CrySome RAT Emerges as Advanced .NET Malware with AV Killer and HVNC


David kimber
March 30, 2026

Key Takeaways

  • A new and sophisticated .NET-based Remote Access Trojan (RAT), dubbed CrySome, has emerged, designed for extensive control and stealth on compromised Windows systems.
  • CrySome RAT exhibits extreme persistence by embedding itself within the Windows recovery partition, allowing it to survive factory resets.
  • The malware includes an “AVKiller” module that aggressively disables and prevents the reinstallation of major antivirus products, leaving systems highly vulnerable.
  • Its “HVNC” module enables attackers to operate an invisible desktop session, facilitating covert data exfiltration and system manipulation without user detection.
  • Defenders must implement robust endpoint detection, network blocking, and thorough forensic analysis of recovery partitions to combat this advanced threat.

The cybersecurity landscape faces a formidable new adversary in CrySome RAT, an advanced malware strain engineered for unparalleled stealth, persistence, and comprehensive control over infected systems. Written in C#, this threat specifically targets the .NET framework, granting attackers full remote access to compromised Windows machines.


CrySome’s capabilities extend far beyond typical remote access tools, encompassing password theft, keystroke logging, and the initiation of hidden desktop sessions. Its design prioritizes long-term access and deep system manipulation via a persistent TCP-based command-and-control channel.

A distinguishing feature setting CrySome apart is its exceptional ability to withstand a complete factory reset. The malware strategically copies itself into the Windows recovery partition, located at C:\Recovery\OEM, and alters the offline registry to ensure its execution immediately following a system restore. This sophisticated persistence mechanism means that even after a victim believes their machine has been thoroughly cleansed, the malware silently reactivates, a level of resilience rarely observed in the wild.

Analysts at Cyfirma uncovered CrySome RAT through rigorous static and dynamic analysis of its decompiled code. Their investigation provided critical insights into the malware’s internal architecture and modular design. The research team highlighted CrySome’s modular structure, where an initial bootstrap phase retrieves configuration settings and activates specific functionalities based on the operator’s commands.

Cyfirma researchers further observed that CrySome communicates with its command-and-control server over TCP. Upon establishing a connection, it immediately transmits a detailed profile of the compromised system, including the username, operating system specifics, uptime, country code, and the title of the currently active window.

Aggressive Defense Evasion with AVKiller

CrySome RAT incorporates an aggressive defense evasion toolkit through its “AVKiller” module. This component is designed to neutralize security measures by terminating antivirus processes, disabling security services, blocking attempts to install new antivirus software, and poisoning the system’s hosts file to cut off antivirus update servers. Furthermore, it leverages Image File Execution Options (IFEO) hijacking to prevent security tools from launching altogether.

The AVKiller module specifically targets prominent security products such as Windows Defender, Kaspersky, CrowdStrike, ESET, Avast, and SentinelOne. Once its destructive work is complete, the infected system is left with minimal to no active protection.

The threat’s reach is further amplified by its Hidden Virtual Network Computing (HVNC) module. This allows attackers to interact with the victim’s machine through an entirely invisible desktop session. Consequently, an attacker can open browsers, access files, and navigate the system without any visible activity appearing on the user’s screen.

When combined with capabilities like keylogging, credential harvesting from Chromium-based browsers, webcam access, screen capture, and SOCKS proxy support for lateral movement, CrySome functions less like a basic remote access tool and more as a comprehensive post-exploitation framework.

Defense Evasion Through the AVKiller Module

A key technical aspect of CrySome RAT is its sophisticated defense evasion implemented via the dedicated AVKiller module. This module maintains hardcoded lists of antivirus process names, security service names, installer-related keywords, and antivirus update server domains.

When activated, a function named ScanAndKillProcesses() continuously scans all active processes on the system, immediately terminating any that match its internal blacklist. This execution occurs in parallel, ensuring that security processes are killed almost instantly upon restart, leaving no window for protection to recover.
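A continuously running kill loop has a detectable side effect: the same security process is terminated over and over on one host within seconds. The following detector is an added example (not code from the article, from Cyfirma, or from the malware) that scans Sysmon-style "process terminated" (Event ID 5) records for that burst pattern. The record layout, the executable names on the watchlist, and the sample events are assumptions constructed for the example.

```python
"""Flag bursts of security-process terminations on a host.

Added example, not Cyfirma's or the article's code. A kill loop that
re-terminates security processes as soon as they restart produces many
terminations of the same image on one host in a short span; this detector
looks for exactly that in Sysmon-style Event ID 5 records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of image names. The vendors are those named in the article; the
# executable names are assumptions for this example, not an authoritative list.
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Windows Defender
    "avp.exe",              # Kaspersky
    "csfalconservice.exe",  # CrowdStrike
    "ekrn.exe",             # ESET
    "avastsvc.exe",         # Avast
    "sentinelagent.exe",    # SentinelOne
}

# Constructed sample records: (UTC timestamp, host, Sysmon event id, image).
# Event ID 5 is "process terminated"; ID 1 ("process create") is ignored.
_DEF = r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y.z\MsMpEng.exe"
_KAV = r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky\avp.exe"
_CS = r"C:\Program Files\CrowdStrike\CSFalconService.exe"
SAMPLE_EVENTS = [
    ("2026-03-30T10:00:00", "ws01", 1, r"C:\Windows\System32\notepad.exe"),
    ("2026-03-30T10:00:01", "ws01", 5, _DEF),
    ("2026-03-30T10:00:02", "ws01", 5, _KAV),
    ("2026-03-30T10:00:03", "ws01", 5, _DEF),
    ("2026-03-30T10:00:04", "ws01", 5, _KAV),
    ("2026-03-30T10:00:05", "ws01", 5, _DEF),
    ("2026-03-30T10:00:06", "ws01", 5, _KAV),
    ("2026-03-30T10:00:07", "ws01", 5, _DEF),
    ("2026-03-30T10:00:08", "ws01", 5, r"C:\Windows\System32\notepad.exe"),
    ("2026-03-30T10:00:09", "ws01", 5, _CS),          # single stop, then
    ("2026-03-30T10:35:00", "ws01", 5, _CS),          # another 35 min later
    ("2026-03-30T10:02:00", "ws02", 5, r"C:\Program Files\ESET\ESET Security\ekrn.exe"),
]


def find_kill_bursts(events, window_seconds=60, threshold=3):
    """Return sorted [(host, image_name, count)] for every watched security
    process that was terminated at least `threshold` times inside some
    `window_seconds` span on the same host."""
    per_key = defaultdict(list)
    for ts, host, event_id, image in events:
        if event_id != 5:
            continue
        name = image.rsplit("\\", 1)[-1].lower()
        if name in SECURITY_PROCESSES:
            per_key[(host, name)].append(datetime.fromisoformat(ts))

    window = timedelta(seconds=window_seconds)
    findings = []
    for (host, name), stamps in per_key.items():
        stamps.sort()
        best, left = 0, 0
        # Sliding window over the sorted timestamps: widest run whose span
        # fits inside `window` is the peak termination count.
        for right, t in enumerate(stamps):
            while t - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            findings.append((host, name, best))
    return sorted(findings)


if __name__ == "__main__":
    for host, image, count in find_kill_bursts(SAMPLE_EVENTS):
        print(f"{host}: {image} terminated {count} times within 60 s")
```

On the constructed input the two CrowdStrike stops are 35 minutes apart and stay below the threshold, which is the point of a windowed count rather than a plain tally: a legitimate service restart or update produces isolated terminations, a kill loop produces a burst.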

Beyond simply terminating processes, the module also exploits the Windows Image File Execution Options (IFEO) registry key. It assigns a fake debugger to targeted security executables. As a result, when a blocked security tool attempts to launch, Windows silently redirects it to a harmless command that performs no action. The security application appears to start, but never actually executes, providing no visible indication to victims that their protection has been neutralized.
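An IFEO hijack of this kind leaves a concrete artifact: a `Debugger` value under the targeted executable's IFEO subkey. The script below is an added example (not code from the article or from Cyfirma) that parses the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and reports every `Debugger` value it finds, rating it high when the target is a security executable or the debugger is not a known debugging tool. The security-executable watchlist, the set of debuggers treated as benign, and the sample registry output are assumptions constructed for the example.

```python
"""Audit Image File Execution Options for Debugger redirections.

Added example, not Cyfirma's or the article's code. Input is the text that
`reg query "<IFEO key>" /s` prints on Windows; the sample below is constructed
so the audit runs offline. Legitimate Debugger entries exist (developer JIT
debugging), so findings are rated rather than blindly treated as malicious.
"""
import re

IFEO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Assumed watchlist of security executables (vendors as named in the article).
SECURITY_IMAGES = {"msmpeng.exe", "avp.exe", "csfalconservice.exe",
                   "ekrn.exe", "avastsvc.exe", "sentinelagent.exe"}

# Debuggers an engineer might legitimately register; anything else is suspect.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe"}

# A reg query value line: "    Name    REG_TYPE    data"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample output. The cmd.exe redirection stands in for the
# "harmless command" the article describes; the exact command is unknown.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe
    Debugger    REG_SZ    C:\Windows\System32\cmd.exe /c exit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
    Debugger    REG_SZ    "C:\Windows\System32\cmd.exe" /c exit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe
    Debugger    REG_SZ    C:\Windows\System32\vsjitdebugger.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    DisableExceptionChainValidation    REG_DWORD    0x1
"""


def _first_token(cmdline):
    """Executable path from a command line, honouring a leading quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def audit_ifeo(reg_output):
    """Return sorted [(image_name, debugger_value, severity)] for every
    Debugger value found under an IFEO subkey."""
    findings = []
    current = None  # lower-cased image name of the subkey being read
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            in_ifeo = key.lower().startswith(IFEO_ROOT.lower())
            current = key[len(IFEO_ROOT) + 1:].lower() if in_ifeo and len(key) > len(IFEO_ROOT) else None
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, _reg_type, data = m.groups()
        if name.lower() != "debugger":
            continue
        debugger_exe = _first_token(data).rsplit("\\", 1)[-1].lower()
        suspicious = current in SECURITY_IMAGES or debugger_exe not in KNOWN_DEBUGGERS
        findings.append((current, data.strip(), "high" if suspicious else "review"))
    return sorted(findings)


if __name__ == "__main__":
    for image, debugger, severity in audit_ifeo(SAMPLE_REG_QUERY):
        print(f"[{severity}] {image} -> {debugger}")
```

The `notepad.exe` subkey in the sample carries a non-Debugger value and is not reported; the point of the audit is the `Debugger` value specifically, because that is the one Windows consults when the named image is launched.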

The AVKiller module also executes PoisonHostsFile(), which modifies the system’s hosts file to redirect antivirus update domains to 0.0.0.0. This effectively blocks all signature and definition updates. Over time, any security product that might have survived the initial onslaught becomes outdated and significantly less effective.
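Hosts-file poisoning is easy to check for once you parse the file properly (comments, tabs, several hostnames per line). Below is an added example (not code from the article or from Cyfirma) that lists every hostname mapped to an unspecified or loopback address and marks the ones that fall under a security vendor's domain; it generalises beyond the article's case by also surfacing non-vendor sinkholes, since ad-blocking entries look identical in the file. The vendor domain suffixes and the sample hosts file are assumptions constructed for the example.

```python
"""Find hosts-file entries that sinkhole security vendor domains.

Added example, not Cyfirma's or the article's code. Parses the contents of
C:\Windows\System32\drivers\etc\hosts (sample constructed here) and reports
names pointed at 0.0.0.0, 127.0.0.1 or ::1, flagging those under an assumed
list of antivirus update domain suffixes.
"""
import ipaddress

# Assumed vendor suffixes; confirm the real update hosts with each vendor.
AV_UPDATE_SUFFIXES = ("microsoft.com", "kaspersky.com", "eset.com",
                      "avast.com", "crowdstrike.com", "sentinelone.net")

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample hosts file: stock entries, one internal override,
# several poisoned vendor names and one ad-blocking entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# Sample HOSTS file constructed for this example.
127.0.0.1       localhost
::1             localhost
192.168.10.5    intranet.corp.example   # legitimate internal override
0.0.0.0         definitionupdates.microsoft.com go.microsoft.com
0.0.0.0\tdnl-01.geo.kaspersky.com
127.0.0.1       update.eset.com
0.0.0.0         ads.tracker.example
"""


def _is_sinkhole(addr_text):
    """True for 0.0.0.0, 127.x.x.x, ::1 and similar; False for anything else."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return addr.is_unspecified or addr.is_loopback


def find_sinkholed_hosts(hosts_text, watch_suffixes=AV_UPDATE_SUFFIXES):
    """Return [(address, hostname, is_watched_vendor)] in file order for each
    non-loopback hostname mapped to a sinkhole address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()                   # tabs and runs of spaces
        if not _is_sinkhole(parts[0]):
            continue
        for name in parts[1:]:
            lname = name.lower().rstrip(".")
            if lname in LOOPBACK_NAMES:
                continue
            watched = any(lname == s or lname.endswith("." + s) for s in watch_suffixes)
            findings.append((parts[0], lname, watched))
    return findings


if __name__ == "__main__":
    for addr, host, watched in find_sinkholed_hosts(SAMPLE_HOSTS):
        tag = "VENDOR UPDATE DOMAIN" if watched else "other sinkhole"
        print(f"{addr:<12} {host:<35} {tag}")
```

Run it against a copy of the hosts file pulled from a suspect machine; any vendor-flagged line is a strong sign that updates have been cut off, while the unflagged lines are worth a look but are often deliberate ad-blocking entries.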

What You Should Do

  • Immediately isolate any system exhibiting indicators of compromise related to CrySome RAT to prevent lateral movement within the network.
  • Deploy and configure Endpoint Detection and Response (EDR) tools capable of detecting process injection, unauthorized registry changes, and service abuse across all environments.
  • Regularly audit scheduled tasks, Windows services, and Run/RunOnce registry keys for any unauthorized or suspicious entries.
  • Block the domain crysome[.]net and any associated command-and-control infrastructure at the network perimeter.
  • Enable tamper protection features on all security tools to prevent scripts or policy changes from disabling them.
  • Conduct deep forensic examinations of recovery partitions and offline registry hives during any remediation effort to ensure no hidden persistence mechanisms remain.
  • Enforce strict application control policies to prevent the execution of unknown or unsigned binaries, particularly from user-writable folders.
  • Maintain robust offline backups and verified system images to facilitate complete system recovery in the event of a successful compromise.

All Rights Reserved by HackersRadar ©2026