{
  "name": "CrySome RAT : An Advanced Persistent .NET Remote Access Trojan",
  "slug": "crysome-rat-an-advanced-persistent-net-remote-access-trojan",
  "description": "CrySome is a sophisticated .NET-based remote access trojan (RAT) designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, that allow it to survive system resets. The malware incorporates an aggressive defense-evasion module that disables security products and blocks updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat that can provide long-term covert access to compromised environments.",
  "published": "2026-03-31T14:14:28+00:00",
  "created_at": "2026-03-31T14:14:28+00:00",
  "modified_at": "2026-03-31T16:49:27+00:00",
  "created_at_opencti": "2026-03-31T14:14:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    ".net",
    "2026-03-31",
    "avkiller",
    "c++",
    "credential-theft",
    "crysome rat",
    "defense evasion",
    "hvnc",
    "persistence",
    "rat",
    "remote access",
    "stealth"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d"
      },
      {
        "id": "",
        "name": "fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3"
      }
    ],
    "malware": [
      {
        "id": "4b401c11-10e3-42f7-8e9e-e034f733289a",
        "name": "CrySome RAT",
        "slug": "crysome-rat"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "74d6e294-54d1-4a21-9dfc-df5870f8ec8e",
        "name": "T1003"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81",
        "name": "T1123"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "ca53b2fa-42a8-45ec-9682-0cf54bf280f3",
        "name": "T1090"
      },
      {
        "id": "269fca28-cdea-40b4-ae42-8246ad31a84a",
        "name": "T1125"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "c5f0558f-48a3-4714-a75c-5193d56360f9",
        "name": "T1037"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "crysome.net"
      }
    ]
  },
  "external_refs": [
    "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan",
    "https://otx.alienvault.com/pulse/69cbf2e4685c6f31a7715a5f"
  ]
}