Crimson RAT
Crimson RAT is a custom .NET remote access trojan widely associated with Transparent Tribe (also tracked as APT36, COPPER FIELDSTONE, PROJECTM, and MYTHIC LEOPARD). The public reporting summarized here consistently describes it as a core espionage tool used primarily against Indian targets across the government, military, diplomatic, academic, education, and startup sectors; some reporting also notes activity focused on Afghanistan and the broader Indian subcontinent.
Observed delivery vectors in the content include spear-phishing emails with malicious Microsoft Office documents containing VBA macros, OLE-embedded lures, weaponized Excel files, ZIP archives, ISO container files, and malicious LNK shortcuts. Macro-based delivery reconstructed or dropped ZIP archives under %ALLUSERSPROFILE% / C:\ProgramData and executed embedded payloads. OLE-based documents used a fake "View Document" element to induce execution of Crimson RAT disguised as MicrosoftUpdate.exe. In other campaigns, ISO files contained a malicious LNK, decoy document, batch script, and a Crimson RAT payload disguised as an Excel executable; PowerShell was used to suppress security warnings, copy the payload into user application-data paths, and launch it.
Capabilities directly described in the content include remote command execution, process listing and termination, file system browsing, file upload/download and exfiltration, drive and file enumeration, screenshot capture, live screen streaming, system reconnaissance, and downloading/executing additional payloads. Multiple reports also attribute broader surveillance functions to Crimson tooling, including screen monitoring, microphone audio recording, webcam capture, keystroke logging, browser password theft, and removable-media theft. Persistence mechanisms mentioned include Windows Registry Run keys, Startup-folder artifacts, scheduled tasks, and self-copying to configured install paths. Some variants adapt persistence based on detected antivirus products.
Reporting describes several technical characteristics and variants. SentinelLABS observed multiple .NET Crimson RAT variants compiled between July and September 2022, supporting either 40 or 65 commands, using anti-analysis delays of 61, 180, or 241 seconds, machine-name checks before creating Run-key persistence, malformed function names, dynamic string resolution, and Eazfuscator obfuscation. One analyzed variant used the namespace dhrwarhsav, the hard-coded C2 IP 107.175.64.209, and attempted connections over ports 6728, 8661, 10614, 14822, and 18443; it exfiltrated host details including machine name, username, IP, NIC, client ID, OS version, RAT version, and install path, and could download a secondary payload named dorbanvca.exe. Other reported infrastructure and indicators include the C2 domain richa-sharma.ddns[.]net, the domains cloud-drive[.]store, drive-phone[.]online, and s1.fileditch[.]ch used in related staging, and a later-reported C2 at 93.127.133.58:1097. Additional non-standard ports reported for Crimson RAT communications include 18661, 20856, 26868, 29261, and 36628. Reported version identifiers include R.S.8.8, R.S.8.9, R.S.8.1, and R.S.8.6.
Reporting also references Crimson Server, a server-side management component used to control Crimson RAT infections and deploy modules such as Thin Client, Main Client, USB Driver, USB Worm, Pass Logger, KeyLogger, and Remover. Associated Crimson tooling supports remote file management, screenshot capture, microphone surveillance, webcam capture, removable-media theft, arbitrary command execution, and credential theft from browsers. High-confidence file and registry artifacts mentioned in that reporting include dhrwarhsav.exe, dorbanvca.exe, and HKCU\Software\Microsoft\Windows\CurrentVersion\Run_dreb.
Groups observed using it
2 distinct threat actors attributed by public researchers.
SentinelLABS has been tracking a cluster of malicious documents that stage Crimson RAT, distributed by APT36 (Transparent Tribe).
2024-12-04 ⋅ Microsoft Threat Intelligence ⋅ "Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage" (families referenced: Crimson RAT, MiniPocket, TwoDash, Wainscot)
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
“spread across systems by infecting removable media… USB Worm… infect removable devices with a copy of USBWorm itself”
Based on known behavior of this group, we suspect that the documents have been distributed to targets as attachments to phishing emails.
Execution
6 techniques
"The script uses PowerShell commands to remove security warnings that would normally alert users about suspicious files."
“execute arbitrary commands… execute commands with COMSPEC and receive the output… This tab allows the attacker to execute arbitrary commands on the remote machine.”
The malicious documents we analyzed stage Crimson RAT using Microsoft Office macros... The macro code executes when the documents are opened... The macros create and decompress an embedded archive file in the %ALLUSERSPROFILE% directory (C:\ProgramData) and execute the Crimson RAT payload within.
"When someone opens what appears to be an Excel spreadsheet, they unknowingly activate a chain of hidden commands that install Crimson RAT..."
Persistence
1 technique
Most of the Crimson RAT variants we analyzed evaluate whether they execute at a machine named G551JW or DESKTOP-B83U7C5 and establish persistence by creating a registry key under \SOFTWARE\Microsoft\Windows\CurrentVersion\Run only if the victim’s machine name differs.
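The persistence note above has two defender-side consequences: the Run-key entry is the artifact to hunt for, and a sandbox whose hostname happens to be G551JW or DESKTOP-B83U7C5 will never see it created. The following Python hunt is an added example, not code from SentinelLABS, Mallory, or any vendor report; it parses a constructed `reg query`-style dump of the HKCU Run key and scores each entry against the artifacts this page reports. It assumes that the reported `...\CurrentVersion\Run_dreb` artifact is a value named `_dreb` under the Run key (the page does not spell out the layout), and the sample entries, user names and the `OneDrive`/`Vendor` rows are invented.

```python
import re

# Persistence artifacts named in the reporting summarized on this page.
# Assumption: "...\CurrentVersion\Run_dreb" is read as a value named "_dreb"
# under the HKCU Run key (the page does not spell out the exact layout).
KNOWN_VALUE_NAMES = {"_dreb"}
KNOWN_BINARIES = {"dhrwarhsav.exe", "dorbanvca.exe", "microsoftupdate.exe"}
# Staging locations the reporting ties to dropped payloads (%ALLUSERSPROFILE%
# and user application-data paths). On their own these are noisy: legitimate
# per-user software also auto-starts from AppData, so they only count as weak.
STAGING_DIRS = ("c:\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\")

# Constructed sample shaped like the output of
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# The user name and the "OneDrive"/"Vendor" entries are invented.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    _dreb    REG_SZ    C:\ProgramData\dhrwarhsav\dhrwarhsav.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\MicrosoftUpdate.exe
    Vendor    REG_SZ    "C:\Program Files\Vendor\tray.exe"
"""

# One value line: <indent><name> <REG_type> <data>
REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")
# First path component ending in .exe (stops at backslashes and quotes).
EXE_NAME = re.compile(r"([^\\\"]+\.exe)")


def parse_run_entries(text):
    """Return the value entries of a reg query dump as dicts (name/type/data)."""
    entries = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Return (strong_reasons, weak_reasons) for one Run-key entry."""
    strong, weak = [], []
    data = entry["data"].lower()
    if entry["name"].lower() in KNOWN_VALUE_NAMES:
        strong.append("known value name")
    exe = EXE_NAME.search(data)
    if exe and exe.group(1) in KNOWN_BINARIES:
        strong.append("known binary name")
    if any(d in data for d in STAGING_DIRS):
        weak.append("executable launched from a staging directory")
    return strong, weak


def hunt_run_key(text):
    """Map each entry with any signal to its reasons, strong reasons first."""
    hits = {}
    for entry in parse_run_entries(text):
        strong, weak = classify(entry)
        if strong or weak:
            hits[entry["name"]] = strong + weak
    return hits


def high_confidence(text):
    """Value names backed by at least one page-reported (strong) indicator."""
    return [e["name"] for e in parse_run_entries(text) if classify(e)[0]]


if __name__ == "__main__":
    for name, reasons in hunt_run_key(SAMPLE_REG_OUTPUT).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, `_dreb` and `Updater` are high-confidence hits (reported value name and binary names), while `OneDrive` is surfaced only as a weak staging-directory hit for an analyst to dismiss; that split is the point of separating page-reported indicators from generic heuristics.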
Privilege Escalation
1 technique
Most of the Crimson RAT variants we analyzed evaluate whether they execute at a machine named G551JW or DESKTOP-B83U7C5 and establish persistence by creating a registry key under \SOFTWARE\Microsoft\Windows\CurrentVersion\Run only if the victim’s machine name differs.
Stealth
5 techniques
Crimson RAT variants implement different obfuscation techniques of varying intensities, for example, simple function name malformation and dynamic string resolution. We observed the use of the Eazfuscator obfuscator... With previous variants of Crimson RAT obfuscated using Crypto Obfuscator...
This lures users to double-click the graphic to view the content, which activates an OLE package that stores and executes Crimson RAT masquerading as an update process (MicrosoftUpdate.exe).
"...file appears artificially inflated to 34 megabytes through embedded junk data... This bloating technique helps bypass signature-based detection systems."
Discovery
6 techniques
Features of Crimson RAT include exfiltrating system information, capturing screenshots, starting and stopping processes, and enumerating files and drives.
As an anti-analysis measure, Crimson RAT variants delay their execution for a given time period, for example, 61, 180, or 241 seconds.
Lateral Movement
1 technique
Collection
4 techniques
Features of Crimson RAT include exfiltrating system information, capturing screenshots, starting and stopping processes, and enumerating files and drives.
Command and Control
4 techniques
The Crimson RAT payloads we analyzed use the richa-sharma.ddns[.]net domain for C2 purposes...
“Crimson RAT connects to its hardcoded C2 server… 93.127.133.58 (port 1097)… direct TCP C2 on rotating ports.”
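The C2 details quoted above, together with the addresses and port list in the summary at the top of this page, are the kind of indicators that get matched against egress telemetry. The script below is an added example written for this page, not code from SentinelLABS, Mallory, or any vendor report. It scores a constructed CSV firewall/proxy export against the page's reported C2 IPs, the refanged richa-sharma.ddns[.]net domain, and the reported port set; the CSV column layout, timestamps, internal hosts and the non-indicator external addresses (TEST-NET ranges) are assumptions. A hit on a reported port alone is treated as medium confidence and only for traffic leaving the internal network, since the ports are unremarkable by themselves.

```python
import csv
import io
import ipaddress

# Network indicators reported for Crimson RAT on this page. The domain is
# stored refanged (the reporting writes it as richa-sharma.ddns[.]net).
KNOWN_C2_IPS = {"107.175.64.209", "93.127.133.58"}
KNOWN_C2_DOMAINS = {"richa-sharma.ddns[.]net".replace("[.]", ".")}
# Ports the reporting associates with Crimson RAT C2. A port match alone is a
# weak signal, so it is only raised for traffic leaving the internal network.
REPORTED_C2_PORTS = {6728, 8661, 10614, 14822, 18443, 1097,
                     18661, 20856, 26868, 29261, 36628}

# RFC 1918 plus loopback; adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed firewall/proxy export. The column layout is an assumption;
# timestamps, internal hosts and the TEST-NET external addresses are invented.
SAMPLE_LOG = """\
ts,src,dst,dport,proto,sni
2024-06-01T10:00:01Z,10.0.0.5,107.175.64.209,8661,tcp,
2024-06-01T10:00:02Z,10.0.0.5,93.127.133.58,1097,tcp,
2024-06-01T10:00:03Z,10.0.0.7,198.51.100.20,443,tcp,richa-sharma.ddns.net
2024-06-01T10:00:04Z,10.0.0.9,203.0.113.44,26868,tcp,
2024-06-01T10:00:05Z,10.0.0.9,10.0.0.12,26868,tcp,
2024-06-01T10:00:06Z,10.0.0.5,198.51.100.7,443,tcp,example.com
"""


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_record(rec):
    """Return (level, reasons) for one flow; level is 'high', 'medium' or None."""
    reasons = []
    level = None
    if rec["dst"] in KNOWN_C2_IPS:
        reasons.append(f"known C2 address {rec['dst']}")
        level = "high"
    if rec["sni"] in KNOWN_C2_DOMAINS:
        reasons.append(f"known C2 domain {rec['sni']}")
        level = "high"
    port = int(rec["dport"])
    if port in REPORTED_C2_PORTS and not is_internal(rec["dst"]):
        reasons.append(f"reported C2 port {port} to external host")
        level = level or "medium"   # never downgrade an existing 'high'
    return level, reasons


def hunt_flows(csv_text):
    """Return one finding per flow that matched at least one indicator."""
    findings = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        level, reasons = score_record(rec)
        if level:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "level": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_flows(SAMPLE_LOG):
        print(f"[{f['level']:6}] {f['ts']} {f['src']} -> {f['dst']}: "
              f"{'; '.join(f['reasons'])}")
```

On the sample, the two flows to reported addresses and the TLS connection with the reported SNI are raised as high, the external connection on port 26868 as medium, and the internal-to-internal flow on the same port is ignored. Refanging at load time keeps the indicator list copy-pasteable from reports while matching the literal value seen on the wire.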
IOCs tracked for this family
43 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
15 sources tracked across advisories, community write-ups, and news.
Remote access trojan referenced in Secret Blizzard espionage activity and Snowblind reporting.
Remote access trojan delivered via ISO containers and LNK shortcuts in lure-based campaigns to provide remote control and data theft capability.
Remote access trojan used by Transparent Tribe/APT36 to compromise targets via ISO-delivered payloads; provides remote surveillance and control capabilities including screen monitoring, audio recording, file theft, and system control. Uses evasion such as file-size bloating with junk data and randomized function names; communicates to C2 over a custom TCP protocol on non-standard ports.
Remote access trojan used for surveillance, data exfiltration, and host reconnaissance; delivered via spear-phishing ISO containing a malicious LNK and staged payloads.