From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
Essential information
- Published
- 07/07/2026 16:14
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- amsi bypass browser hijacking credential theft crysome rat living-off-the-land spear-phishing uac bypass windefctl
- Related entities
- 13 indicators, 7 observables, 19 techniques (mitre), 2 malware
Description
A sophisticated multi-stage infection chain was analyzed following successful containment by MDR SOC operations. Initial access occurred through spear-phishing using a logistics rate confirmation lure, delivering CrySome remote access trojan via multiple stages. The attack chain leveraged living-off-the-land techniques, ICMLuaUtil COM interface for UAC bypass, and in-memory AMSI patching. WinDefCtl, an open-source Defender disruption tool, was deployed to weaken endpoint protections before the final payload. CrySome RAT established persistence through scheduled tasks and provided operators with capabilities including hidden VNC, remote command execution, system reconnaissance, and credential theft targeting Chromium-based browsers. The campaign demonstrated modern threat actors' reliance on publicly available tooling combined with legitimate Windows processes to minimize detection while achieving comprehensive system compromise.