Threat Advisory

CrySome RAT Grants Persistent Remote Access and Control

Threat: Malware
Threat Actor Name: Watchdog
Targeted Region: Global
Alias: Thief Libra
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CrySome is a feature-rich remote access trojan (RAT) developed in C# for ecosystem, designed to establish and maintain persistent command-and-control channels over TCP while enabling full-spectrum remote operations on compromised systems. Its deeply integrated persistence, AV killer, and anti-removal architecture set it apart from standard RAT functionality such as command execution, file manipulation, surveillance, and credential theft. A defining characteristic of CrySome is its ability to survive system resets by leveraging recovery partition abuse and offline registry modification, allowing execution to be re-established even after a factory reset.

This is coupled with multi-layered persistence mechanisms including scheduled tasks, Windows services with recovery policies, watchdog processes, redundant binary placement, and registry-based execution triggers. It also incorporates aggressive defense evasion through its AVKiller module, which systematically disables security products, blocks updates, and prevents reinstallation attempts. The malware's use of recovery partition abuse, offline registry modification, and multi-layered persistence mechanisms makes remediation significantly more complex, allowing it to survive even system resets.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CrySome is a feature-rich remote access trojan (RAT) developed in C# for ecosystem, designed to establish and maintain persistent command-and-control channels over TCP while enabling full-spectrum remote operations on compromised systems. Its deeply integrated persistence, AV killer, and anti-removal architecture set it apart from standard RAT functionality such as command execution, file manipulation, surveillance, and credential theft. A defining characteristic of CrySome is its ability to survive system resets by leveraging recovery partition abuse and offline registry modification, allowing execution to be re-established even after a factory reset.

This is coupled with multi-layered persistence mechanisms including scheduled tasks, Windows services with recovery policies, watchdog processes, redundant binary placement, and registry-based execution triggers. It also incorporates aggressive defense evasion through its AVKiller module, which systematically disables security products, blocks updates, and prevents reinstallation attempts. The malware's use of recovery partition abuse, offline registry modification, and multi-layered persistence mechanisms makes remediation significantly more complex, allowing it to survive even system resets.[emaillocker id="1283"]

Its integrated AVKiller and defense evasion techniques demonstrate a deliberate effort to neutralize endpoint protection and maintain long-term access. Combined with HVNC, credential theft, and remote-control capabilities, CrySome represents a mature and operational threat capable of sustained covert operations and broad system compromise.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Persistence T1053.005 Scheduled Task/Job Scheduled Task
Persistence T1505.003 Server Software Component Web Shell
Persistence T1543.003 Create or Modify System Process Windows Service
Persistence T1547.001 Boot or Logon Autostart Execution Registry Run Keys / Startup Folder
Defence Evasion T1027.002 Obfuscated Files or Information Software Packing
Defence Evasion T1036.005 Masquerading Match Legitimate Resource Name or Location
Defence Evasion T1070.004 Indicator Removal File Deletion
Credential access T1555.003 Credentials from Password Stores Credentials from Web Browsers
Command and control T1071.001 Application Layer Protocol Web Protocols
Exfiltration T1041 Exfiltration Over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Impact B0022 Remote Access
Persistence F0012 Registry Run Keys / Startup Folder
Defense Evasion F0004 Disable or Evade Security Tools
Discovery E1082 System Information Discovery
Discovery E1083 File and Directory Discovery
Anti-Static Analysis B0032 Executable Code Obfuscation
Execution B0023 Install Additional Program

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu