Crimson RAT

Crimson RAT is a custom .NET remote access trojan widely associated with Transparent Tribe/APT36 (also tracked as COPPER FIELDSTONE, Operation Transparent Tribe, ProjectM, Mythic Leopard, and Storm-0156), a Pakistan-linked espionage actor. Public reporting describes it as a long-running espionage tool used primarily against Indian government, military, diplomatic, academic, defense-adjacent, and more recently startup targets, with some reporting also noting activity focused on Afghanistan.

Observed delivery methods include spear-phishing emails with malicious Microsoft Office documents containing VBA macros, weaponized Excel files, ISO container attachments, ZIP archives, and malicious LNK shortcuts. Reported infection chains include macros reconstructing and extracting ZIP payloads to %ALLUSERPROFILE%/ProgramData paths, and ISO/LNK chains that launch batch scripts and PowerShell, display decoy documents, and execute a Crimson RAT payload disguised as an Excel file. Reporting also notes exploitation of WinRAR CVE-2023-38831 in campaigns delivering Crimson RAT, as well as Indian government-themed and startup-themed lures.

Capabilities directly described in the source material include remote command execution; process listing and termination; file system browsing, search, upload/download, and exfiltration; screenshot capture and in some cases live screen streaming; persistence via Windows Registry Run keys and Startup-folder/LNK mechanisms; downloading and executing additional payloads; system reconnaissance; and collection of victim metadata such as machine name, username, OS version, IP/NIC, client ID, and installation path. Broader reporting on the Crimson tooling ecosystem also attributes microphone audio surveillance, webcam capture, keystroke logging, browser password theft, removable-media theft, and USB-worm functionality to related Crimson components managed through the Crimson Server C2.

Technical details in the provided content include use of custom TCP-based C2 on non-standard ports. One analyzed variant using the namespace dhrwarhsav hard-coded C2 IP 107.175.64.209 and attempted connections over ports 6728, 8661, 10614, 14822, and 18443; it used a custom length-prefixed UTF-8 protocol, copied itself for persistence, and set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\_dreb. Another campaign report listed Crimson RAT communications over ports 18661, 20856, 26868, 29261, and 36628. A May 2025 report identified C2 infrastructure at 93.127.133.58:1097. Additional file/path artifacts mentioned in reporting include dhrwarhsav.exe, dorbanvca.exe, Book1.xls, and ProgramData paths such as C:\ProgramData\Edlacar, %ALLUSERPROFILE%\Media-List\tbvrarthsa.zip / tbvrarthsa.exe, and C:\ProgramData\Dacr\macrse.exe.

The malware is described as using evasion and anti-analysis measures including hidden WinForms execution, randomized function names, artificial file-size inflation with junk data, avoidance of certain system directories during traversal, and use of decoy documents to distract victims. Overall, the content consistently characterizes Crimson RAT as a mature espionage-focused RAT central to Transparent Tribe/APT36 operations.