Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
24 distinct techniques documented for this family, organized by ATT&CK tactic.
The intrusion began with a phishing email impersonating a legitimate freight rate confirmation. The email, sent from loadofferstender@gmail.com with the subject "DETROIT, MI to DALLAS, TX" , directed the recipient to hxxps://signindat[.]com, a website hosting a fake rate confirmation portal.
...a multi-layered persistence design composed of registry startup entries, scheduled tasks...
CrySome RAT establishes persistence by creating a scheduled task named CrysomeLoader , which executes the current client executable every five minutes using schtasks.exe.
Static analysis of the batch file shows that it immediately launches a hidden PowerShell process with -ExecutionPolicy Bypass, patches AMSI in memory, downloads the next-stage payload (ElevatorShellCode.exe), writes it to %TEMP%\es.exe, and executes it in a hidden window.
...a multi-layered persistence design composed of registry startup entries, scheduled tasks...
...a multi-layered persistence design composed of registry startup entries, scheduled tasks...
CrySome RAT establishes persistence by creating a scheduled task named CrysomeLoader , which executes the current client executable every five minutes using schtasks.exe.
Upon receiving a credential request from the C2 server, the client terminates running browser processes, writes an embedded abe_decrypt.dll to disk, injects the DLL into the target browser process
CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control(Keylogger, Credential harvesting, RDP, HVNC).
CrySome RAT represents a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control(Keylogger, Credential harvesting, RDP, HVNC).
...creates the command-and-control channel and ensures persistence before prompting a continuous network loop for packet processing...
Once AMSI protections have been bypassed, the loader downloads stage.ps1 from the attacker-controlled infrastructure and immediately executes it in memory using IEX
Once host defenses were weakened, CrySome RAT established persistent remote access to the compromised system. The malware provided the operator with capabilities including hidden virtual network computing (hVNC), remote command execution (RCE), system reconnaissance, and credential theft.
followed by an in-memory Antimalware Scan Interface (AMSI) patch that bypassed AMSI scanning for subsequent PowerShell execution... the actor then targeted host defenses by executing WinDefCtl... leveraging Image File Execution Options (IFEO) manipulation and a kernel driver ( kvckiller.sys ) to interfere with Microsoft Defender components
20 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A modular remote access trojan used as the final payload in a multi-stage phishing-driven intrusion. It establishes persistence, enables remote command execution, system reconnaissance, file management, proxying, HVNC, keylogging, credential theft from Chromium-based browsers, and defense evasion including AV/EDR tampering.
A modular, userland-focused remote access trojan/post-exploitation framework designed for persistence, evasion, surveillance, and operator control, with capabilities including keylogging, credential harvesting, RDP, and HVNC.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.