CrystalX RAT Emerges as MaaS Threat Combining Spyware, Stealer, and Remote Control

CrystalX RAT is a newly identified, advanced Malware‑as‑a‑Service (MaaS) threat that merges spyware, credential theft, and remote access features, enabling attackers to closely monitor and control infected systems.

In March 2026, researchers at Kaspersky uncovered a Telegram‑based campaign advertising a previously unknown MaaS offering sold through three subscription tiers. The malware provides a broad feature set that includes remote access tooling, data and credential theft, keylogging, clipboard manipulation, spyware capabilities, and even built‑in prank functions designed to harass victims. This uncommon combination of surveillance, theft, and nuisance features distinguishes the threat, which Kaspersky tracks as CrystalX RAT along with related variants.

The malware was initially observed in January 2026 under the name Webcrystal RAT, promoted within private Telegram groups. It was later rebranded as CrystalX RAT and expanded its marketing efforts to public platforms such as YouTube. The offering includes a management panel with an automated builder that allows buyers to customize payloads with options like geofencing, anti‑analysis measures, and visual file obfuscation. Payloads are compressed using zlib and encrypted with ChaCha20, while multiple anti‑analysis defenses such as proxy and man‑in‑the‑middle detection, virtual machine checks, anti‑attach loops, and security‑bypass patches complicate detection and reverse engineering.

Once executed, the malware establishes a WebSocket connection to a hard‑coded command‑and‑control server, collects system information, and transmits data in JSON format. It can steal credentials from applications and browsers, although some of these functions are currently undergoing updates. CrystalX also implements keystroke logging and clipboard hijacking, including the ability to inject malicious browser extensions that replace cryptocurrency wallet addresses.
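Clipboard hijacking of the kind described above is detectable from the endpoint side by comparing what the user actually copied with what the clipboard later holds. The following is an added defensive illustration, not code from Kaspersky's report or from the malware: it runs over a constructed sequence of clipboard events and flags any poll where a wallet-looking value the user copied now reads as a different wallet address. The address patterns and the event format are assumptions for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Illustrative wallet-address shapes (assumption: not an exhaustive list).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,59}$"),
}

def address_kind(text: str) -> Optional[str]:
    """Return the address family `text` matches, or None if it is not address-like."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def detect_clipboard_swaps(events: Iterable[Tuple[str, str]]) -> List[dict]:
    """Flag polls where a wallet address copied by the user has been replaced.

    events: ("copy", text) when the user copies something,
            ("poll", text) when the monitor reads the current clipboard.
    A swap is reported only when both the copied and the observed values
    look like wallet addresses, which keeps ordinary edits out of the alerts.
    """
    alerts = []
    last_copied = None
    for index, (kind, text) in enumerate(events):
        if kind == "copy":
            last_copied = text
            continue
        if last_copied is None or text == last_copied:
            continue
        if address_kind(last_copied) and address_kind(text):
            alerts.append({"event": index, "expected": last_copied,
                           "observed": text, "kind": address_kind(text)})
    return alerts

# Constructed sample: addresses are synthetic, not real wallets.
SAMPLE_EVENTS = [
    ("copy", "meeting notes for Tuesday"),
    ("poll", "meeting notes for Tuesday"),
    ("copy", "0x" + "ab12" * 10),   # user copies their own ETH address
    ("poll", "0x" + "ab12" * 10),   # unchanged, no alert
    ("poll", "0x" + "ff00" * 10),   # silently rewritten to another ETH address
    ("copy", "bc1" + "q" * 39),     # user copies a bech32 address
    ("poll", "1" + "A" * 30),       # replaced with a legacy-format address
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(alert)
```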

“When launched, the malware establishes a connection to its C2 using a hard‑coded URL over the WebSocket protocol,” Kaspersky noted. “After collecting system information, all data is sent in JSON format, after which the stealer function is executed either once or at scheduled intervals depending on the build configuration.”

The stealer component targets credentials from platforms such as Steam, Discord, and Telegram, along with data from Chromium‑based browsers using the ChromeElevator utility. Collected data is transmitted to the C2 infrastructure, with specific handling routines for Yandex and Opera browsers. At present, the stealer module appears temporarily disabled, likely as part of ongoing development.

Beyond credential theft, CrystalX RAT offers full remote administration capabilities, allowing operators to execute commands, manipulate files, interact with the desktop through VNC, and capture audio and video. A built‑in “Rofl” module provides prank‑style features that let attackers disrupt victims by changing wallpapers, rotating displays, disabling peripherals, swapping mouse buttons, displaying fake system alerts, or forcibly shutting down the system. The malware also supports sending messages directly to victims via a chat window.

Kaspersky researchers noted that while the initial infection vector has not yet been identified, dozens of victims have already been confirmed, primarily in Russia. However, the MaaS platform enforces no geographic restrictions, raising concerns about global spread. The malware remains under active development, and its continued promotion suggests CrystalX RAT infections could increase significantly.

“The wide availability of RATs sustains demand as threat actors seek flexible, feature‑rich platforms,” Kaspersky concluded. “CrystalX RAT exemplifies a highly capable MaaS ecosystem that extends beyond espionage to include credential theft, surveillance, and unique prankware functions.”

Cybersecurity Insight delivers timely updates on global cybersecurity developments, including recent system breaches, cyber-attacks, advancements in artificial intelligence (AI), and emerging technology innovations. Our goal is to keep readers well-informed about the latest trends in technology and system security, and how these changes impact our lives and the broader ecosystem.