{
  "name": "From Phishing to Persistence: A CrySome RAT Infection Chain Analysis",
  "slug": "from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis",
  "description": "A sophisticated multi-stage infection chain was analyzed following successful containment by MDR SOC operations. Initial access occurred through spear-phishing using a logistics rate confirmation lure, delivering CrySome remote access trojan via multiple stages. The attack chain leveraged living-off-the-land techniques, ICMLuaUtil COM interface for UAC bypass, and in-memory AMSI patching. WinDefCtl, an open-source Defender disruption tool, was deployed to weaken endpoint protections before the final payload. CrySome RAT established persistence through scheduled tasks and provided operators with capabilities including hidden VNC, remote command execution, system reconnaissance, and credential theft targeting Chromium-based browsers. The campaign demonstrated modern threat actors' reliance on publicly available tooling combined with legitimate Windows processes to minimize detection while achieving comprehensive system compromise.",
  "published": "2026-07-07T14:14:56.048000+00:00",
  "created_at": "2026-07-07T14:46:51.583000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-07-07T14:46:51.583000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "amsi bypass",
    "browser hijacking",
    "credential theft",
    "crysome rat",
    "living-off-the-land",
    "spear-phishing",
    "uac bypass",
    "windefctl"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "a78a9f10-03c5-4814-9189-fd79b6ed4c4f",
        "name": "c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466a"
      },
      {
        "id": "2f097d3d-b003-4892-ad5a-414c9ade9e7a",
        "name": "ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8"
      },
      {
        "id": "ff340fcf-6a66-4644-b72e-ea19db9bc34c",
        "name": "https://signindat.com/patch.exe"
      },
      {
        "id": "2d2b7898-22d1-4ecd-904b-5cd4a32fddab",
        "name": "signindat.com"
      },
      {
        "id": "e578d9ba-c248-4bf7-a010-c3618ec63d6b",
        "name": "https://signindat.com"
      },
      {
        "id": "a2d4f639-732b-4166-afa9-20d40de0e669",
        "name": "https://signindat.com/ElevatorShellCode.exe"
      },
      {
        "id": "a8c61861-7fed-4d2c-b9fd-b65782a7b3b1",
        "name": "https://signindat.com/Rate_Confirmation_LD-2026-0847.pdf"
      },
      {
        "id": "32cd144f-e1c3-4ebb-a8fa-9a607478fecc",
        "name": "b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3"
      },
      {
        "id": "7e3f4384-dfac-46f5-a10a-c0c6548959c2",
        "name": "53f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ff"
      },
      {
        "id": "b178a7d5-162e-41d5-b206-8925744cf784",
        "name": "ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4"
      },
      {
        "id": "5d60eaf7-88f6-43ae-808e-ece923b41379",
        "name": "https://signindat.com/stage.ps1"
      },
      {
        "id": "6464cb01-6542-4b4a-9d2e-90cff8c988df",
        "name": "https://signindat.com/update.exe"
      },
      {
        "id": "0930ee2c-f7f7-4f41-b30e-0463eab6f628",
        "name": "ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bd"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "d048ac4b-dd28-4c66-b62b-fe25cefef481",
        "name": "T1548.002"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "b5dc6e7c-2905-466a-ace6-42fbc26626b9",
        "name": "T1546.012"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "malware": [
      {
        "id": "4b401c11-10e3-42f7-8e9e-e034f733289a",
        "name": "CrySome RAT",
        "slug": "crysome-rat"
      },
      {
        "id": "a0c16304-cb84-45ad-b3d5-3fe363e25b10",
        "name": "WinDefCtl"
      }
    ],
    "observables": [
      {
        "id": "01fc640f-2aa6-4663-8bae-959cb5cbb262",
        "name": "signindat.com"
      },
      {
        "id": "fa6e3051-2288-419b-9b3a-e0753995e2a0",
        "name": "https://signindat.com"
      },
      {
        "id": "9d8e4580-990d-42f5-afa2-072080e234af",
        "name": "https://signindat.com/patch.exe"
      },
      {
        "id": "f69ebb68-98a1-45a1-8f8e-7b093a2c5597",
        "name": "https://signindat.com/update.exe"
      },
      {
        "id": "bc398880-9b1f-4cf3-b080-c2d2cf82ff72",
        "name": "https://signindat.com/stage.ps1"
      },
      {
        "id": "78d8f245-7579-4da0-9a1b-f0cff533fcb7",
        "name": "https://signindat.com/ElevatorShellCode.exe"
      },
      {
        "id": "36a0d110-0c2b-4748-8c56-4e2e76a80ed4",
        "name": "https://signindat.com/Rate_Confirmation_LD-2026-0847.pdf"
      }
    ]
  },
  "external_refs": [
    {
      "id": "445f355f-ddb0-4349-94f6-6a10acaceb82",
      "standard_id": "external-reference--a2503323-6b42-5911-af0c-7eac7ec3db4b",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.levelblue.com/blogs/spiderlabs-blog/from-phishing-to-persistence-a-crysome-rat-infection-chain-analysis",
      "hash": null,
      "external_id": null,
      "created": "2026-07-07T14:46:49.660Z",
      "modified": "2026-07-07T14:46:49.660Z",
      "createdById": null
    },
    {
      "id": "0518e106-9a54-4cef-aef0-8959be7df344",
      "standard_id": "external-reference--d0ffd46e-af6e-56a7-a32a-310b33dca182",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a4d09e0fbf878666b3d5afd",
      "hash": null,
      "external_id": "6a4d09e0fbf878666b3d5afd",
      "created": "2026-07-07T14:46:49.636Z",
      "modified": "2026-07-07T14:46:49.636Z",
      "createdById": null
    }
  ]
}