ctipilot.ch

CrySome RAT

tool · tool:crysome-rat single-source

Modular .NET remote-access trojan (documented in prior public reporting) analysed by LevelBlue SpiderLabs (2026-07-06) in a freight-rate-confirmation phishing chain combining an AMSI bypass, ICMLuaUtil UAC bypass and the open-source WinDefCtl Defender-disruption utility, with hidden VNC, command execution and Chromium credential theft.

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
0
no co-occurrence

Story timeline

  1. 2026-07-08CrySome RAT freight-phishing chain: AMSI bypass, ICMLuaUtil UAC bypass and an open-source Defender-disruption tool
    active-threatsCrySome RAT delivered via freight-rate phishing, chaining AMSI bypass, ICMLuaUtil UAC bypass and WinDefCtl

Where this entity is cited

  • active-threats1

Source distribution

  • levelblue.com1 (100%)

Entries about CrySome RAT (1)

2026-07-08 · view entry permalink →

NOTABLE

CrySome RAT freight-phishing chain: AMSI bypass, ICMLuaUtil UAC bypass and an open-source Defender-disruption tool

LevelBlue SpiderLabs documented a multi-stage infection chain delivering CrySome RAT — a modular .NET remote-access trojan the lab notes has been covered in prior public reporting — through spear-phishing emails impersonating freight-rate confirmations (LevelBlue SpiderLabs, 2026-07-06). Victims reach a fake portal hosting a batch-file downloader that launches PowerShell with an AMSI bypass (T1059.001, T1562.001) to fetch a stage-1 binary, which performs a UAC bypass via the ICMLuaUtil COM interface (T1548.002). Stage 2 adds Microsoft Defender exclusions and drops WinDefCtl — an open-source Defender-disruption utility masquerading as svchost.exe from %TEMP% — to disable real-time protection before launching the RAT. Persistence is a scheduled task ("CrysomeLoader") re-firing every five minutes (T1053.005); the RAT provides hidden VNC, arbitrary command execution and Chromium-browser credential theft, defeating Chrome's App-Bound Encryption via a decryptor DLL (T1555.003). Defender takeaway: the operators combine almost entirely open-source/off-the-shelf components rather than custom development, so — as LevelBlue notes — detecting the individual behavioural stages (AMSI-bypass PowerShell, ICMLuaUtil COM abuse, Defender-exclusion registry writes under Software\Microsoft\Windows Defender\Exclusions, svchost.exe from a non-System32 path) gives multiple disruption points before the RAT establishes; freight/logistics lures make transport-sector helpdesks a natural target, but the chain is theme-agnostic and transferable.

By combining an AMSI bypass, an open-source Defender tampering utility, and the modular CrySome RAT client, the operators minimize custom development while still achieving privilege escalation, defense evasion, persistence, credential theft, and remote access.

The actor then targeted host defenses by executing WinDefCtl, an open-source Defender disruption utility, masquerading as svchost.exe from %TEMP%.

LevelBlue (Trustwave) SpiderLabs 2026-07-06
threat08 Jul 20:35Zsingle-sourceOpen finding ↗