Crypto24 Campaign Shows Operational Maturity, with Custom Tooling & EDR Evasion
Trend Micro researchers report that Crypto24 ransomware operators have conducted highly coordinated attacks targeting organizations across Asia, Europe, and the U.S. Victims span multiple industries, including financial services, entertainment, manufacturing, and technology. Trend Micro's analysts and researchers noted that “the threat actor operates with a high level of coordination, frequently launching attacks during off-peak hours to evade detection and maximize impact.” The group combines widely used administrative tools with purpose-built malware to maintain stealth and persistence. Trend Micro warns, “Unlike more conventional groups, the threat actor demonstrates a high level of operational maturity, skillfully combining legitimate tools (PSExec, AnyDesk) alongside custom malware, which allows them to blend in with normal IT operations while executing precision attacks during off-peak hours,” adding, “Crypto24 attacks demonstrate that threat actors have studied our security stacks, identified systematic weaknesses, and built purpose-designed tools to exploit them.”
Initial compromise tactics involve the use of “net.exe” to create and reactivate administrative accounts, many of which are added to both the “Administrators” and “Remote Desktop Users” groups. These accounts allow elevated and remote access while blending in with legitimate users. Reconnaissance is performed using WMIC, “net user,” and “net localgroup” to collect system, domain, and privilege details. Persistence is maintained through scheduled tasks and services created via “sc.exe,” which deploys both the ransomware and the “WinMainSvc.dll” keylogger. For evasion, “svchost.exe” is used to run services, and RDP is enabled through registry edits and firewall modifications using “reg.exe” and “netsh.exe.”
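Each of the steps above (account creation with net.exe, additions to the Administrators and Remote Desktop Users groups, sc.exe service creation, RDP enabled through reg.exe and netsh.exe) is also routine administrator activity, so the useful detection is several of them stacking on one host inside a short window, during off-peak hours. The script below is an added illustration of that idea and is not part of Trend Micro's report or tooling; the log format, host names, business hours, and the registry value name matched by the RDP rule are assumptions, and the events are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "timestamp|host|image|commandline" process-creation events (Sysmon 1 / 4688 shape); not real telemetry.
SAMPLE_EVENTS = r"""
2024-03-02T02:14:05|FS01|C:\Windows\System32\net.exe|net user svc_backup Passw0rd! /add
2024-03-02T02:14:09|FS01|C:\Windows\System32\net.exe|net localgroup "Remote Desktop Users" svc_backup /add
2024-03-02T02:20:31|FS01|C:\Windows\System32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2024-03-02T02:20:40|FS01|C:\Windows\System32\netsh.exe|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
2024-03-02T02:31:02|FS01|C:\Windows\System32\sc.exe|sc create WinMainSvc binPath= "C:\Windows\System32\svchost.exe -k netsvcs" type= share
2024-03-04T11:02:17|WS07|C:\Windows\System32\net.exe|net localgroup Administrators helpdesk /add
"""

# (image regex, command-line regex) per step in the report; the registry value name is an assumed target.
RULES = {
    "local_account_created": (r"net1?\.exe$", r"\buser\s+\S+\s+\S+\s+/add\b"),
    "privileged_group_add": (r"net1?\.exe$", r'localgroup\s+"?(administrators|remote desktop users)"?\s+\S+\s+/add'),
    "service_created": (r"sc\.exe$", r"\bcreate\b"),
    "rdp_enabled_registry": (r"reg\.exe$", r"terminal server.*fdenytsconnections.*/d\s+0\b"),
    "rdp_firewall_opened": (r"netsh\.exe$", r"firewall.*(remote desktop|3389).*enable=yes"),
}

def match_rules(image, cmdline):
    """Names of every rule whose image and command-line patterns both match."""
    return [name for name, (img_re, cmd_re) in RULES.items()
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def off_hours(ts):
    # Assumed business hours Mon-Fri 07:00-19:00; the report stresses off-peak timing.
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19

def score_hosts(log_text, window_minutes=60, alert_threshold=3):
    """Distinct techniques per host in a sliding window: one hit is admin noise,
    several different ones within an hour on the same host are not."""
    per_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        ts = datetime.fromisoformat(ts)
        per_host[host].extend((ts, rule) for rule in match_rules(image, cmdline))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        stacked = 0
        for i, (start, _) in enumerate(hits):
            limit = start + timedelta(minutes=window_minutes)
            stacked = max(stacked, len({r for t, r in hits[i:] if t <= limit}))
        findings[host] = {"techniques": sorted({r for _, r in hits}),
                          "off_hours": any(off_hours(t) for t, _ in hits),
                          "stacked": stacked, "alert": stacked >= alert_threshold}
    return findings
```

In the sample, FS01 stacks five distinct techniques in 17 minutes at 02:00 on a Saturday and alerts, while the lone weekday group addition on WS07 stays below the threshold.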
A critical capability involves Crypto24’s deployment of RealBlindingEDR, which disables callback functions in EDR products by targeting drivers associated with over two dozen security vendors, including Citrix, Kaspersky, Malwarebytes, Sentinel, Sophos, Symantec, and Trend Micro. The tool is executed with flags to selectively disable protections for each driver. The operators achieve privilege escalation using “runas.exe” and PSExec with stolen or escalated credentials, enabling remote execution of commands and broader movement within the network. They also install the keylogger “WinMainSvc.dll” via batch scripts and register it as a persistent Windows service. Alongside this, a patched version of “termsrv.dll” is used to allow simultaneous RDP sessions. TightVNC, an open-source remote desktop tool, is later installed for GUI-based access, and registry/GPO modifications are re-applied to maintain RDP capabilities across reboots or remediation attempts.
The final stage of the attack chain included the use of GPO to execute Trend Micro’s legitimate uninstaller (“XBCUninstaller.exe”) to disable EDR protections. This was performed using “gpscript.exe” and batch files hosted on internal shares. With security tooling removed, the ransomware component “MSRuntime.dll” was deployed and executed via a new service. Indicators of encryption and ransom note delivery followed shortly after. Earlier, a test file had been created and uploaded to Google Drive to verify that exfiltration worked, followed by the upload of captured keystrokes and session activity. This use of native cloud tools for exfiltration allowed data theft to remain low-noise and covert. The attack breakdown and the techniques demonstrated reinforce Trend Micro's assessment of the operator's operational maturity and methodical planning, characteristics Trend Micro emphasized as being “uncommon in commodity ransomware.”