From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
During a recent security alert, the LevelBlue MDR SOC successfully triaged and contained a structured, multi-stage infection chain designed to deliver the CrySome remote access trojan (RAT). The incident was subsequently analyzed in depth by LevelBlue's Threat Hunting Operations and Research (THOR) team, whose reverse engineering and malware analysis reconstructed the full infection chain and determined that initial access was achieved through a targeted spear-phishing lure masquerading as a logistics rate confirmation document, leveraging expected business workflows to trick the recipient into executing the initial payload.
The attacker chained this initial compromise with living-off-the-land (LOTL) execution, a silent User Account Control (UAC) bypass, and multiple defense-evasion techniques to successfully deploy the persistent RAT payload. By relying on native Windows components and interpreter abuse rather than a single obvious malware binary, the initial stages progressed through legitimate processes while minimizing user-facing indicators.
Privilege escalation was achieved through an ICMLuaUtil COM interface UAC bypass, followed by an in-memory Antimalware Scan Interface (AMSI) patch that bypassed AMSI scanning for subsequent PowerShell execution. The actor then targeted host defenses by executing WinDefCtl, an open-source Defender disruption utility, masquerading as svchost.exe from %TEMP%. According to the project's documented functionality, the tool leverages Image File Execution Options (IFEO) manipulation and a kernel driver (kvckiller.sys) to interfere with Microsoft Defender components before the primary payload is launched.
Once host defenses were weakened, CrySome RAT established persistent remote access to the compromised system. The malware provided the operator with capabilities including hidden virtual network computing (hVNC), remote command execution (RCE), system reconnaissance, and credential theft. A dedicated credential-theft module targeted Chromium-based browsers by terminating active browser processes, injecting abe_decrypt.dll, and extracting stored passwords and session cookies for exfiltration.
Initial Access & Infection Overview
The intrusion began with a phishing email impersonating a legitimate freight rate confirmation. The email, sent from loadofferstender@gmail.com with the subject "DETROIT, MI to DALLAS, TX", directed the recipient to hxxps://signindat[.]com, a website hosting a fake rate confirmation portal.
![Figure 1. Fake rate confirmation webpage hosted on signindat[.]com.](https://www.levelblue.com/hs-fs/hubfs/Blogs/SpiderLab_Blog_Images/Figure%201.%20Fake%20rate%20confirmation%20webpage%20hosted%20on%20signindat%5B.%5Dcom..jpg?width=640&height=486&name=Figure%201.%20Fake%20rate%20confirmation%20webpage%20hosted%20on%20signindat%5B.%5Dcom..jpg)
Figure 1. Fake rate confirmation webpage hosted on signindat[.]com.
Clicking Download Rate Confirmation does not deliver a PDF as expected. Instead, the site downloads a batch file named:
§ Rate_Confirmation_LD-2026-0847.bat
Static analysis of the batch file shows that it immediately launches a hidden PowerShell process with -ExecutionPolicy Bypass, patches AMSI in memory, downloads the next-stage payload (ElevatorShellCode.exe), writes it to %TEMP%\es.exe, and executes it in a hidden window.

Figure 2. Initial batch file responsible for downloading and launching the first-stage payload.
The batch file performs only a small amount of logic itself; its primary purpose is to establish the initial execution chain by disabling PowerShell scanning and retrieving the first executable loader from the attacker-controlled infrastructure.
File Analysis
Stage 1 – ElevatorShellCode.exe
ElevatorShellCode.exe serves as the first executable stage of the infection chain. Rather than containing the primary malware functionality, its purpose is to prepare the host for the next stage by attempting privilege elevation, constructing a hidden PowerShell payload, bypassing AMSI, and retrieving the next-stage PowerShell script entirely in memory.

Figure 3. ElevatorShellCode checks whether it is running with administrative privileges and, if necessary, attempts privilege elevation using the ICMLuaUtil UAC bypass technique before continuing execution.
After the elevation check completes, the loader dynamically constructs an inline PowerShell command instead of embedding a static script. Ghidra strings show the payload being assembled at runtime, including references to the AMSI patching logic and the subsequent download of the next-stage PowerShell script.

Figure 4. Ghidra showing the construction of the inline PowerShell payload responsible for patching AMSI and retrieving the next stage.
The resulting command launches PowerShell with ExecutionPolicy Bypass and a hidden window before disabling AMSI by resolving and patching AmsiScanBuffer in memory. Once AMSI protections have been bypassed, the loader downloads stage.ps1 from the attacker-controlled infrastructure and immediately executes it in memory using IEX, leaving no standalone PowerShell script on disk.

Figure 5. Reconstructed PowerShell payload showing the AMSI bypass, retrieval of stage.ps1, and in-memory execution.
Stage 2 – stage.ps1
The PowerShell script downloaded by ElevatorShellCode.exe acts as the second-stage loader responsible for preparing the compromised host for the final payload. Rather than containing the RAT itself, the script gathers basic system information, weakens endpoint protections, deploys additional executables, and presents the victim with a legitimate-looking decoy document while the malware continues executing in the background.
Logging and Environment Checks
The script begins by creating a log file named xeno_diag.log in the user's %TEMP% directory and records basic execution details including the PowerShell version, username, computer name, temporary directory, and whether the process is running with administrative privileges. These log entries provide visibility into the success of each stage and aid troubleshooting if execution fails. While the script references “Xeno”, likely tied to XenoRAT, we believe this script is likely reused with a newer CrySome RAT payload.

Figure 6. Logging functionality within stage.ps1.
During dynamic execution, the script generates xeno_diag.log, confirming each stage of execution and recording download status, process launches, and any errors encountered.

Figure 7. Generated xeno_diag.log captured during sandbox execution.
Microsoft Defender Exclusions
Before deploying additional payloads, the script adds Microsoft Defender exclusions for both its working directory and the executables that will be written to disk.
Specifically, exclusions are created for:
- %TEMP%
- %TEMP%\svchost.exe
- %TEMP%\patch_diag.exe
By excluding both file paths and process paths, subsequent payloads are less likely to be scanned or quarantined before execution.

Figure 8. PowerShell adding Microsoft Defender path and process exclusions.
Dedicated to hunting and eradicating the world's most challenging threats.
Deployment of WinDefCtl
The next stage downloads update.exe from the attacker-controlled infrastructure using a browser-like User-Agent before saving it as:
§ %TEMP%\svchost.exe
Although the filename resembles a legitimate Windows process, the execution location is anomalous. Rather than a user’s temporary directory, legitimate instances of svchost.exe execute from:
§ C:\Windows\System32\svchost.exe

Figure 9. Downloading and deployment of update.exe.
The script immediately executes the renamed binary with the kill argument.

Figure 10. Execution of WinDefCtl using the kill argument.
As discussed in the following section, this executable corresponds to the open-source WinDefCtl utility and is used to weaken Microsoft Defender before the primary RAT is deployed.
Deployment of CrySome RAT
Once the environment has been prepared, the script downloads the primary payload:
§ hxxps://signindat[.]com/patch.exe
The executable is written to:
§ %TEMP%\patch_diag.exe
Afterward, it is launched in a hidden window.

Figure 11. Downloading and execution of the CrySome RAT payload.
Static analysis and dynamic execution confirm that patch_diag.exe is the CrySome RAT client responsible for persistence, command execution, credential theft, and the remaining post-compromise activity analyzed later in this report.
User Decoy
To reduce user suspicion, the final stage downloads a legitimate-looking freight rate confirmation PDF and saves it to the user's Downloads directory before automatically opening it.

Figure 12. Downloading and displaying of the freight rate confirmation decoy.

Figure 13. Decoy PDF presented to the victim.
While the user views what appears to be the expected document, the previously launched payloads continue executing in the background, completing the transition from initial access to persistent remote access.
Stage 3 – update.exe (WinDefCtl)
As shown in the previous stage, update.exe is downloaded from signindat[.]com, written to the user's %TEMP% directory as svchost.exe, and executed with the kill argument. Renaming the executable to svchost.exe allows it to masquerade as a legitimate Windows process; however, its execution from %TEMP% is anomalous, as the legitimate Windows Service Host executable resides in C:\Windows\System32\svchost.exe.
Based on the file hash and observed behavior, the executable corresponds to WinDefCtl, an open-source utility published by Marek Wesolowski that is designed to disable or interfere with Microsoft Defender. Rather than developing custom defense-evasion functionality, the threat actor repurposes this publicly available tool to weaken endpoint protections before deploying the primary CrySome RAT payload.
According to the project's documentation, the kill mode performs a two-stage operation. First, it bypasses Microsoft Defender Tamper Protection by modifying the IFEO through an offline registry hive workflow. It then loads the signed kvckiller.sys kernel driver to terminate Microsoft Defender processes and stop associated services, preventing them from automatically restarting. By leveraging an existing open-source utility, the threat actor reduces development effort while effectively disabling host protections prior to executing the final payload.

Figure 14. WinDefCtl kill workflow (Source: Marek Wesolowski, WinDefCtl GitHub repository).
Stage 4 – CrySome RAT (patch.exe)
The final executable downloaded by stage.ps1 is patch.exe, the primary CrySome RAT client payload. The script writes the binary to %TEMP%\patch_diag.exe and launches it as a hidden process after the preceding stages have attempted privilege escalation, bypassed AMSI, and weakened Microsoft Defender.
Unlike the earlier components, which primarily prepare the environment for execution, CrySome RAT provides the attacker's long-term access to the compromised host. The client is modular, with dedicated components supporting persistence, defense evasion, RCE, credential theft, file management, proxying, system reconnaissance, remote desktop, HVNC, keylogging, and additional post-compromise functionality.
CrySome RAT has been documented extensively in previous public reporting and reverse engineering analyses. Rather than reproducing those analyses in their entirety, the following sections highlight several representative modules that illustrate the malware's role within the observed infection chain.
Persistence
CrySome RAT establishes persistence by creating a scheduled task named CrysomeLoader, which executes the current client executable every five minutes using schtasks.exe. This ensures the malware is automatically relaunched following user logon or system restart, allowing the attacker to maintain long-term access.

Figure 15. CrySome RAT persistence implementation creating the CrysomeLoader scheduled task, configured to execute the client every five minutes using schtasks.exe.
Defense Evasion
The AVKiller component contains functionality to disable multiple Microsoft Defender protections through Set-MpPreference, modify Defender-related registry policies, and disable scheduled Defender maintenance tasks. The client also contains a large list of supported antivirus and EDR process names, indicating it was designed to interfere with numerous commercial security products in addition to Microsoft Defender.

Figure 16. AVKiller module disabling Microsoft Defender protections through PowerShell, registry modifications, and scheduled task changes.

Figure 17. Embedded list of antivirus and EDR process names targeted by the AVKiller module, demonstrating support for disabling or interfering with numerous commercial security products.
Remote Command Execution
CrySome RAT implements a PowerShell execution handler that launches powershell.exe using -NoProfile, -ExecutionPolicy Bypass, and Base64-encoded commands while suppressing the console window. This enables an operator to execute arbitrary PowerShell commands on the compromised host and return the resulting output to the command-and-control (C2) server.

Figure 18. Command handler implementing remote PowerShell execution using hidden, Base64-encoded commands with -ExecutionPolicy Bypass and returning output to the C2 server.
Credential Theft
Credential collection is implemented through a dedicated browser credential handler targeting Chromium-based browsers including Chrome, Microsoft Edge, and Brave. Upon receiving a credential request from the C2 server, the client terminates running browser processes, writes an embedded abe_decrypt.dll to disk, injects the DLL into the target browser process, and retrieves the resulting passwords.json and cookies.json files before transmitting the collected data back to the operator.

Figure 19. Credential theft handler writing an embedded abe_decrypt.dll to disk and preparing it for injection into Chromium-based browser processes.

Figure 20. Browser credential collection routine retrieving decrypted passwords.json and cookies.json files before returning the results to the operator.
Embedded Configuration
Rather than retrieving configuration from an external source, CrySome RAT stores its operational settings in an embedded ##CRYCFG## configuration blob. During initialization the client parses this configuration to obtain the C2 endpoint (193.26.115[.]42:5555), campaign group identifier (grp_8ycFGmG), persistence settings, parent process spoofing (svchost), and the list of enabled capabilities, including command execution, file management, screen capture, credential theft, keylogging, audio and camera access, proxying, HVNC, and AV tampering.

Figure 21. Embedded ##CRYCFG## configuration containing the CrySome RAT C2 server (193.26.115[.]42:5555), campaign group id.
Summary
While CrySome RAT contains numerous additional capabilities documented in public research, the modules examined here demonstrate the malware's primary role within this intrusion. After the earlier stages establish execution and weaken host defenses, CrySome RAT provides the attacker with persistent remote access, facilitates post-exploitation activities, harvests user credentials, and enables continued C2 access over the compromised system.
Recommendations
- Monitor for PowerShell execution with -ExecutionPolicy Bypass, hidden windows, or in-memory execution (IEX), particularly when followed by network downloads and child process creation.
- Alert on Microsoft Defender configuration changes, including Add-MpPreference, Set-MpPreference, Defender exclusions, and Image File Execution Options (IFEO) registry modifications.
- Investigate executables launched from user-writable directories, especially binaries masquerading as legitimate Windows processes (e.g., svchost.exe executing from %TEMP%) and the creation of scheduled tasks that execute payloads from temporary directories.
- Block or investigate outbound connections to known malicious infrastructure and monitor for staged payload downloads from a single external host.
- Monitor for browser process termination followed by the creation of abe_decrypt.dll, passwords.json, or cookies.json, which may indicate browser credential theft activity.
Conclusion
This intrusion shows how modern malware campaigns increasingly rely on publicly available tooling rather than bespoke malware at every stage. By combining an AMSI bypass, an open-source Defender tampering utility, and the modular CrySome RAT client, the operators minimize custom development while still achieving privilege escalation, defense evasion, persistence, credential theft, and remote access. From a defensive perspective, detecting the individual behaviors throughout the chain, rather than relying solely on malware signatures, provides multiple opportunities to disrupt the intrusion before the final RAT becomes established.
Detection Opportunities and Recommendations
Indicators of Compromise (IOCs)
|
Category |
Indicator |
|
Network |
signindat[.]com |
|
hxxps://signindat[.]com/ElevatorShellCode.exe |
|
|
hxxps://signindat[.]com/update.exe |
|
|
hxxps://signindat[.]com/patch.exe |
|
|
hxxps://signindat[.]com/stage.ps1 |
|
|
hxxps://signindat[.]com/Rate_Confirmation_LD-2026-0847.pdf |
|
|
193.26.115[.]42 |
|
|
193.26.115[.]42:5555 |
|
|
|
loadofferstender@gmail.com |
|
Files (SHA-256) |
Rate_Confirmation_LD-2026-0847.bat – ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4 |
|
ElevatorShellCode.exe – 53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff |
|
|
stage.ps1 – ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd |
|
|
update.exe – b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3 |
|
|
patch.exe – c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a |
|
|
kvckiller.sys – ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8 |
|
|
Persistence |
Scheduled Task: CrysomeLoader |
|
schtasks.exe /create /tn "CrysomeLoader" /tr "C:\Users\<user>\AppData\Local\Temp\patch_diag.exe" /sc minute /mo 5 /f |
|
|
Registry |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ |
|
IFEO Debugger entries for PSUAMain.exe, avp.exe, avpui.exe, and ekrn.exe |
|
|
Notable Artifacts |
svchost.exe executing from %TEMP% |
|
patch_diag.exe |
|
|
abe_decrypt.dll |
|
|
passwords.json |
|
|
cookies.json |
|
|
xeno_diag.log |
MITRE ATT&CK Mapping
|
ATT&CK ID |
Technique |
Observed Activity |
|
T1566.002 |
Phishing: Spearphishing Link |
Logistics-themed phishing email directing the victim to signindat[.]com. |
|
T1204.002 |
User Execution: Malicious File |
User downloads and executes Rate_Confirmation_LD-2026-0847.bat. |
|
T1059.001 |
Command and Scripting Interpreter: PowerShell |
Hidden PowerShell used for staging, payload download, and execution. |
|
T1548.002 |
Abuse Elevation Control Mechanism: Bypass User Account Control |
ICMLuaUtil COM interface used to bypass UAC. |
|
T1562.001 |
Impair Defenses |
AMSI patching, Defender exclusions (Add-MpPreference), WinDefCtl execution, AVKiller functionality. |
|
T1036.005 |
Masquerading: Match Legitimate Name or Location |
update.exe renamed to svchost.exe and executed from %TEMP%. |
|
T1105 |
Ingress Tool Transfer |
Downloads ElevatorShellCode.exe, stage.ps1, update.exe, patch.exe, and the decoy PDF. |
|
T1053.005 |
Scheduled Task/Job: Scheduled Task |
Creates the CrysomeLoader scheduled task for persistence. |
|
T1546.012 |
Event Triggered Execution: Image File Execution Options Injection |
WinDefCtl modifies IFEO Debugger registry entries to interfere with security software. |
|
T1055 |
Process Injection |
Injects abe_decrypt.dll into Chromium browser processes for credential collection. |
|
T1555.003 |
Credentials from Password Stores: Credentials from Web Browsers |
Extracts saved browser passwords and cookies from Chromium-based browsers. |
|
T1059.001 |
Command and Scripting Interpreter: PowerShell |
CrySomeRAT executes operator-supplied Base64-encoded PowerShell commands. |
|
T1071.001 |
Application Layer Protocol: Web Protocols |
HTTP(S) used to retrieve staged payloads. |
|
T1219 |
Remote Access Software |
CrySomeRAT establishes persistent remote access with features including HVNC, file management, and remote command execution. |
ABOUT LEVELBLUE
LevelBlue secures what's next with intelligence-led security delivering visibility and speed to stop threats faster. As the world’s largest and most analyst-recognized pure-play managed security services provider, our AI-powered managed services and cyber expertise across managed, advisory, and incident response services help clients operate with confidence. Learn more about us.
https://www.levelblue.com/resources/blogs/internal-blog/how-to-create-a-blog-post/