
Threat Actor Characterization

CROCUS RAT

ID: a1532a72862ef57d39753da10c242ef701894
Crimeware RAT Spyware/Stealer
Threat types: Malware
Origin: Unknown
Updated: 2026-03-30
Created: 2026-03-30
Progress: 75% Completeness: 68% Freshness: 90%
Operation zone:
Aliases: No aliases registered.

MITRE ATT&CK®

CROCUS RAT is a newly surfaced Windows remote access trojan publicly advertised in March 2026 by the handle shinyenigma. Open sources currently support its existence as a commercially sold crimeware tool with HVNC, keylogging, credential theft, wallet-data theft, and remote PowerShell capabilities, but not yet a mature public campaign record.


Technique / Technique name / Tactics / Evidence

T1497 Virtualization/Sandbox Evasion (TA0005 Defense Evasion, TA0007 Discovery)
  • 2026-03-13 — Seller advertises 'anti-VM' as part of the normal/advanced installation options.
T1059.001 PowerShell (TA0002 Execution)
  • 2026-03-13 — Seller advertises a remote PowerShell terminal, supporting PowerShell-based post-compromise execution.
T1056.001 Keylogging (TA0006 Credential Access, TA0009 Collection)
  • 2026-03-13 — Seller explicitly lists keylogger functionality.
T1555 Credentials from Password Stores (TA0006 Credential Access)
  • 2026-03-13 — Seller claims browser data recovery, including passwords and credit cards.
T1539 Steal Web Session Cookie (TA0006 Credential Access)
  • 2026-03-13 — Seller claims recovery of browser cookies with app-bound key decryption, consistent with web session theft.
T1005 Data from Local System (TA0009 Collection)
  • 2026-03-13 — Seller advertises collection of screenshots, browser downloads/history, Telegram sessions, Discord tokens, and wallet data from the local system.
T1113 Screen Capture (TA0009 Collection)
  • 2026-03-13 — Seller explicitly lists screenshot grabbing.
T1123 Audio Capture (TA0009 Collection)
  • 2026-03-13 — Seller explicitly lists microphone recording.
T1204 User Execution (TA0002 Execution)
  • 2026-03-30 — INFERENCE (confidence: medium): Commodity Windows RATs sold in this manner commonly depend on buyer-driven user execution through phishing, lure archives, or trojanized software, although a Crocus-specific delivery chain is not yet public.
T1547 Boot or Logon Autostart Execution (TA0003 Persistence, TA0004 Privilege Escalation)
  • 2026-03-30 — INFERENCE (confidence: medium): The 'Normal/Advanced installation' wording suggests optional persistence mechanisms, even though the exact method is not publicly described.
T1529 System Shutdown/Reboot (TA0040 Impact)
  • 2026-03-13 — Seller lists system shutdown actions including poweroff, restart, logoff, and BSOD.
Strategic Intelligence
Last updated: 2026-03-30T04:44:25+00:00

CROCUS RAT — Commercially advertised Windows RAT / HVNC-enabled crimeware

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Malware / Remote Access Trojan (RAT) / Crimeware-for-sale — Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

CROCUS RAT is a newly surfaced Windows remote access trojan publicly advertised in March 2026 by the handle shinyenigma. Publicly available material is limited and currently centers on marketplace-style sales posts rather than incident reporting, malware reverse engineering, or broad victim disclosure.


The advertised feature set positions the malware as a multi-function commodity intrusion tool rather than a narrow single-purpose RAT. Claimed capabilities include file management, remote PowerShell execution, HVNC, webcam and microphone access, browser and wallet data recovery, keylogging, Telegram session theft, Discord token theft, privilege elevation, and anti-VM options. That mix is consistent with a general-purpose access-and-theft operator toolkit.

IOC Appendix
Last updated: 2026-03-30T04:48:43+00:00

IOC Appendix — CROCUS RAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE
OSINT Library
Last saved: 2026-03-30T04:48:57+00:00

OSINT Library — CROCUS RAT

2026-03-13 — Hack Forums — “CROCUS RAT (HVNC, Keylogger, stealer and more)”
Social Media & Communication
SOCMINT integrated: 0/2

Address / Verification / SOCMINT
mega.nz/fil********** Restricted Not integrated
patched.to/Thr**************************************************** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

[8 reference images on record; 4 shown in preview mode. Additional evidence is restricted to Analyst and Premium plans.]