Stealthy .NET Malware Adds AV Killer, HVNC Features
CrySome RAT is a newly observed, advanced .NET remote access trojan that combines full-featured post‑exploitation tooling with unusually hardened persistence, AV-killing, and anti‑removal logic, making it a serious long‑term threat to Windows environments.
The client component (Crysome.Client.exe) communicates with a TCP‑based C2 operated by CrySome.Server.exe, with debug logging falling back to a Crysome_debug.log path if temp logging fails.
Static analysis of the decompiled client shows a modular architecture with distinct components such as SelfProtect, AVKiller, Survival, and feature‑specific handlers wired through a structured packet protocol.
Execution begins with a bootstrap phase that loads configuration, establishes the C2 channel, and conditionally enables persistence and defense‑evasion modules based on operator‑controlled flags.
According to the report, CrySome is written in C# for the .NET ecosystem and delivered as a single, packed executable using Costura.Fody to embed dependencies, inflating the PE with managed resources and avoiding an external libraries folder.
Once initial setup completes, the client enters a continuous network loop that processes incoming packets, each mapped to a defined command type (for example, RunCommandRequest, StartHvncPacket, StartProxyRequest), effectively exposing a remote API to the attacker.
Core Capabilities and C2 Protocol
The RAT exposes wide‑ranging remote operations, including PowerShell command execution, file upload/download and deletion, process enumeration and killing, and detailed system profiling that captures OS details, user name, uptime, region, and the title of the current foreground window to give operators immediate context on live user activity.

It also supports screen capture, audio and webcam access, global keylogging, Chromium‑based credential and cookie theft, and both conventional remote desktop and hidden virtual desktop (HVNC) sessions for covert interactive control.
Networking is based on a persistent TCP connection, with handlers registered via a central RegisterHandlers() routine that keeps core identity, system‑info, and heartbeat commands always active while selectively enabling higher‑risk capabilities according to configuration.
Feature flags gate access to modules such as file transfer, direct payload download and execution, SOCKS and reverse proxy pivoting, and interactive chat, allowing CrySome to function as a configurable post‑exploitation framework rather than a monolithic implant.
CrySome’s most notable strength lies in its layered persistence design, which combines scheduled tasks, registry startup entries, redundant copies, watchdog processes, Windows services, and recovery‑partition abuse.

A scheduled task named CrySomeLoader can be created via schtasks.exe to relaunch the client every few minutes, while RunOnce registry entries and hidden, system‑flagged binaries under plausible names like RuntimeBroker.exe in AppData paths provide additional footholds.
The Survival component adds a Windows service (WindowsHealthMonitor) configured for auto‑start and automatic restart on failure, plus a reset‑survival path that copies the payload into C:\Recovery\OEM under a random name and uses an offline‑registry batch script to inject RunOnce execution into the mounted hive.
LockOwnFile() opens the current executable with restricted sharing permissions, effectively preventing other processes from modifying or deleting it.

By modifying the offline registry associated with the recovery environment, CrySome can survive factory resets and re‑establish execution after system restoration, a relatively rare but highly resilient persistence technique.
AVKiller, Self‑Protection, and Stealth
The AVKiller module encodes extensive vendor intelligence, including process names, services, installer patterns, and update domains for products such as Microsoft Defender, Kaspersky, Avast, ESET, CrowdStrike, and SentinelOne.
AddStartupRegistry() writes an entry into the RunOnce registry key, pointing to either the primary copy or the current executable.

It repeatedly scans for and terminates known security processes, disables and sets related services to “disabled,” and aggressively kills suspected security installers and their process trees in real time, preventing fresh deployments of endpoint protection.
Hosts‑file poisoning blocks access to antivirus update servers by mapping vendor domains to 0.0.0.0, gradually degrading any surviving defenses, while NeutralizeDefender() layers PowerShell, registry policy, and scheduled‑task tampering to switch off Microsoft Defender’s real‑time, behavioral, script, cloud, and scan capabilities and prevent their recovery.
Further, the malware abuses Image File Execution Options (IFEO) by assigning fake debugger entries (for example, cmd.exe /c echo) to targeted security tools, silently hijacking their launch attempts so they appear to start but perform no action.
InstallResetSurvival() establishes persistence by copying the executable into the C:\Recovery\OEM\ directory and renaming it using a randomly generated filename to avoid detection.

Dynamic analysis shows the client launching under names such as Build.exe and spawning child processes like RuntimeBroker.exe alongside conhost.exe, sc.exe, reg.exe, and powershell.exe to perform background tasks related to service creation, registry manipulation, and persistence setup while staying unobtrusive to end users.
Combined with HVNC‑based hidden desktops, real‑time foreground window tracking, proxy‑driven lateral movement, and full surveillance capabilities, CrySome operates as a mature post‑exploitation platform aimed at durable, stealthy control of compromised Windows systems rather than short‑lived commodity access.
These activities occur silently, with CrySome maintaining hidden execution, legitimate‑looking file and service names, and minimized UI footprint to reduce the likelihood of discovery during normal workstation use.
INDICATORS OF COMPROMISE
| Indicator | Value | Context |
| SHA256 (Client) | f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d | Identifies the CrySome RAT client executable used for initial infection and execution on the victim system |
| SHA256 (Server) | fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3 | Identifies the CrySome RAT server component responsible for command-and-control operations |
| Domain | Crysome[.]net | Showcase or promotional site for the CrySome RAT software, used to demonstrate its capabilities |