CrySome RAT Emerges as Advanced .NET Malware with AV Killer and HVNC
Key Takeaways
- A new and sophisticated .NET-based Remote Access Trojan (RAT), dubbed CrySome, has emerged, designed for extensive control and stealth on compromised Windows systems.
- CrySome RAT exhibits extreme persistence by embedding itself within the Windows recovery partition, allowing it to survive factory resets.
- The malware includes an “AVKiller” module that aggressively disables and prevents the reinstallation of major antivirus products, leaving systems highly vulnerable.
- Its “HVNC” module enables attackers to operate an invisible desktop session, facilitating covert data exfiltration and system manipulation without user detection.
- Defenders must implement robust endpoint detection, network blocking, and thorough forensic analysis of recovery partitions to combat this advanced threat.
The cybersecurity landscape faces a formidable new adversary in CrySome RAT, an advanced malware strain engineered for unparalleled stealth, persistence, and comprehensive control over infected systems. Written in C#, this threat specifically targets the .NET framework, granting attackers full remote access to compromised Windows machines.
CrySome’s capabilities extend far beyond typical remote access tools, encompassing password theft, keystroke logging, and the initiation of hidden desktop sessions. Its design prioritizes long-term access and deep system manipulation via a persistent TCP-based command-and-control channel.
A distinguishing feature setting CrySome apart is its exceptional ability to withstand a complete factory reset. The malware strategically copies itself into the Windows recovery partition, located at C:\Recovery\OEM, and alters the offline registry to ensure its execution immediately following a system restore. This sophisticated persistence mechanism means that even after a victim believes their machine has been thoroughly cleansed, the malware silently reactivates, a level of resilience rarely observed in the wild.
Analysts at Cyfirma uncovered CrySome RAT through rigorous static and dynamic analysis of its decompiled code. Their investigation provided critical insights into the malware’s internal architecture and modular design. The research team highlighted CrySome’s modular structure, where an initial bootstrap phase retrieves configuration settings and activates specific functionalities based on the operator’s commands.
Cyfirma researchers further observed that CrySome communicates with its command-and-control server over TCP. Upon establishing a connection, it immediately transmits a detailed profile of the compromised system, including the username, operating system specifics, uptime, country code, and the title of the currently active window.
Aggressive Defense Evasion with AVKiller
CrySome RAT incorporates an aggressive defense evasion toolkit through its “AVKiller” module. This component is designed to neutralize security measures by terminating antivirus processes, disabling security services, blocking attempts to install new antivirus software, and poisoning the system’s hosts file to cut off antivirus update servers. Furthermore, it leverages Image File Execution Options (IFEO) hijacking to prevent security tools from launching altogether.
The AVKiller module specifically targets prominent security products, including Windows Defender and those from vendors such as Kaspersky, CrowdStrike, ESET, Avast, and SentinelOne. Once its destructive work is complete, the infected system is left with minimal to no active protection.
The threat’s reach is further amplified by its Hidden Virtual Network Computing (HVNC) module. This allows attackers to interact with the victim’s machine through an entirely invisible desktop session. Consequently, an attacker can open browsers, access files, and navigate the system without any visible activity appearing on the user’s screen.
When combined with capabilities like keylogging, credential harvesting from Chromium-based browsers, webcam access, screen capture, and SOCKS proxy support for lateral movement, CrySome functions less like a basic remote access tool and more as a comprehensive post-exploitation framework.
Defense Evasion Through the AVKiller Module
A key technical aspect of CrySome RAT is its sophisticated defense evasion implemented via the dedicated AVKiller module. This module maintains hardcoded lists of antivirus process names, security service names, installer-related keywords, and antivirus update server domains.
When activated, a function named ScanAndKillProcesses() continuously scans all active processes on the system, immediately terminating any that match its internal blacklist. This execution occurs in parallel, ensuring that security processes are killed almost instantly upon restart, leaving no window for protection to recover.
Beyond simply terminating processes, the module also exploits the Windows Image File Execution Options (IFEO) registry key. It assigns a fake debugger to targeted security executables. As a result, when a blocked security tool attempts to launch, Windows silently redirects it to a harmless command that performs no action. The security application appears to start, but never actually executes, providing no visible indication to victims that their protection has been neutralized.
The AVKiller module also executes PoisonHostsFile(), which modifies the system’s hosts file to redirect antivirus update domains to 0.0.0.0. This effectively blocks all signature and definition updates. Over time, any security product that might have survived the initial onslaught becomes outdated and significantly less effective.
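The two registry- and file-based techniques described above, IFEO debugger hijacking and hosts-file poisoning, leave artifacts that a defender can audit directly. The following PowerShell is an added example written for this article; it is not code from Cyfirma's report or from the malware. The executable names and vendor domains it watches for are illustrative choices based on the vendors named above, not the malware's hardcoded lists, and the sample hosts content is constructed. Run it from an elevated prompt on the suspect host.

```powershell
# Added example: audit IFEO Debugger hijacks and hosts-file poisoning.
# Not from the Cyfirma report or the CrySome sample; lists below are illustrative.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Illustrative security executables (assumption: one well-known process per vendor named in the article).
$SecurityExes = @('MsMpEng.exe', 'avp.exe', 'CSFalconService.exe', 'ekrn.exe', 'AvastSvc.exe', 'SentinelAgent.exe')

# Illustrative vendor domains whose update traffic a poisoned hosts file would sink.
$AvUpdateDomains = @('microsoft.com', 'kaspersky.com', 'crowdstrike.com', 'eset.com', 'avast.com', 'sentinelone.com')

function Get-IfeoDebuggerHijacks {
    # Returns every image with a Debugger value under IFEO; flags security products
    # and debuggers that are not a recognised developer tool.
    param([string]$Root = $IfeoRoot)
    if (-not (Test-Path $Root)) { return @() }
    Get-ChildItem -Path $Root | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Suspicious = ($SecurityExes -contains $_.PSChildName) -or
                             ($dbg -notmatch 'windbg|vsjitdebugger|procdump')
            }
        }
    }
}

function Get-PoisonedHostsEntries {
    # Parses hosts-file lines and returns watched domains mapped to a sinkhole address.
    param(
        [string[]]$Lines = (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"),
        [string[]]$WatchDomains = $AvUpdateDomains
    )
    foreach ($line in $Lines) {
        $entry = ($line -split '#')[0].Trim()          # strip comments
        if (-not $entry) { continue }
        $parts = $entry -split '\s+'
        if ($parts.Count -lt 2) { continue }           # malformed line, nothing to check
        $ip = $parts[0]
        if ($ip -notin @('0.0.0.0', '127.0.0.1', '::1')) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($WatchDomains | Where-Object { $name -like "*$_" }) {
                [pscustomobject]@{ Address = $ip; HostName = $name; Line = $line }
            }
        }
    }
}

# Constructed sample showing what a poisoned file looks like (not taken from the sample).
$SampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1 localhost',
    '0.0.0.0 update.eset.com',
    '0.0.0.0 dnl-01.geo.kaspersky.com   # appended later'
)

Write-Host '== Poisoned entries in constructed sample =='
Get-PoisonedHostsEntries -Lines $SampleHosts | Format-Table -AutoSize

Write-Host '== Live hosts file =='
Get-PoisonedHostsEntries | Format-Table -AutoSize

Write-Host '== IFEO Debugger values (suspicious only) =='
Get-IfeoDebuggerHijacks | Where-Object Suspicious | Format-Table -AutoSize
```

Any Debugger value on a security executable is a finding regardless of what it points to; a legitimate IFEO debugger is rare outside developer workstations, so the remaining entries are worth reviewing by hand rather than filtering further. Because the hosts parser takes its lines as a parameter, the same function can be pointed at a hosts file copied out of a disk image.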
What You Should Do
- Immediately isolate any system exhibiting indicators of compromise related to CrySome RAT to prevent lateral movement within the network.
- Deploy and configure Endpoint Detection and Response (EDR) tools capable of detecting process injection, unauthorized registry changes, and service abuse across all environments.
- Regularly audit scheduled tasks, Windows services, and Run/RunOnce registry keys for any unauthorized or suspicious entries.
- Block the domain crysome[.]net and any associated command-and-control infrastructure at the network perimeter.
- Enable tamper protection features on all security tools to prevent scripts or policy changes from disabling them.
- Conduct deep forensic examinations of recovery partitions and offline registry hives during any remediation effort to ensure no hidden persistence mechanisms remain.
- Enforce strict application control policies to prevent the execution of unknown or unsigned binaries, particularly from user-writable folders.
- Maintain robust offline backups and verified system images to facilitate complete system recovery in the event of a successful compromise.
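The recovery-partition persistence described earlier (a copy under C:\Recovery\OEM plus an edited offline registry) is what the forensic step above is meant to catch. The PowerShell below is an added example for this article, not code from Cyfirma or the malware: it inventories scripts and binaries in the recovery directory with hashes and Authenticode status, then loads an offline SOFTWARE hive and lists its Run, RunOnce, Winlogon and IFEO entries. The hive path, the mount name and the list of keys inspected are assumptions for illustration; point the hive parameter at the SOFTWARE hive of the offline volume or mounted image you are examining.

```powershell
# Added example: audit the recovery directory and an offline SOFTWARE hive for persistence.
# Not from the Cyfirma report or the malware. Run elevated; the hive must not be in use.

function Get-RecoveryDirExecutables {
    # Lists executable content under the recovery folder with SHA-256 and signature status.
    param([string]$Path = 'C:\Recovery\OEM')
    if (-not (Test-Path $Path)) { return @() }
    Get-ChildItem -Path $Path -Recurse -File -Force -Include *.exe, *.dll, *.ps1, *.cmd, *.bat, *.vbs |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
}

function Get-OfflineHiveAutoruns {
    # Temporarily loads an offline SOFTWARE hive and returns autorun-style values from it.
    param(
        [Parameter(Mandatory)][string]$HivePath,   # e.g. D:\Windows\System32\config\SOFTWARE (assumed path)
        [string]$MountName = 'OfflineSW'           # assumed temporary key name
    )
    if (-not (Test-Path $HivePath)) { throw "Hive not found: $HivePath" }
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed ($LASTEXITCODE): run elevated and ensure the hive is offline" }
    try {
        $root = "HKLM:\$MountName"
        $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
        # Key -> value names to report ($null means every value in the key).
        $targets = @{
            'Microsoft\Windows\CurrentVersion\Run'     = $null
            'Microsoft\Windows\CurrentVersion\RunOnce' = $null
            'Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Shell', 'Userinit')
        }
        foreach ($key in $targets.Keys) {
            $full = "$root\$key"
            if (-not (Test-Path $full)) { continue }
            $props = Get-ItemProperty -Path $full
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $providerProps) { continue }
                if ($targets[$key] -and ($p.Name -notin $targets[$key])) { continue }
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
        # IFEO Debugger values written into the offline hive would also survive a reset.
        $ifeo = "$root\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
        if (Test-Path $ifeo) {
            Get-ChildItem -Path $ifeo | ForEach-Object {
                $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
                if ($dbg) { [pscustomobject]@{ Key = "IFEO\$($_.PSChildName)"; Name = 'Debugger'; Value = $dbg } }
            }
        }
    }
    finally {
        [gc]::Collect()     # drop provider handles so the unload succeeds
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Usage (elevated):
#   Get-RecoveryDirExecutables | Format-Table -AutoSize
#   Get-OfflineHiveAutoruns -HivePath 'D:\Windows\System32\config\SOFTWARE' | Format-Table -AutoSize
```

Compare the recovery-directory inventory against a known-good image of the same OEM build: the folder legitimately holds OEM reset customisations, so the finding is an unsigned or unfamiliar binary rather than the presence of files as such. Any autorun value in the offline hive that references the recovery directory, or an IFEO Debugger on a security product, should be treated as evidence that a reset alone will not clean the machine.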
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.