

Based on the file hash and observed behavior, the executable corresponds to WinDefCtl, an open-source utility published by Marek Wesolowski that is designed to disable or interfere with Microsoft Defender. Rather than developing custom defense-evasion functionality, the threat actor repurposes this publicly available tool to weaken endpoint protections before deploying the primary CrySome RAT payload.

According to the project's documentation, the kill mode performs a two-stage operation. First, it bypasses Microsoft Defender Tamper Protection by modifying the IFEO through an offline registry hive workflow. It then loads the signed kvckiller.sys kernel driver to terminate Microsoft Defender processes and stop associated services, preventing them from automatically restarting. By leveraging an existing open-source utility, the threat actor reduces development effort while effectively disabling host protections prior to executing the final payload.

Figure 14. WinDefCtl kill workflow
Figure 14. WinDefCtl kill workflow (Source: Marek Wesolowski, WinDefCtl GitHub repository).

 

Stage 4 – CrySome RAT (patch.exe)

The final executable downloaded by stage.ps1 is patch.exe, the primary CrySome RAT client payload. The script writes the binary to %TEMP%\patch_diag.exe and launches it as a hidden process after the preceding stages have attempted privilege escalation, bypassed AMSI, and weakened Microsoft Defender.

Unlike the earlier components, which primarily prepare the environment for execution, CrySome RAT provides the attacker's long-term access to the compromised host. The client is modular, with dedicated components supporting persistence, defense evasion, RCE, credential theft, file management, proxying, system reconnaissance, remote desktop, HVNC, keylogging, and additional post-compromise functionality.

CrySome RAT has been documented extensively in previous public reporting and reverse engineering analyses. Rather than reproducing those analyses in their entirety, the following sections highlight several representative modules that illustrate the malware's role within the observed infection chain.

Persistence

CrySome RAT establishes persistence by creating a scheduled task named CrysomeLoader, which executes the current client executable every five minutes using schtasks.exe. This ensures the malware is automatically relaunched following user logon or system restart, allowing the attacker to maintain long-term access.

Figure 15. CrySome RAT persistence implementation creating the CrysomeLoader scheduled task, configured to execute the client every five minutes using schtasks.exe.
Figure 15. CrySome RAT persistence implementation creating the CrysomeLoader scheduled task, configured to execute the client every five minutes using schtasks.exe.


Defense Evasion

The AVKiller component contains functionality to disable multiple Microsoft Defender protections through Set-MpPreference, modify Defender-related registry policies, and disable scheduled Defender maintenance tasks. The client also contains a large list of supported antivirus and EDR process names, indicating it was designed to interfere with numerous commercial security products in addition to Microsoft Defender.

Figure 16. AVKiller module disabling Microsoft Defender protections through PowerShell, registry modifications, and scheduled task changes.
Figure 16. AVKiller module disabling Microsoft Defender protections through PowerShell, registry modifications, and scheduled task changes.

Figure 17. Embedded list of antivirus and EDR process names targeted by the AVKiller module, demonstrating support for disabling or interfering with numerous commercial security products.
Figure 17. Embedded list of antivirus and EDR process names targeted by the AVKiller module, demonstrating support for disabling or interfering with numerous commercial security products.


Remote Command Execution

CrySome RAT implements a PowerShell execution handler that launches powershell.exe using -NoProfile, -ExecutionPolicy Bypass, and Base64-encoded commands while suppressing the console window. This enables an operator to execute arbitrary PowerShell commands on the compromised host and return the resulting output to the command-and-control (C2) server.

Figure 18. Command handler implementing remote PowerShell execution using hidden, Base64-encoded commands with -ExecutionPolicy Bypass and returning output to the C2 server.
Figure 18. Command handler implementing remote PowerShell execution using hidden, Base64-encoded commands with -ExecutionPolicy Bypass and returning output to the C2 server.


Credential Theft

Credential collection is implemented through a dedicated browser credential handler targeting Chromium-based browsers including Chrome, Microsoft Edge, and Brave. Upon receiving a credential request from the C2 server, the client terminates running browser processes, writes an embedded abe_decrypt.dll to disk, injects the DLL into the target browser process, and retrieves the resulting passwords.json and cookies.json files before transmitting the collected data back to the operator.

Figure 19. Credential theft handler writing an embedded abe_decrypt.dll to disk and preparing it for injection into Chromium-based browser processes.
Figure 19. Credential theft handler writing an embedded abe_decrypt.dll to disk and preparing it for injection into Chromium-based browser processes.

Figure 20. Browser credential collection routine retrieving decrypted passwords.json and cookies.json files before returning the results to the operator.

Figure 20. Browser credential collection routine retrieving decrypted passwords.json and cookies.json files before returning the results to the operator.


Embedded Configuration

Rather than retrieving configuration from an external source, CrySome RAT stores its operational settings in an embedded ##CRYCFG## configuration blob. During initialization the client parses this configuration to obtain the C2 endpoint (193.26.115[.]42:5555), campaign group identifier (grp_8ycFGmG), persistence settings, parent process spoofing (svchost), and the list of enabled capabilities, including command execution, file management, screen capture, credential theft, keylogging, audio and camera access, proxying, HVNC, and AV tampering.

Figure 21. Embedded CRYCFG configuration containing the CrySome RAT C2 server

Figure 21. Embedded ##CRYCFG## configuration containing the CrySome RAT C2 server (193.26.115[.]42:5555), campaign group id.

 

Summary

While CrySome RAT contains numerous additional capabilities documented in public research, the modules examined here demonstrate the malware's primary role within this intrusion. After the earlier stages establish execution and weaken host defenses, CrySome RAT provides the attacker with persistent remote access, facilitates post-exploitation activities, harvests user credentials, and enables continued C2 access over the compromised system.

 

Recommendations

  • Monitor for PowerShell execution with -ExecutionPolicy Bypass, hidden windows, or in-memory execution (IEX), particularly when followed by network downloads and child process creation.
  • Alert on Microsoft Defender configuration changes, including Add-MpPreference, Set-MpPreference, Defender exclusions, and Image File Execution Options (IFEO) registry modifications.
  • Investigate executables launched from user-writable directories, especially binaries masquerading as legitimate Windows processes (e.g., svchost.exe executing from %TEMP%) and the creation of scheduled tasks that execute payloads from temporary directories.
  • Block or investigate outbound connections to known malicious infrastructure and monitor for staged payload downloads from a single external host.
  • Monitor for browser process termination followed by the creation of abe_decrypt.dll, passwords.json, or cookies.json, which may indicate browser credential theft activity.

 

Conclusion

This intrusion shows how modern malware campaigns increasingly rely on publicly available tooling rather than bespoke malware at every stage. By combining an AMSI bypass, an open-source Defender tampering utility, and the modular CrySome RAT client, the operators minimize custom development while still achieving privilege escalation, defense evasion, persistence, credential theft, and remote access. From a defensive perspective, detecting the individual behaviors throughout the chain, rather than relying solely on malware signatures, provides multiple opportunities to disrupt the intrusion before the final RAT becomes established.

 

Detection Opportunities and Recommendations

Indicators of Compromise (IOCs)

Category

Indicator

Network

signindat[.]com

hxxps://signindat[.]com/ElevatorShellCode.exe

hxxps://signindat[.]com/update.exe

hxxps://signindat[.]com/patch.exe

hxxps://signindat[.]com/stage.ps1

hxxps://signindat[.]com/Rate_Confirmation_LD-2026-0847.pdf

193.26.115[.]42

193.26.115[.]42:5555

Email

loadofferstender@gmail.com

Files (SHA-256)

Rate_Confirmation_LD-2026-0847.bat – ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4

ElevatorShellCode.exe – 53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff

stage.ps1 – ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd

update.exe – b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3

patch.exe – c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a

kvckiller.sys – ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8

Persistence

Scheduled Task: CrysomeLoader

schtasks.exe /create /tn "CrysomeLoader" /tr "C:\Users\<user>\AppData\Local\Temp\patch_diag.exe" /sc minute /mo 5 /f

Registry

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

IFEO Debugger entries for PSUAMain.exe, avp.exe, avpui.exe, and ekrn.exe

Notable Artifacts

svchost.exe executing from %TEMP%

patch_diag.exe

abe_decrypt.dll

passwords.json

cookies.json

xeno_diag.log

 

MITRE ATT&CK Mapping

ATT&CK ID

Technique

Observed Activity

T1566.002

Phishing: Spearphishing Link

Logistics-themed phishing email directing the victim to signindat[.]com.

T1204.002

User Execution: Malicious File

User downloads and executes Rate_Confirmation_LD-2026-0847.bat.

T1059.001

Command and Scripting Interpreter: PowerShell

Hidden PowerShell used for staging, payload download, and execution.

T1548.002

Abuse Elevation Control Mechanism: Bypass User Account Control

ICMLuaUtil COM interface used to bypass UAC.

T1562.001

Impair Defenses

AMSI patching, Defender exclusions (Add-MpPreference), WinDefCtl execution, AVKiller functionality.

T1036.005

Masquerading: Match Legitimate Name or Location

update.exe renamed to svchost.exe and executed from %TEMP%.

T1105

Ingress Tool Transfer

Downloads ElevatorShellCode.exe, stage.ps1, update.exe, patch.exe, and the decoy PDF.

T1053.005

Scheduled Task/Job: Scheduled Task

Creates the CrysomeLoader scheduled task for persistence.

T1546.012

Event Triggered Execution: Image File Execution Options Injection

WinDefCtl modifies IFEO Debugger registry entries to interfere with security software.

T1055

Process Injection

Injects abe_decrypt.dll into Chromium browser processes for credential collection.

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

Extracts saved browser passwords and cookies from Chromium-based browsers.

T1059.001

Command and Scripting Interpreter: PowerShell

CrySomeRAT executes operator-supplied Base64-encoded PowerShell commands.

T1071.001

Application Layer Protocol: Web Protocols

HTTP(S) used to retrieve staged payloads.

T1219

Remote Access Software

CrySomeRAT establishes persistent remote access with features including HVNC, file management, and remote command execution.

ABOUT LEVELBLUE

LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.

https://www.levelblue.com/resources/blogs/internal-blog/how-to-create-a-blog-post/

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo