CrySome RAT: Multi-Layered Userland Evasion and Post-Exploitation Framework

    Date: 04/21/2026

    Severity: High

    Summary

    CrySome RAT is a modular, userland-focused post-exploitation framework emphasizing persistence, evasion, and operator control (keylogger, credential harvesting, RDP, HVNC). While it does not exhibit kernel-level sophistication, its combination of defense evasion techniques and surveillance capabilities makes it effective against poorly monitored environments. Its commercialization and availability in cracked forms significantly increase its threat surface, particularly among lower-tier threat actors.

    Indicators of Compromise (IOC) List

    Domain:

    http://Crysome.net

    Hash (SHA-256):

    f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d

    fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3

    c8836a733b3df2b4bfd861b81e3452a0bc169ffe707f483a06f7ad89a4cc2965

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://Crysome.net" or url like "http://Crysome.net" or siteurl like "http://Crysome.net"

    Detection Query 2:

    sha256hash IN ("fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3","f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d","c8836a733b3df2b4bfd861b81e3452a0bc169ffe707f483a06f7ad89a4cc2965")
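    An offline matcher for the IOCs above, as an added example that is not part of this advisory or of Gurucul's TDIR platform: it mirrors Detection Query 1 (C2 domain in URL-bearing fields) and Detection Query 2 (SHA-256 set) over constructed log records, matching hostnames case-insensitively and ignoring scheme and path, which is broader than the literal string comparison in Query 1, while rejecting look-alike hosts that merely contain the domain as a substring.

```python
# Added example (not Gurucul's code): offline matcher for the CrySome IOCs above.
# Mirrors Detection Query 1 (C2 domain in URL fields) and Query 2 (SHA-256 set);
# host matching is case-insensitive and ignores scheme/path, broader than a literal compare.
import hashlib
from urllib.parse import urlparse

CRYSOME_DOMAIN = "crysome.net"  # IOC from the advisory, normalised to lowercase
CRYSOME_SHA256 = {  # the three sample hashes from the advisory
    "f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d",
    "fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3",
    "c8836a733b3df2b4bfd861b81e3452a0bc169ffe707f483a06f7ad89a4cc2965",
}

def hostname_of(value: str) -> str:
    """Lowercase hostname from a URL or bare host string ('' if none)."""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def domain_matches(value: str) -> bool:
    """Query 1: field resolves to the C2 domain or one of its subdomains."""
    host = hostname_of(value)
    return host == CRYSOME_DOMAIN or host.endswith("." + CRYSOME_DOMAIN)

def hash_matches(sha256_hex: str) -> bool:
    """Query 2: SHA-256 (any case, stray whitespace tolerated) is a listed sample."""
    return sha256_hex.strip().lower() in CRYSOME_SHA256

def sha256_of_bytes(data: bytes) -> str:
    """Hash on-disk content so it can be checked with hash_matches()."""
    return hashlib.sha256(data).hexdigest()

def scan_events(events: list[dict]) -> list[dict]:
    """Apply both queries to log-style records; return hits tagged with the rule name."""
    hits = []
    for ev in events:
        if any(domain_matches(ev[f]) for f in ("domainname", "url", "siteurl") if f in ev):
            hits.append({**ev, "rule": "crysome_domain"})
        elif "sha256hash" in ev and hash_matches(ev["sha256hash"]):
            hits.append({**ev, "rule": "crysome_hash"})
    return hits

if __name__ == "__main__":
    sample = [  # constructed events, not from a real incident
        {"host": "ws01", "url": "http://Crysome.net/gate.php"},
        {"host": "ws02", "siteurl": "https://docs.example.org/"},
        {"host": "ws03", "sha256hash": "F30F32937999ABE4FA6E90234773E0528A4B2BD1D6DE5323D59AC96CDB58F25D"},
    ]
    for hit in scan_events(sample):
        print(hit["rule"], hit["host"])
```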

    Reference:

    https://gurucul.com/blog/crysome-rat-multi-layered-userland-evasion-and-post-exploitation-framework/#mutex-based-execution-control


    Tags

    Malware, RAT, Exploit, Social Engineering, Threat Actor, Credential Harvesting, RDP, HVNC, Keylogger
