A new and dangerous piece of malware has surfaced in the threat landscape, and it is built to stay hidden, stay running, and stay in control of any system it infects.
CrySome RAT is written in C# and targets the .NET ecosystem, giving attackers complete remote control over compromised Windows machines.
From stealing passwords and recording keystrokes to launching invisible desktop sessions, CrySome is designed for long-term access and deep system control over a persistent TCP-based command-and-control channel.
What sets CrySome apart from other remote access trojans is that it is built to survive a Windows reset.
The malware copies itself into the OEM recovery folder at C:\Recovery\OEM and modifies the offline registry so that it is launched again after a system restore.
A victim who resets the machine from the local recovery environment therefore gets the malware back on a system they believe has been wiped clean. The caveat for responders is that this only works because the reset reuses local recovery data: wiping the disk and reinstalling from known-good external media does not carry it over. Even so, this level of persistence engineering is rarely seen in commodity RATs and places CrySome in a more serious category than the typical samples circulating in the wild.
Cyfirma analysts identified the malware after static analysis of its decompiled code and dynamic analysis of the sample, giving a clear look into its internal structure and modular design.
The research team noted that CrySome follows a modular architecture, where a bootstrap phase loads configuration settings and activates specific capabilities based on operator instructions.
Cyfirma researchers also noted that the malware communicates with its command-and-control server over TCP and immediately sends a detailed profile of the infected system upon connection, including the username, operating system details, uptime, country code, and even the title of the currently open window.
The malware also carries an aggressive defense evasion toolkit through its AVKiller module.
This component terminates antivirus processes, disables security services, blocks antivirus installation attempts, poisons the system’s hosts file to cut off AV update servers, and uses Image File Execution Options hijacking to prevent security tools from ever launching.
Major security products including Windows Defender, Kaspersky, CrowdStrike, ESET, Avast, and SentinelOne are specifically targeted. Once the AVKiller module finishes its work, the infected system is left with little to no active protection.
The threat’s reach goes even further through its Hidden Virtual Network Computing module, or HVNC, which allows attackers to interact with the victim’s machine through a completely invisible desktop session.
This means an attacker can open browsers, access files, and navigate the system without the user ever seeing any activity on their screen.
Combined with keylogging, credential harvesting from Chromium-based browsers, webcam access, screen capture, and SOCKS proxy support for lateral movement, CrySome functions more like a full post-exploitation framework than a simple remote access tool.
Defense Evasion Through the AVKiller Module
One of the most technically significant aspects of CrySome RAT is how it handles defense evasion through its dedicated AVKiller module.
AVKiller AV Process Kill List and ScanAndKillProcesses Function (Source – Cyfirma)
The module maintains hardcoded lists of antivirus process names, security service names, installer-related keywords, and antivirus update server domains.
When active, a function called ScanAndKillProcesses() runs continuously, scanning all active processes on the system and immediately terminating any that match its internal list.
It uses parallel execution to do this quickly, meaning security processes are killed almost as soon as they restart, leaving no window for protection to recover.
Beyond killing processes, the module abuses the Image File Execution Options (IFEO) registry key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, by creating a subkey named after each targeted security executable and setting its Debugger value to a harmless command.
Whenever Windows is asked to start one of those executables, it launches the configured "debugger" instead, with the original path appended as an argument; because the substitute never starts the real binary, the security tool never runs.
SetIFEOTraps Function (Source – Cyfirma)
The security application appears to start but never actually runs, giving victims no visible sign that their protection has been stopped.
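A quick way to triage this on a suspect host is to export the IFEO key with reg.exe and inspect every Debugger value offline. The parser below is an example added for this article, not code from the Cyfirma report or from the sample; the list of security executables is our own illustrative mapping for the vendors named above (the article does not reproduce the malware's list), and the .reg export it runs on is constructed for the example.

```python
r"""Triage a 'reg export' of the IFEO key for Debugger hijacks (example code).

Collect the input on the suspect host with:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and feed the file's text to find_ifeo_traps().
"""
from typing import Dict, List

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Illustrative process names for the vendors the article names. This is our
# own mapping for the example, not the kill list recovered from the sample.
SECURITY_EXES = {
    "msmpeng.exe": "Windows Defender",
    "avp.exe": "Kaspersky",
    "csfalconservice.exe": "CrowdStrike",
    "ekrn.exe": "ESET",
    "avastsvc.exe": "Avast",
    "sentinelagent.exe": "SentinelOne",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'Windows Registry Editor 5.00' / REGEDIT4 exports.

    Returns {key_path: {value_name: data}} for REG_SZ values only, which is
    all a Debugger check needs. Joins continuation lines (trailing backslash)
    and skips dword/hex data.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip("\r")
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        line = line.strip()
        if (not line or line.startswith(";") or line == "REGEDIT4"
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes as \" and backslashes as \\ inside REG_SZ data
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_ifeo_traps(export_text: str) -> List[dict]:
    """Report every direct IFEO subkey that carries a Debugger value."""
    findings = []
    for key, values in parse_reg_export(export_text).items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = key[len(IFEO_KEY) + 1:]
        if "\\" in image:                  # nested keys such as PerfOptions
            continue
        vals = {k.lower(): v for k, v in values.items()}  # value names are case-insensitive
        debugger = vals.get("debugger")
        if debugger is None:
            continue
        vendor = SECURITY_EXES.get(image.lower())
        findings.append({
            "image": image,
            "debugger": debugger,
            "vendor": vendor,
            # Any Debugger value deserves a look; one on a security executable is a trap
            "severity": "high" if vendor else "review",
        })
    return findings


# Constructed export for the example: one trap on Defender, one legitimate
# JIT-debugger entry, and a key with no Debugger value at all.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe /c exit"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\System32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"UseFilter"=dword:00000001
"""

if __name__ == "__main__":
    for f in find_ifeo_traps(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']} ({f['vendor'] or 'unknown target'})")
```

Developer machines legitimately carry Debugger values (Visual Studio's JIT debugger is the common one), so the example grades a hit on a known security executable as high and everything else as review rather than treating every Debugger value as malicious.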
The module also calls PoisonHostsFile(), which rewrites the system’s hosts file to redirect antivirus update domains to 0.0.0.0, blocking signature and definition updates entirely.
Over time, even if a security product manages to survive, it becomes outdated and far less effective.
PoisonHostsFile Function (Source – Cyfirma)
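The hosts file is plain text, so the poisoning is easy to check for once the file has been collected from the host (C:\Windows\System32\drivers\etc\hosts). The checker below is an example added for this article, not the malware's PoisonHostsFile() routine or code from Cyfirma; the vendor domain suffixes are our own illustrative list, and the hosts content it runs on is constructed for the example.

```python
"""Flag hosts-file entries that sink-hole non-local names (example code)."""
import ipaddress
from typing import List, Tuple

# Addresses the article says the malware points update domains at, plus the
# other loopback forms a hosts file can use for the same effect.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Illustrative update/telemetry domain suffixes for the vendors the article
# names; our own list for the example, not the one embedded in the sample.
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com",
                   "crowdstrike.com", "eset.com", "avast.com", "sentinelone.net")


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping, expanding aliases."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line; Windows ignores it too
        for host in parts[1:]:
            entries.append((parts[0], host.lower().rstrip("."), no))
    return entries


def _vendor_suffix(host: str):
    return next((s for s in VENDOR_SUFFIXES if host == s or host.endswith("." + s)), None)


def find_sinkholed_hosts(text: str) -> List[dict]:
    """Every non-local name mapped to a sink-hole address, graded by target."""
    findings = []
    for ip, host, no in parse_hosts(text):
        if ip not in SINKHOLE_IPS or host in LOCAL_NAMES:
            continue
        vendor = _vendor_suffix(host)
        findings.append({
            "line": no,
            "host": host,
            "ip": ip,
            "vendor": vendor,
            # Ad-blocking hosts lists also map thousands of names to 0.0.0.0,
            # so only a hit on a security vendor's domain is graded high.
            "severity": "high" if vendor else "review",
        })
    return findings


# Constructed hosts file for the example: stock Microsoft header, several
# poisoned vendor names (one with two aliases, one with a trailing dot),
# a typical ad-block entry, and an ordinary internal mapping.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
0.0.0.0 update.eset.com
0.0.0.0 dnl-01.geo.kaspersky.com u.kaspersky.com   # two names on one line
127.0.0.1 localhost
0.0.0.0 ts.crowdstrike.com.
0.0.0.0 ads.example.net
192.168.1.10 fileserver.corp.local
"""

if __name__ == "__main__":
    for f in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"[{f['severity']}] line {f['line']}: {f['host']} -> {f['ip']}")
```

Because the sample on the page rewrites the file wholesale, a diff of the collected file against the stock Windows hosts file (which contains only commented-out localhost lines) is also a fast first check; the parser matters when a benign customised hosts file is in use and the poisoned lines are mixed in with legitimate ones.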
Security teams and system administrators should take the following steps in response to this threat. Any system showing indicators tied to CrySome RAT should be isolated immediately to stop lateral movement.
Endpoint detection and response tools capable of catching process injection, registry changes, and service abuse should be deployed across all environments.
Scheduled tasks, Windows services, and Run/RunOnce registry keys should be checked regularly for entries that were not authorized. The domain crysome[.]net and any related infrastructure should be blocked at the network level.
Tamper protection should be turned on to prevent scripts or policy changes from disabling security tools.
Recovery partitions and offline registry hives require deep forensic examination during any remediation effort to confirm no hidden persistence survives.
Application control policies should be enforced to stop unknown or unsigned binaries from running, especially from user-writable folders. Finally, offline backups and verified system images should be maintained to support full recovery when needed.
The post CrySome RAT Emerges as Advanced .NET Malware With AV Killer and HVNC Capabilities appeared first on Cyber Security News.