From Phishing to Persistence: A CrySome RAT Infection Chain Analysis
A structured, multi-stage infection chain delivers the CrySome RAT via a logistics-themed spear-phishing lure. Initial access is achieved through a fake rate confirmation portal that drops a batch file, which chains UAC bypass (ICMLuaUtil COM interface), in-memory AMSI patching, and the open-source WinDefCtl utility to weaken Microsoft Defender before deploying the persistent RAT payload. CrySome RAT provides the operator with remote command execution, credential theft from Chromium browsers, HVNC, keylogging, and persistence via a scheduled task executing every 5 minutes.
- domainsignindat[.]comAttacker-controlled domain hosting the fake rate confirmation phishing portal and all staged payloads (ElevatorShellCode.exe, stage.ps1, update.exe, patch.exe, decoy PDF)
- emailloadofferstender[@]gmail[.]comSender email address used in the spear-phishing lure impersonating a logistics rate confirmation with subject 'DETROIT, MI to DALLAS, TX'
- ip193[.]26[.]115[.]42CrySome RAT C2 server endpoint extracted from embedded ##CRYCFG## configuration blob, communicating on port 5555
- sha25653f1da8a032115aa682749a114f4cfebcb5ef933400a89b4bbfa84f2057222ffSHA-256 hash of ElevatorShellCode.exe — first-stage executable loader performing UAC bypass and AMSI patching before retrieving stage.ps1
- sha256b7ca8fd9ebe0a76f16deea315fac7ee94dcb18e6ac2832b5c4cb562fbc6e0ed3SHA-256 hash of update.exe — WinDefCtl utility downloaded and renamed to svchost.exe in %TEMP% to disable Microsoft Defender via IFEO manipulation and kernel driver
- sha256c380268d493e0cba914ce2bc55faa1d7c050c599893c3196fee01fa745e6466aSHA-256 hash of patch.exe — CrySome RAT client payload written to disk as patch_diag.exe, providing persistent remote access, credential theft, and C2 communication
- sha256ced4407f4ac7e43c1a3010a394d111d2ad1b50a2e95668b4e9cfe739235e67bdSHA-256 hash of stage.ps1 — second-stage PowerShell loader that adds Defender exclusions, deploys WinDefCtl and CrySome RAT, and displays decoy PDF
- sha256ec68666e8f0a3b9870d7177bab684c8dcfb8ca0bc7c8c484a71b2b33ea4e26f4SHA-256 hash of Rate_Confirmation_LD-2026-0847.bat — initial batch file payload downloaded from phishing site
- sha256ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8SHA-256 hash of kvckiller.sys — kernel driver loaded by WinDefCtl to terminate Microsoft Defender processes and services
- urlhxxps://signindat[.]com/ElevatorShellCode[.]exeURL for downloading ElevatorShellCode.exe first-stage loader, saved to %TEMP%\es.exe
- urlhxxps://signindat[.]com/patch[.]exeURL for downloading CrySome RAT client payload, saved to %TEMP%\patch_diag.exe
- urlhxxps://signindat[.]com/Rate_Confirmation_LD-2026-0847[.]pdfURL for downloading decoy freight rate confirmation PDF displayed to victim while malware executes in background
- urlhxxps://signindat[.]com/stage[.]ps1URL for downloading stage.ps1, the second-stage PowerShell loader retrieved in-memory by ElevatorShellCode.exe via IEX
- urlhxxps://signindat[.]com/update[.]exeURL for downloading WinDefCtl utility, saved to %TEMP%\svchost.exe and executed with 'kill' argument
Detection / Hunteropenrouter
What Happened
Attackers sent fake shipping and logistics emails to trick employees into visiting a fraudulent website that looked like a freight rate confirmation portal. When the victim tried to download what they thought was a confirmation document, they instead received a malicious program that quietly installed itself on their computer. The malware used several techniques to disable security software, including a publicly available tool designed to turn off Microsoft Defender. Once installed, the malware gave the attackers remote control of the computer, allowed them to steal saved passwords from web browsers, and set itself to restart automatically every five minutes so it would survive reboots. Organizations should train employees to be suspicious of unexpected email attachments and links, monitor for security software being disabled, and ensure endpoints have robust protection that can detect these multi-stage attacks.
Key Takeaways
- Multi-stage infection chain delivers CrySome RAT via logistics-themed spear-phishing directing users to a fake rate confirmation portal on signindat[.]com
- Attacker leverages ICMLuaUtil COM interface UAC bypass and in-memory AMSI patching to escalate privileges and evade detection before downloading subsequent payloads
- Open-source WinDefCtl utility is repurposed to disable Microsoft Defender via IFEO manipulation and a kernel driver (kvckiller.sys), reducing custom development effort
- CrySome RAT establishes persistence via a scheduled task (CrysomeLoader) running every 5 minutes and includes a credential theft module injecting abe_decrypt.dll into Chromium-based browsers
- Embedded ##CRYCFG## configuration blob reveals C2 endpoint 193.26.115[.]42:5555, campaign group identifier, and enabled capabilities including HVNC, keylogging, and AV tampering
Affected Systems
- Microsoft Windows endpoints with Microsoft Defender enabled
- Chromium-based browsers (Chrome, Microsoft Edge, Brave) for credential theft targeting
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Spear-phishing email from [email protected] impersonates a logistics rate confirmation, directing victim to signindat[.]com fake portal
- Execution: User downloads Rate_Confirmation_LD-2026-0847.bat which launches hidden PowerShell, patches AMSI, downloads ElevatorShellCode.exe to %TEMP%\es.exe
- Privilege Escalation: ElevatorShellCode.exe attempts ICMLuaUtil COM interface UAC bypass, then constructs inline PowerShell to patch AMSI and download stage.ps1 in-memory via IEX
- Defense Evasion: stage.ps1 adds Microsoft Defender exclusions for %TEMP% and payload paths, downloads WinDefCtl as svchost.exe, executes it with 'kill' argument to disable Defender via IFEO manipulation and kvckiller.sys kernel driver
- Persistence & C2: stage.ps1 downloads CrySome RAT (patch.exe) to %TEMP%\patch_diag.exe, launches it hidden; RAT creates CrysomeLoader scheduled task (every 5 min) and beacons to C2 at 193.26.115[.]42:5555
- Credential Theft: CrySome RAT injects abe_decrypt.dll into Chromium-based browsers to extract passwords.json and cookies.json for exfiltration to C2
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides detailed behavioral recommendations and IOC listings but does not include formal detection rules (YARA, Sigma, Snort/Suricata, KQL, SPL, or EQL). Detection guidance is provided as prose recommendations for monitoring PowerShell execution, Defender configuration changes, IFEO modifications, and browser credential theft indicators.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The attack chain involves multiple LOTL techniques (PowerShell, schtasks, registry modifications) that EDR should capture, but the AMSI patching and Defender disabling via WinDefCtl kernel driver may blind EDR before the final payload executes. Process injection into browsers and IFEO manipulation are detectable if EDR telemetry is collected before defenses are impaired. |
| Network Visibility | Medium | All payload downloads originate from a single domain (signindat[.]com) over HTTPS, and C2 communication goes to 193.26.115[.]42:5555. Network monitoring could detect these connections, but TLS encryption limits payload inspection. |
| Detection Difficulty | Moderate | The multi-stage chain provides multiple detection opportunities through behavioral monitoring (PowerShell with bypass flags, Defender exclusions, svchost.exe from %TEMP%, IFEO changes, scheduled task creation). However, the early AMSI patch and Defender disruption may degrade or disable signature-based and behavior-based detections before the RAT deploys, requiring pre-emptive telemetry collection and alerting on the initial stages. |
Required Log Sources
- Windows Security Event Logs (Process Creation - Sysmon Event ID 1 or equivalent)
- PowerShell Script Block Logging (Event ID 4104)
- Microsoft Defender operational logs and exclusion changes
- Windows Registry modification logs (Sysmon Event ID 12/13/14)
- Scheduled Task creation logs (Sysmon Event ID 1 for schtasks.exe, Event ID 4698)
- Network connection logs (Sysmon Event ID 3 or firewall/proxy logs)
- Image File Execution Options registry change monitoring
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for svchost.exe processes executing from non-standard directories such as %TEMP% or user profile paths, which would indicate masquerading behavior consistent with T1036.005 | Sysmon Event ID 1 (Process Creation) with Image path filtering for svchost.exe outside C:\Windows\System32 | Defense Evasion | Low — legitimate svchost.exe instances should only execute from System32; any other path is highly suspicious |
| Consider hunting for PowerShell processes launched with -ExecutionPolicy Bypass and hidden window flags that subsequently download content from external hosts, consistent with T1059.001 staging behavior | Sysmon Event ID 1 (Process Creation) with command line parsing, Event ID 3 (Network Connection) from powershell.exe, PowerShell Script Block Logging Event ID 4104 | Execution | Medium — legitimate administrative scripts may use bypass flags; correlate with network downloads and IEX usage to reduce noise |
| Consider hunting for modifications to Image File Execution Options registry keys targeting security software process names, which would indicate IFEO injection attempts to disable antivirus tools | Sysmon Event ID 12/13 (Registry Event) targeting HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ subkeys | Defense Evasion | Low — IFEO Debugger entries for security software processes are highly anomalous and rarely legitimate |
| Consider hunting for scheduled tasks created with names matching known malware persistence patterns or executing binaries from %TEMP% directories at frequent intervals | Windows Task Scheduler logs, Sysmon Event ID 1 for schtasks.exe with /create arguments, Event ID 4698 for task registration | Persistence | Low to Medium — legitimate software may create scheduled tasks, but tasks executing from %TEMP% at 5-minute intervals are suspicious |
| Consider hunting for browser process termination followed by DLL injection or creation of credential-related files (passwords.json, cookies.json) in temp directories, indicating browser credential theft | Sysmon Event ID 1 (Process Termination of browser processes), Event ID 7 (Image Load for abe_decrypt.dll), Event ID 11 (File Creation for passwords.json/cookies.json in temp paths) | Credential Access | Low — the combination of browser termination, DLL injection, and credential file creation is a strong indicator of malicious credential theft |
Control Gaps
- Signature-based antivirus may fail to detect the infection chain after AMSI is patched in memory and Defender is disabled via WinDefCtl kernel driver
- If EDR relies on AMSI for PowerShell content inspection, the early AMSI bypass will blind script content analysis for subsequent stages
- Network-based detection alone cannot inspect TLS-encrypted payload downloads from signindat[.]com or C2 traffic to 193.26.115[.]42:5555
- Defender exclusion additions via Add-MpPreference may not trigger alerts in environments without monitoring of security configuration changes
- IFEO registry modifications targeting security software may not be monitored in environments without registry-level Sysmon or equivalent telemetry
Key Behavioral Indicators
- svchost.exe executing from %TEMP% or any path other than C:\Windows\System32
- PowerShell processes with -ExecutionPolicy Bypass and -WindowStyle Hidden flags followed by IEX or network downloads
- Add-MpPreference or Set-MpPreference commands adding exclusions for %TEMP% paths or disabling real-time monitoring
- Scheduled task named 'CrysomeLoader' executing from %TEMP%\patch_diag.exe at 5-minute intervals
- Creation of abe_decrypt.dll in %TEMP% followed by browser process injection
- IFEO Debugger registry entries set for security software process names (MsMpEng.exe, avp.exe, ekrn.exe, etc.)
- kvckiller.sys kernel driver loaded and creating service named 'wsftprm'
- xeno_diag.log file creation in %TEMP% recording malware staging activity
False Positive Assessment
Low — the combination of svchost.exe from %TEMP%, IFEO modifications targeting security software, AMSI patching, and the specific scheduled task name 'CrysomeLoader' provides high-fidelity detection opportunities with minimal legitimate use cases. The AMSI bypass and Defender exclusion additions may have moderate false positive risk in environments with aggressive administrative scripting, but the overall chain of behaviors is highly indicative of malicious activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the domain signindat[.]com and IP 193.26.115[.]42 at network perimeter controls (firewall, proxy, DNS sinkhole) if applicable to your environment.
- Consider searching endpoint telemetry for the listed SHA-256 hashes, the scheduled task name 'CrysomeLoader', and the file artifacts (patch_diag.exe, abe_decrypt.dll, xeno_diag.log) in %TEMP% directories across your fleet.
- If your EDR supports host isolation, consider isolating any systems showing indicators of compromise related to this campaign pending forensic investigation.
- Consider reviewing email security gateway logs for messages from [email protected] or with subjects matching logistics rate confirmation themes, and purge any matching messages from user mailboxes.
Infrastructure Hardening
- Consider implementing network-level blocking for the C2 IP 193.26.115[.]42 and domain signindat[.]com if your firewall or DNS filtering supports it.
- Evaluate whether your endpoint protection can detect and prevent IFEO registry modifications targeting security software processes, and consider enabling registry protection features where available.
- Consider deploying Sysmon or equivalent endpoint telemetry if not already in place, with configuration to capture process creation, network connections, registry modifications, and DLL loading events.
- If supported by your environment, consider enabling Attack Surface Reduction (ASR) rules in Microsoft Defender to block executable content from email and prevent credential theft from browser credential stores.
User Protection
- Consider enabling or enforcing tamper protection for Microsoft Defender to make it more difficult for tools like WinDefCtl to disable protections via registry modifications.
- Evaluate whether your EDR or endpoint protection can alert on svchost.exe executing from non-standard paths, and consider blocking such executions where supported.
- Consider implementing application allow-listing or path-based restrictions to prevent execution of binaries from %TEMP% directories if compatible with your operational requirements.
- If your browser management supports it, consider enabling enhanced protection features for Chromium-based browsers to detect credential theft attempts.
Security Awareness
- Consider incorporating logistics and freight-themed phishing lures into existing security awareness training programs, as this campaign specifically targets transportation and logistics workflows.
- Remind employees to verify unexpected email attachments and links through alternative communication channels before interacting with them, especially for documents claiming to be rate confirmations or shipping notices.
- Consider educating users on the risk of downloading documents from unfamiliar web portals, particularly when the downloaded file type differs from what was expected (e.g., a .bat file instead of a PDF).
MITRE ATT&CK Mapping
Initial Access
Execution
Privilege Escalation
Defense Evasion
Command and Control
Additional IOCs
- Urls:
hxxps://signindat[.]com/ElevatorShellCode.exe- URL for downloading ElevatorShellCode.exe first-stage loader, saved to %TEMP%\es.exehxxps://signindat[.]com/update.exe- URL for downloading WinDefCtl utility, saved to %TEMP%\svchost.exe and executed with 'kill' argumenthxxps://signindat[.]com/patch.exe- URL for downloading CrySome RAT client payload, saved to %TEMP%\patch_diag.exehxxps://signindat[.]com/Rate_Confirmation_LD-2026-0847.pdf- URL for downloading decoy freight rate confirmation PDF displayed to victim while malware executes in background
- Registry Keys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\- IFEO registry path modified by WinDefCtl to add Debugger entries for security software processes (PSUAMain.exe, avp.exe, avpui.exe, ekrn.exe), redirecting their execution to systray.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender- Defender policy registry path modified by CrySome RAT AVKiller module to disable AntiSpyware, real-time monitoring, behavior monitoring, tamper protection, and Spynet reporting
- File Paths:
%TEMP%\patch_diag.exe- Disk path where CrySome RAT client (patch.exe) is written and launched as a hidden process; also added to Defender exclusions%TEMP%\svchost.exe- Disk path where WinDefCtl (update.exe) is written and renamed to masquerade as legitimate svchost.exe; anomalous execution location%TEMP%\es.exe- Disk path where ElevatorShellCode.exe is written by the initial batch file and executed in a hidden window%TEMP%\abe_decrypt.dll- Embedded DLL dropped by CrySome RAT credential theft module and injected into Chromium-based browser processes to extract passwords and cookies%TEMP%\xeno_diag.log- Diagnostic log file created by stage.ps1 recording execution details, download status, and errors; references 'Xeno' likely tied to XenoRAT reuseC:\Windows\System32\drivers\kvckiller.sys- Kernel driver deployed by WinDefCtl to terminate Microsoft Defender processes via IOCTL 0x22201C on device \.\Warsaw_PM
- Command Lines:
- Purpose: Initial batch file launches hidden PowerShell with execution policy bypass to patch AMSI and download first-stage loader | Tools:
powershell.exe| Stage: Initial Access |powershell -ep bypass -w hidden -c - Purpose: CrySome RAT persistence via scheduled task creation running every 5 minutes | Tools:
schtasks.exe| Stage: Persistence |schtasks.exe /create /tn "CrysomeLoader" /tr <processPath> /sc minute /mo 5 /f - Purpose: CrySome RAT AVKiller module disables multiple Defender protections via PowerShell | Tools:
powershell.exe| Stage: Defense Evasion |Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true - Purpose: CrySome RAT remote command execution handler launches hidden Base64-encoded PowerShell commands | Tools:
powershell.exe| Stage: Execution |powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand - Purpose: WinDefCtl executed with kill argument to disable Microsoft Defender via IFEO and kernel driver | Tools:
svchost.exe (renamed WinDefCtl)| Stage: Defense Evasion |Start-Process <path> -ArgumentList 'kill'
- Purpose: Initial batch file launches hidden PowerShell with execution policy bypass to patch AMSI and download first-stage loader | Tools:
- Other:
CrysomeLoader- Scheduled task name created by CrySome RAT for persistence, executing the client binary every 5 minutesgrp_8ycFGmG- Campaign group identifier found in CrySome RAT embedded ##CRYCFG## configuration blob##CRYCFG##- Configuration marker used by CrySome RAT to delimit its embedded configuration blob containing C2 endpoint, group ID, and enabled capabilities