CrySome is a feature-rich remote access trojan (RAT) developed in C# for ecosystem, designed to establish and maintain persistent command-and-control channels over TCP while enabling full-spectrum remote operations on compromised systems. Its deeply integrated persistence, AV killer, and anti-removal architecture set it apart from standard RAT functionality such as command execution, file manipulation, surveillance, and credential theft. A defining characteristic of CrySome is its ability to survive system resets by leveraging recovery partition abuse and offline registry modification, allowing execution to be re-established even after a factory reset.
This is coupled with multi-layered persistence mechanisms including scheduled tasks, Windows services with recovery policies, watchdog processes, redundant binary placement, and registry-based execution triggers. It also incorporates aggressive defense evasion through its AVKiller module, which systematically disables security products, blocks updates, and prevents reinstallation attempts. The malware's use of recovery partition abuse, offline registry modification, and multi-layered persistence mechanisms makes remediation significantly more complex, allowing it to survive even system resets.[/subscribe_to_unlock_form]
CrySome is a feature-rich remote access trojan (RAT) developed in C# for ecosystem, designed to establish and maintain persistent command-and-control channels over TCP while enabling full-spectrum remote operations on compromised systems. Its deeply integrated persistence, AV killer, and anti-removal architecture set it apart from standard RAT functionality such as command execution, file manipulation, surveillance, and credential theft. A defining characteristic of CrySome is its ability to survive system resets by leveraging recovery partition abuse and offline registry modification, allowing execution to be re-established even after a factory reset.
This is coupled with multi-layered persistence mechanisms including scheduled tasks, Windows services with recovery policies, watchdog processes, redundant binary placement, and registry-based execution triggers. It also incorporates aggressive defense evasion through its AVKiller module, which systematically disables security products, blocks updates, and prevents reinstallation attempts. The malware's use of recovery partition abuse, offline registry modification, and multi-layered persistence mechanisms makes remediation significantly more complex, allowing it to survive even system resets.[emaillocker id="1283"]
Its integrated AVKiller and defense evasion techniques demonstrate a deliberate effort to neutralize endpoint protection and maintain long-term access. Combined with HVNC, credential theft, and remote-control capabilities, CrySome represents a mature and operational threat capable of sustained covert operations and broad system compromise.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defence Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defence Evasion | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Defence Evasion | T1070.004 | Indicator Removal | File Deletion |
| Credential access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Execution | B0023 | Install Additional Program |
The following reports contain further technical details:
[/emaillocker]