CrySome is a sophisticated remote access trojan (RAT) built using C# within the .NET framework. At its core, it is designed to provide attackers with persistent, long-term access to compromised systems through a stable TCP-based command-and-control (C2) channel. While many RATs offer basic remote control features, CrySome stands out due to its strong focus on persistence, stealth, and defense evasion.
What makes this malware particularly dangerous is its ability to survive even drastic remediation efforts such as factory resets. It achieves this by abusing the Windows recovery partition and modifying the offline registry, allowing execution to resume even after a system is restored. Combined with layered persistence methods, an aggressive antivirus-killing module, and hidden remote control capabilities, CrySome represents a serious threat in modern cyber operations.
Introduction
This report is based on both static and dynamic analysis of CrySome’s decompiled code. By examining the internal structure rather than treating it as a black box, we gain a clearer understanding of how each module functions and interacts.
CrySome follows a modular design. Initially, it executes a bootstrap phase that loads configuration settings and activates specific features depending on operator preferences. Once initialized, the malware maintains a continuous communication loop with its C2 server. Commands are sent and received using a structured packet system, effectively turning the infected machine into a remotely controlled endpoint.
A key highlight is its persistence strategy. Unlike typical malware that relies on registry keys or startup folders, CrySome integrates deeper system-level techniques, including recovery partition abuse and offline registry manipulation. This ensures the malware remains active even after traditional cleanup methods.
Core Capabilities
CrySome provides attackers with a complete toolkit for system control and surveillance.
It allows execution of shell and PowerShell commands remotely, giving full administrative control. File operations such as upload, download, deletion, and browsing enable both data theft and payload deployment. Process management features allow attackers to monitor running applications and terminate those that may interfere with their activity.
The malware also performs system reconnaissance, collecting details like operating system version, username, uptime, and even the currently active window. This gives attackers real-time insight into user activity.
For surveillance, CrySome supports screenshot capture, microphone recording, webcam access, and keylogging. It can extract stored credentials from Chromium-based browsers, including passwords and cookies.
One of its most advanced features is HVNC (Hidden Virtual Network Computing). This allows attackers to operate a hidden desktop session invisible to the user, significantly reducing detection risk.
Additionally, CrySome includes proxy and reverse proxy capabilities, enabling lateral movement within networks.
Persistence Mechanisms
CrySome uses multiple overlapping techniques to ensure it remains active.
It creates scheduled tasks that run at regular intervals, ensuring execution even if the process is terminated. It also installs itself as a Windows service configured to restart automatically if stopped.
The malware maintains redundant copies of itself in hidden directories, increasing survivability. Registry-based startup entries are used for execution during system boot.
A watchdog process monitors the main process and relaunches it if needed, creating a self-healing mechanism.
Advanced Reset Survival Technique
One of CrySome’s most notable features is its ability to survive factory resets.
It stores a copy of itself in the C:\Recovery\OEM\ directory, which is part of the Windows recovery environment. This location is typically preserved during system resets.
The malware then modifies the offline registry by loading registry hives outside the active OS. It inserts execution commands into the RunOnce key, ensuring the payload executes when the system is reinitialized.
This approach allows CrySome to bypass traditional remediation efforts, making it extremely difficult to remove completely.
Self-Protection Features
CrySome actively defends itself against removal.
It locks its own file to prevent deletion, marks itself as a hidden system file, and uses security descriptors to restrict process access. In some cases, it can mark itself as a critical process, which may trigger a system crash (BSOD) if terminated.
These techniques significantly increase resistance against both manual removal and automated security tools.
AVKiller and Defense Evasion
The AVKiller module is designed to neutralize security software.
It continuously scans for antivirus processes and terminates them. It disables security services and prevents them from restarting. It also blocks installation attempts of security tools by killing installer processes.
CrySome modifies the system’s hosts file to block antivirus update servers, ensuring defenses remain outdated.
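As an added defender-side check (example code, not from the report or from the malware), the following Python parses a hosts file and lists every non-local hostname pinned to 0.0.0.0 or a loopback address, which is the shape of the AVKiller modification described above. The hosts content and the av-vendor.example names are constructed for the example.

```python
import ipaddress

# Constructed hosts file (not taken from the sample). Two entries black-hole a
# hypothetical security vendor's update hosts; the intranet entry is benign.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0 update.av-vendor.example      # constructed: update server
127.0.0.1 definitions.av-vendor.example
10.0.0.5 intranet.corp.example
"""

# Names that legitimately resolve to the local machine and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line: skip, don't crash
        for name in parts[1:]:                # one IP may carry several names
            yield ip, name

def find_sinkholed_hosts(text):
    """Return non-local hostnames mapped to 0.0.0.0, 127.0.0.1 or ::1.
    On a workstation any such entry deserves a look; one that names a
    security vendor's update or definitions host is the AVKiller pattern."""
    return sorted(name for ip, name in parse_hosts(text)
                  if (ip.is_unspecified or ip.is_loopback)
                  and name.lower() not in LOCAL_NAMES)
```

On a live Windows host the same function can be pointed at %SystemRoot%\System32\drivers\etc\hosts.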
It specifically targets Microsoft Defender by disabling real-time monitoring, behavior analysis, cloud protection, and other core components using PowerShell and registry modifications.
Another technique involves abusing the Image File Execution Options (IFEO) mechanism to prevent security tools from launching. Instead of executing normally, targeted applications are redirected to a dummy command, effectively neutralizing them.
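Added example (not code from the report or from the project) covering both registry artefacts this report describes: the RunOnce entry planted in an offline hive that points into C:\Recovery\OEM\, and the IFEO Debugger redirect used against security tools. It parses a .reg export in Python, which suits offline triage of hives pulled from an image or loaded with reg load; the export text, the OFFLINE_SW mount name, the SecTool.exe target and the file names are all constructed, and the two heuristics are assumptions.

```python
import re

# Constructed .reg export, NOT data from the real sample: one Image File
# Execution Options hijack and one RunOnce entry into the recovery partition.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecTool.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe /c exit"

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows\CurrentVersion\RunOnce]
"OEMSetup"="C:\\Recovery\\OEM\\RuntimeBroker.exe"

[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\x\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Only REG_SZ values ("name"="data" or @="data"); other value types are skipped.
VAL_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="(.*)"$')
IFEO_MARK = "\\image file execution options\\"

def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = re.sub(r'\\(.)', r'\1', m.group(2))   # undo .reg escaping
            yield key, name, data

def find_registry_hijacks(text):
    """Return (reason, key, name, data) tuples. Assumed heuristics: any IFEO
    Debugger value, and any Run/RunOnce command rooted under C:\\Recovery\\."""
    findings = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        if IFEO_MARK in k and name.lower() == "debugger":
            findings.append(("IFEO Debugger redirect", key, name, data))
        elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            if data.lower().lstrip('"').startswith("c:\\recovery\\"):
                findings.append(("Autorun from recovery partition", key, name, data))
    return findings
```

Benign Run entries such as the OneDrive line are parsed but not reported, so the output is only the two entries worth an analyst's attention.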

Static Analysis Overview
CrySome RAT Profile:
- Malware Name: CrySome RAT
- Client Executable: Crysome.Client.exe
- Server Executable: CrySome.Server.exe
- Language: C# / .NET
- Packaging: Costura.Fody
- Debug Path: %TEMP%\Crysome_debug.log
- First Seen: 20 March 2026
Dynamic Behavior
When executed, the malware spawns additional processes using names that resemble legitimate Windows components, such as RuntimeBroker.exe.
It silently runs commands using tools like PowerShell, registry editors, and service controllers. These actions are performed in the background without user awareness.
This behavior demonstrates the malware’s ability to operate covertly while maintaining control and persistence.

Indicators of Compromise (IOCs)
- SHA256 (Client): f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d
- SHA256 (Server): fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3
- Domain: crysome[.]net
Threat Landscape
CrySome is not just a standalone malware sample—it is part of a broader ecosystem.
The operators maintain a public-facing website where the RAT is marketed and sold. The platform offers subscription-based access with different pricing tiers, making it accessible to a wide range of threat actors.
More concerning is the presence of cracked versions circulating on underground forums and messaging platforms. This increases the likelihood of widespread use, even by less-skilled attackers.
The malware is actively maintained, with updates released as recently as March 2026, indicating ongoing development and support.
Conclusion
CrySome represents a mature and highly capable remote access trojan. Its layered persistence mechanisms, combined with advanced evasion techniques, make it extremely resilient against detection and removal.
The ability to survive system resets sets it apart from many other threats. With features like HVNC, credential theft, and network pivoting, it provides attackers with long-term, covert control over compromised systems.
Organizations must treat this threat seriously, as traditional security measures may not be sufficient to detect or remove it completely.
Recommendations
Organizations should immediately isolate systems showing signs of compromise. Deploy advanced endpoint detection solutions capable of identifying suspicious behavior such as registry manipulation and service abuse.
Regular audits of scheduled tasks, startup entries, and services are essential. Monitoring and blocking suspicious domains like crysome[.]net should be enforced.
Security solutions must have tamper protection enabled to prevent disabling via scripts. Deep forensic analysis of recovery partitions is also necessary during incident response.
Maintaining secure backups and enforcing application control policies can further reduce risk.
YARA Rule
import "hash"

rule CrySome_RAT
{
    meta:
        description = "Detection of CrySome RAT using SHA256 hashes and C2 domain"
        author = "CyberP1"
        date = "2026-03-25"
    strings:
        // ascii wide: .NET user strings are stored as UTF-16, so the plain
        // ASCII form alone would miss the domain inside the managed assembly
        $url = "crysome.net" ascii wide
    condition:
        hash.sha256(0, filesize) == "f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d" or
        hash.sha256(0, filesize) == "fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3" or
        $url
}
Our Analysis and Opinion
CrySome is a strong example of how modern malware is evolving beyond simple payload execution into fully engineered platforms designed for persistence and operational continuity. What stands out the most is not just the number of features, but how well those features are integrated. This is not experimental or poorly stitched malware—it reflects careful planning and a clear understanding of defensive technologies.
The reset survival technique is particularly notable. Many organizations still rely on system reimaging or factory reset as a last-resort cleanup method. CrySome directly challenges that assumption. By embedding itself into the recovery partition and modifying the offline registry, it effectively bypasses one of the most trusted remediation strategies. This alone elevates the threat level significantly.
Another important aspect is the AVKiller module. Rather than simply disabling one or two security tools, CrySome systematically targets a wide range of solutions. It not only terminates processes but also prevents reinstallations and blocks updates. This shows a shift toward maintaining long-term dominance over the infected system rather than just gaining initial access.
The commercialization of CrySome is equally concerning. The availability of subscription models and cracked versions lowers the barrier to entry. This means that even less experienced attackers can deploy highly advanced capabilities. As a result, threats that were once limited to skilled actors are becoming more widespread.
From a defensive standpoint, this malware highlights the importance of layered security. Traditional antivirus alone is not enough. Organizations need behavioral detection, strong monitoring, and deeper forensic capabilities. Recovery procedures must also evolve to include validation of recovery partitions and offline registry states.
Overall, CrySome reflects a broader trend in cyber threats—persistence is now just as important as access. Attackers are no longer satisfied with short-term control; they are building mechanisms to stay hidden and active for as long as possible. This makes early detection and proactive defense more critical than ever.
