A structured, multi-stage infection chain delivers the CrySome RAT via a logistics-themed spear-phishing lure. Initial access is achieved through a fake rate confirmation portal that drops a batch file, which chains UAC bypass (ICMLuaUtil COM interface), in-memory AMSI patching, and the open-source WinDefCtl utility to weaken Microsoft Defender before deploying the persistent RAT payload. CrySome RAT provides the operator with remote command execution, credential theft from Chromium browsers, HVNC, keylogging, and persistence via a scheduled task executing every 5 minutes.