CrySome RAT: Advanced .NET Malware with AV Killer Emerges
The threat landscape now contends with a new and dangerous malware strain, purpose-built for stealth, persistence, and complete control over infected systems.
CrySome RAT is written in C# and targets the .NET ecosystem, giving attackers complete remote control over compromised Windows machines.
From stealing passwords and recording keystrokes to launching invisible desktop sessions, CrySome is designed for long-term access and deep system control over a persistent TCP-based command-and-control channel.
What makes CrySome stand out from other remote access trojans is its ability to survive even a full factory reset.
The malware copies itself into the Windows recovery partition at C:\Recovery\OEM and edits the offline registry so that it is launched again after a system restore.
This means that even when a victim believes their machine has been completely wiped clean, the malware quietly relaunches itself. The caveat for responders is that a reset run from the on-disk recovery environment is exactly the case this defeats; only a reinstall from external media that repartitions the disk, or a manual cleanup of the recovery partition and its hives, removes it. This level of persistence engineering is rarely seen and places CrySome in a more serious category of threat than the typical RATs circulating in the wild.
Cyfirma analysts identified the malware after conducting both static and dynamic analysis of its decompiled code, providing a clear look into its internal structure and modular design.
The research team noted that CrySome follows a modular architecture, where a bootstrap phase loads configuration settings and activates specific capabilities based on operator instructions.
Cyfirma researchers also noted that the malware communicates with its command-and-control server over TCP and immediately sends a detailed profile of the infected system upon connection, including the username, operating system details, uptime, country code, and even the title of the currently open window.
The malware also carries an aggressive defense evasion toolkit through its AVKiller module.
This component terminates antivirus processes, disables security services, blocks antivirus installation attempts, poisons the system’s hosts file to cut off AV update servers, and uses Image File Execution Options hijacking to prevent security tools from ever launching.
Security products including Windows Defender, Kaspersky, CrowdStrike, ESET, Avast, and SentinelOne are specifically targeted. Once the AVKiller module finishes its work, the infected system is left with little to no active protection.
The threat’s reach goes even further through its Hidden Virtual Network Computing module, or HVNC, which allows attackers to interact with the victim’s machine through a completely invisible desktop session.
This means an attacker can open browsers, access files, and navigate the system without the user ever seeing any activity on their screen.
Combined with keylogging, credential harvesting from Chromium-based browsers, webcam access, screen capture, and SOCKS proxy support for pivoting into the victim's network, CrySome functions more like a full post-exploitation framework than a simple remote access tool.
Defense Evasion Through the AVKiller Module
One of the most technically significant aspects of CrySome RAT is how it handles defense evasion through its dedicated AVKiller module.

The module maintains hardcoded lists of antivirus process names, security service names, installer-related keywords, and antivirus update server domains.
When active, a function called ScanAndKillProcesses() runs continuously, enumerating every process on the system and terminating any whose name matches the internal list.
It does this in parallel, so a security process is killed almost as soon as it restarts and protection never gets a window to recover. The loop is only as effective as the privileges the RAT runs with: anti-malware engines that run as protected processes (PPL), such as Microsoft Defender's, cannot be terminated by an ordinary administrator-level process, which is one reason the registry and hosts-file tampering described next matters even where the kill loop fails.
Beyond killing processes, the module abuses the Windows Image File Execution Options (IFEO) registry key, writing a Debugger value under the subkey named after each targeted security executable.
Whenever one of these tools is launched, Windows starts the registered "debugger" instead, with the original command line as its argument; CrySome points it at a harmless command that does nothing, so the blocked tool never runs. Because IFEO lives under HKLM, this step needs administrator rights, and the hijack survives reboots until the Debugger value is removed.

The security application appears to start but never actually runs, giving victims no visible sign that their protection has been stopped.
The module also calls PoisonHostsFile(), which rewrites %SystemRoot%\System32\drivers\etc\hosts to map antivirus update domains to 0.0.0.0, blocking signature and definition updates entirely.
Over time, even if a security product manages to survive, it becomes outdated and far less effective.
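The two registry and hosts-file techniques above leave artifacts that can be checked offline from a collected hosts file and a `reg export` of the IFEO key. The Python triage script below is an added example, not code from the Cyfirma report or from the malware; the executable names, vendor keywords, and both sample artifacts are constructed for illustration and are not the malware's own lists. It flags any hosts entry that sinkholes a non-loopback name (high severity when the name carries a security vendor's name) and any IFEO subkey that carries a Debugger value (high severity when the image is a security product, info otherwise, since a JIT debugger on notepad.exe may be legitimate).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed watch-lists for illustration; they are not the malware's own tables.
SECURITY_EXES = {
    "msmpeng.exe", "mssense.exe",          # Microsoft Defender / MDE
    "avp.exe",                             # Kaspersky
    "csfalconservice.exe",                 # CrowdStrike Falcon
    "ekrn.exe", "egui.exe",                # ESET
    "avastsvc.exe", "avastui.exe",         # Avast
    "sentinelagent.exe",                   # SentinelOne
}
VENDOR_KEYWORDS = ("microsoft", "windowsupdate", "kaspersky", "crowdstrike",
                   "eset", "avast", "sentinelone")
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
IFEO_PREFIX = "\\image file execution options\\"   # lower-cased key fragment


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = security product affected, "info" = review manually
    source: str     # "hosts" or "ifeo"
    target: str     # sinkholed hostname or hijacked image name
    detail: str


def scan_hosts(text: str) -> list[Finding]:
    """Flag hosts entries that point a non-loopback name at a sinkhole address.

    A clean hosts file only maps localhost-style names to 127.0.0.1/::1; anything
    else sent to 0.0.0.0 or loopback is the PoisonHostsFile() pattern when the
    name belongs to a security vendor, and worth a look regardless.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip not in SINKHOLE_IPS:
            continue
        for name in names:
            lname = name.lower()
            if lname in LOOPBACK_NAMES:
                continue
            sev = "high" if any(k in lname for k in VENDOR_KEYWORDS) else "info"
            findings.append(Finding(sev, "hosts", lname, f"{ip} -> {name}"))
    return findings


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')   # REG_SZ lines only


def _unescape_reg(value: str) -> str:
    """.reg exports double backslashes and escape quotes; undo that."""
    return re.sub(r"\\(.)", r"\1", value)


def scan_ifeo(reg_text: str) -> list[Finding]:
    """Report every IFEO subkey carrying a Debugger value.

    Windows launches <Debugger> <original command line> instead of the image, so a
    Debugger on a security product's binary is the hijack described above.
    reg.exe writes .reg files as UTF-16LE with a BOM: read real ones with encoding="utf-16".
    """
    findings = []
    image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            path = key.group(1).lower()
            idx = path.find(IFEO_PREFIX)
            tail = path[idx + len(IFEO_PREFIX):] if idx != -1 else ""
            # Only the subkey directly under IFEO names an image; deeper keys
            # such as chrome.exe\PerfOptions do not.
            image = tail if tail and "\\" not in tail else None
            continue
        val = _VALUE_RE.match(line)
        if val and image and val.group(1).lower() == "debugger":
            sev = "high" if image in SECURITY_EXES else "info"
            findings.append(Finding(sev, "ifeo", image, _unescape_reg(val.group(2))))
    return findings


def triage(hosts_text: str, reg_text: str) -> list[Finding]:
    """Combine both scans, highest severity first."""
    findings = scan_hosts(hosts_text) + scan_ifeo(reg_text)
    return sorted(findings, key=lambda f: (f.severity != "high", f.source, f.target))


# Constructed samples resembling artifacts after AVKiller ran; the vendor
# domains are placeholders, not real update servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 updates.kaspersky.example
0.0.0.0 dl.avast.example
0.0.0.0 ads.tracker.example    # ad-block style entry, not AV related
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe /c rem"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Tools\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions]
"CpuPriorityClass"=dword:00000003
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTS, SAMPLE_REG):
        print(f"[{f.severity.upper():4}] {f.source:5} {f.target:28} {f.detail}")
```

On the sample data the script reports the two vendor sinkholes and the MsMpEng.exe Debugger as high, with the ad-block entry and the notepad.exe JIT debugger left as info for an analyst to confirm. Remediation for a confirmed hijack is deleting the Debugger value under the affected IFEO subkey and restoring the hosts file, then re-running the scan; note that REG_EXPAND_SZ Debugger values exported as hex(2) are not parsed by this simple REG_SZ matcher.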

Security teams and system administrators should take the following steps in response to this threat. Any system showing indicators tied to CrySome RAT should be isolated immediately to stop lateral movement.
Endpoint detection and response tools capable of catching process injection, registry changes, and service abuse should be deployed across all environments.
Scheduled tasks, Windows services, and Run/RunOnce registry keys should be checked regularly for entries that were not authorized. The domain crysome[.]net and any related infrastructure should be blocked at the network level.
Tamper protection should be turned on to prevent scripts or policy changes from disabling security tools.
Recovery partitions and offline registry hives require deep forensic examination during any remediation effort to confirm no hidden persistence survives.
Application control policies should be enforced to stop unknown or unsigned binaries from running, especially from user-writable folders. Finally, offline backups and verified system images should be maintained to support full recovery when needed.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.