LevelBlue detailed a targeted spear-phishing intrusion that delivered the CrySome RAT through a freight rate confirmation lure, using a malicious batch file to launch hidden PowerShell and retrieve staged payloads from signindat[.]com. The attack chain used the ICMLuaUtil COM interface for a UAC bypass, patched AMSI in memory, and abused the open-source WinDefCtl utility to weaken Microsoft Defender before installing the final payload. CrySome then created persistence with a scheduled task, enabled remote command execution and hVNC access, and stole credentials from Chromium-based browsers by injecting abe_decrypt.dll to extract passwords and cookies for exfiltration. The malware configuration included a command-and-control endpoint at 193.26.115[.]42:5555.
Separately, Exodus Intelligence published technical details on CVE-2025-27727, a patched Windows Installer privilege-escalation flaw in msi.dll that let a low-privileged user coerce the MSI service running as SYSTEM into deleting an arbitrary folder. The bug stemmed from SetEEUIDirectoryAndFilter() registering attacker-controlled paths in the TempPackages registry and CleanupTempPackages() later deleting them without confirming the installer created them. Researchers showed the deletion primitive could be turned into SYSTEM code execution by targeting C:\Config.Msi and planting malicious rollback scripts, and said Microsoft fixed the issue by changing CMsiTransaction::SetEEUIDirectoryAndFilter() so folder deletion is no longer scheduled when the new feature flag is enabled.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
LevelBlue reported analyzing and containing a multi-stage intrusion that delivered the CrySome RAT through a targeted freight-themed spear-phishing campaign. The infection chain used a malicious batch file, hidden PowerShell, an ICMLuaUtil COM-based UAC bypass, AMSI patching, WinDefCtl to weaken Defender, and then deployed the RAT with persistence, hVNC, and browser credential theft capabilities.
Exodus Intelligence published a write-up explaining how the vulnerable call chain involving MsiBeginTransactionW(), SetEEUIDirectoryAndFilter(), and CleanupTempPackages() creates a SYSTEM-privileged arbitrary folder deletion primitive. The post also described abusing deletion of C:\Config.Msi to plant malicious rollback scripts and gain SYSTEM code execution.
Exodus Intelligence says CVE-2025-27727, a logic flaw in the COM interface exposed by Windows Installer's msi.dll, was patched by Microsoft in April 2025. The issue allowed a low-privileged user to cause the MSI service running as SYSTEM to delete an arbitrary folder path via TempPackages registry manipulation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.