| Malware family | CrySome RAT, a .NET remote access trojan |
| Threat actor | Not named; no confirmed attribution |
| Target / victims | Windows users in freight and logistics roles (single triaged incident) |
| Delivery vector | Spear-phishing email linking to a fake rate confirmation portal |
| Key capabilities | UAC bypass, AMSI patching, Defender tampering, hVNC, remote command execution, credential theft |
| Source | LevelBlue SpiderLabs; CYFIRMA |
TL;DR
LevelBlue’s MDR SOC caught a multi-stage attack that ended with the CrySome RAT. The lure was a fake freight rate confirmation. This CrySome RAT phishing attack turned off Windows defenses, then handed attackers hidden remote control.
How the attack starts
The intrusion opened with a phishing email posing as a freight rate confirmation. It carried a subject line for a Detroit-to-Dallas load. The link pointed to a fake portal that served a batch file instead of a PDF.
That batch file kicked off the chain. According to LevelBlue’s SpiderLabs analysis, the initial lure worked by “masquerading as a logistics rate confirmation document.” As a result, the target expected a normal business file and clicked without suspicion.
Inside the infection chain

The attack used living-off-the-land techniques. Instead of one obvious malware binary, it moved through native Windows tools. First, a loader named ElevatorShellCode.exe checked for admin rights. Next, it tried a UAC bypass through a COM interface.
After that, the loader patched AMSI in memory so PowerShell scanning stopped. Then a second-stage script added Microsoft Defender exclusions and pulled down more files. Each step stayed hidden from the user.
Turning off the alarms
The attackers reused a public tool called WinDefCtl to weaken Microsoft Defender. It ran from a temp folder while posing as svchost.exe. Per the report, the utility “loads the signed kvckiller.sys kernel driver to terminate Microsoft Defender processes.” Meanwhile, a decoy PDF opened on screen to keep the victim calm.
What CrySome RAT does after landing
CrySome RAT is a C# trojan first documented by CYFIRMA in March 2026. It speaks to its command-and-control server over a plain TCP channel. On connect, it sends a host profile that includes the username, OS, and the active window title.
The client is modular. Therefore, operators can switch features on or off through config flags. Supported actions include hidden virtual desktops, keylogging, proxying, and remote command execution.
Persistence is a standout trait. In this incident, the RAT created a scheduled task that relaunched the client every few minutes. CYFIRMA also found that CrySome can survive a factory reset by abusing the Windows recovery partition. Consequently, cleanup is harder than with a typical RAT.
Stealing browser credentials
A dedicated module targets Chromium browsers such as Chrome, Edge, and Brave. It closes the browser, injects a helper DLL, and reads saved passwords and cookies. The stolen data then travels back to the operator for reuse.
Attribution: what we know
No group has been named. LevelBlue confirmed the tools and the full chain, yet it did not confirm the actor. The lure aimed at freight and logistics staff, which suggests a financially motivated crew. Still, treat that read as suspected, not confirmed.
Defense and detection guidance
- Block scripts and executables that run from %TEMP% and other user-writable folders.
- Turn on Microsoft Defender Tamper Protection so policy changes cannot disable it.
- Alert on any svchost.exe process running outside C:\Windows\System32.
- Audit scheduled tasks and RunOnce keys for entries you did not create.
- Flag hidden PowerShell that uses -ExecutionPolicy Bypass or patches AMSI.
- Rotate credentials from a clean device after any suspected hit.
- For CrySome, inspect recovery partitions and offline registry hives during remediation.
This report draws on the primary LevelBlue SpiderLabs write-up and on CYFIRMA’s earlier CrySome analysis. Together, they show one clear lesson. A single freight-themed email can move an attacker from phishing to full, persistent control.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.