216.73.217.139

From Phishing to Persistence: A CrySome RAT Infection Chain Analysis

· Published 07/07/2026 16:14

Export JSON

Essential information

Published
07/07/2026 16:14
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
amsi bypass browser hijacking credential theft crysome rat living-off-the-land spear-phishing uac bypass windefctl
Related entities
13 indicators, 7 observables, 19 techniques (mitre), 2 malware

Description

A sophisticated multi-stage infection chain was analyzed following successful containment by MDR SOC operations. Initial access occurred through using a logistics rate confirmation lure, delivering CrySome remote access trojan via multiple stages. The attack chain leveraged techniques, ICMLuaUtil COM interface for , and in-memory AMSI patching. WinDefCtl, an open-source Defender disruption tool, was deployed to weaken endpoint protections before the final payload. established persistence through scheduled tasks and provided operators with capabilities including hidden VNC, remote command execution, system reconnaissance, and targeting Chromium-based browsers. The campaign demonstrated modern threat actors' reliance on publicly available tooling combined with legitimate Windows processes to minimize detection while achieving comprehensive system compromise.

External references