Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
132
Global rank
154 infographic chevron month
Month rank
136 infographic chevron week
Week rank
0
IOCs

Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.

Trojan
Type
Pakistan
Origin
1 January, 2016
First seen
9 September, 2025
Last seen
Also known as
SEEDOOR
Scarimson

How to analyze Crimson RAT with ANY.RUN

Type
Pakistan
Origin
1 January, 2016
First seen
9 September, 2025
Last seen

IOCs

Hashes
5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6
6b5f7abb7b99d3b1c46097ed1eb474732a125bc31ff429ed1a438beb4b01ac3c
9b4932af4003a11929da44d1181e9c5d9414b2c510cc601accc1691d36a21649
718137900e59dd9dd9f3582bfb6841d27955484b47290b94ec5316317e623aec
538594e61929ba9fd81f7ad21c083078ec86a5cc3fdc4be2207997de0c282d89
2de20700d943981ad1bdb2f6b4d03b7c65633c1a7e1bc504ba20ec5f417eb69b
3c03f68788903ed2359d0476934cdbad8eb7ae4fb7472f25e5f354b25d7880ae
f874ab543bd1876707bb16cb7cc5f807eb039ebce29f6c898545ab12edaec9ff
00e89eddc18f9bbc93c4c8b204ab3010bbb62a4f237a823e7926c4b1cec1067b
70624991f5b2498efc13f22dfcf82103db128f2184010f5d7a3aca8dd1b07920
e5531fcf015db455a4c8fe6cb57fb5c7e179c84bb6b80194527c8ac581e055c9
143d1dd302d05455f6e250e7b745ea2481ac5b780dfb6d8dff15d6cc72f2a144
1f9a47d0d143a31e37c9c10e055103ca6d3632bf29b1d33b76b89810aeaccff4
777679db2c9f756a37f3092b8e3bd0c662cb05ac308f852d457c2cb71b50be96
2db4365498a82081bce864196207c9478da3466167291ff7f36f93c9483fa624
d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e
e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
bde269bf69582312c1ec76090991e7369e11dbee47a153af53e49528c8bd1b27
47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e
886c394c284f3f334c0e385fe36ec1022037585810b9e39629fcbdc2ac4d27e1
Last Seen at

Recent blog posts

post image
What is a Malware Sandbox? Everything SOC Ana...
watchers 187
comments 0
post image
Major Cyber Attacks in October 2025: Phishing...
watchers 2101
comments 0
post image
5 SOC Challenges and How Threat Intelligence...
watchers 409
comments 0

What is Crimson RAT?

Crimson is a Remote Access Trojan — it is malware that cybercriminals or threat groups can utilize to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials, and more.

Crimson is known to be used particularly by an APT (Advanced Persistent Threat), a cyber gang founded by a state. Therefore, the Crimson RAT is targeted at a very specific group of victims, among whom are Indian Government organizations and the military.

General description of Crimson RAT

Crimson RAT is among malware that utilizes information related to the coronavirus to infect the machines of their victims. The strategy of using a natural disaster to exploit the need for information and the stress of potential victims is not new among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing by some cyber-attack schemes.

As such, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed it can perform several malicious functions, most of which are targeted at information gathering. The RAT can record and share running processes on an infected machine with the attackers, take screenshots, and steal information from web-browsers. Also, the malware has the capability to download files into infected systems from a control server.

As we mentioned above, the Crimson RAT is operated by an APT. In particular, APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively among Indian officials and military personal. It is believed that retrieved sensitive information that the APT collects is used by Pakistan in military efforts against India.

In fact, APT36 is also commonly known under the name Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the stealing of tactical and training information. However, other malware samples have been used in previous attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.

crimson_process_graph

Figure 1: Shows the execution process of the Crimson RAT. This Graph was generated by ANY.RUN.

crimson_text_report

Figure 2: Displays a text report that users can create in ANY.RUN. Text reports can be used to demonstrate found information and can be customized to show only necessary data.

Crimson RAT execution process

Crimson RAT execution process is pretty straightforward but it can vary from sample to sample. Often, the malware executable file is located directly inside a malicious document and once the user opens it, the file drops the trojan. In other cases, a maldoc can contain a macro that leverages Powershell to download and start a Crimson executable file. After the trojan starts, it will try to establish a connection with a C2 server and transmit information about the victim's system and the list of running processes on that system.

Crimson RAT malware distribution

Crimson RAT spreads using highly targeted email spam campaigns using the same scenario as Quasar RAT. Spear Phishing techniques that leverage the fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file, which allegedly contains information related to the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities, such as CVE-2017–0199 for example.

How to detect Crimson RAT

Analysts can detect the Crimson RAT based on file operations. To do so, click on the process in the "Process list" section, and in the appeared "Process details" window click the "More info" button. In the "Event" section switch from "Friendly" to "Raw". After that, enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations with a folder with such names are found, be sure — that’s the Crimson RAT in front of you.

Conclusion

Crimson the same as Netwalker is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far this particular malware has been used almost exclusively in military espionage, but it may very well become more widespread in the future.

Since this is a lesser-known malware, not a lot of samples are available to analyze. Thankfully, ANY.RUN malware hunting service presents an opportunity to study this RAT in an interactive simulation, allowing for quick and simple dynamic analysis in a secure online environment.

HAVE A LOOK AT

LockBit screenshot
LockBit
lockbit
LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.
Read More
Bert Ransomware screenshot
Bert Ransomware is a newly emerged ransomware group that has been active since April 2025. It deploys variants targeting both Windows and Linux systems, focusing on critical sectors like healthcare, technology, and event services across the US, Asia, and Europe.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More