top of page

CrySome RAT Campaign Turns a Fake Freight Document Into a Full Remote Access Breach

  • 20 minutes ago
  • 3 min read

A logistics-themed phishing campaign recently pushed the CrySome remote access trojan through a multi-stage Windows infection chain, showing how attackers are blending believable business lures, native system tools, open-source security-disabling utilities, and modular malware to gain persistent control of victim machines.


Researchers with LevelBlue’s SpiderLabs said the incident began with a targeted spear-phishing email disguised as a freight rate confirmation. The message impersonated a routine logistics workflow, sent the victim to a fake rate confirmation portal, and offered what appeared to be a downloadable PDF. Instead, the download delivered a batch file named Rate_Confirmation_LD-2026-0847.bat, kicking off a hidden PowerShell chain designed to bypass security checks and install CrySome RAT.


The attack is notable because it did not rely on one obvious malicious executable. Instead, it moved through several stages, using PowerShell with execution policy bypass, in-memory AMSI patching, a User Account Control bypass tied to the ICMLuaUtil COM interface, and a Defender-disruption tool before launching the final payload.


The first-stage batch file silently started PowerShell, patched Microsoft’s Antimalware Scan Interface in memory, downloaded ElevatorShellCode.exe, saved it as %TEMP%\es.exe, and ran it in a hidden window. From there, the loader attempted privilege elevation, assembled another PowerShell payload at runtime, retrieved stage.ps1 from attacker-controlled infrastructure, and executed it in memory. The goal was clear: keep the chain moving without leaving an easy trail of standalone scripts on disk.


The second-stage script prepared the victim machine for long-term compromise. It logged execution details to xeno_diag.log, added Microsoft Defender exclusions for the temporary directory and dropped executables, downloaded a Defender tampering utility, and then fetched the CrySome RAT payload itself. To keep the victim from getting suspicious, the malware also opened a decoy freight rate confirmation PDF while the real infection continued in the background.


One of the most concerning pieces of the campaign was its use of WinDefCtl, an open-source tool designed to interfere with Microsoft Defender. The attacker downloaded it as update.exe, renamed it to svchost.exe, and executed it from %TEMP%, a location that should immediately look suspicious to defenders because legitimate svchost.exe runs from C:\Windows\System32. According to the analysis, the tool was used in “kill” mode to weaken Defender protections before CrySome RAT was launched.


Once installed as %TEMP%\patch_diag.exe, CrySome RAT gave the operator the kind of access defenders dread. The malware supports persistence, remote command execution, file management, system reconnaissance, hidden virtual network computing, credential theft, keylogging, proxying, screen capture, and access to audio and camera functions. It also created a scheduled task named CrysomeLoader, configured to relaunch the malware every five minutes.


The credential theft module focused on Chromium-based browsers, including Chrome, Microsoft Edge, and Brave. When triggered by the command-and-control server, the RAT could terminate browser processes, inject abe_decrypt.dll, and extract stored passwords and session cookies into JSON files for exfiltration.


The campaign’s command-and-control configuration was embedded inside the malware rather than retrieved from an external service. LevelBlue’s analysis found a configuration blob containing a C2 endpoint, campaign group identifier, persistence settings, parent process spoofing details, and enabled malware capabilities.


For security teams, the broader warning is that commodity and open-source tooling can make malware operations harder to spot when attackers chain them together carefully. A fake business document, a hidden PowerShell command, an AMSI patch, a renamed Defender-disruption tool, and a decoy PDF were enough to move the intrusion from phishing to persistence.


Detection teams should watch for PowerShell launched with -ExecutionPolicy Bypass, hidden windows, in-memory execution through IEX, suspicious Defender exclusions, svchost.exe running from temporary directories, scheduled tasks such as CrysomeLoader, and unexpected browser process termination followed by DLL injection. In this campaign, those signals were the difference between a routine phishing email and a fully developed remote access compromise.

bottom of page