Pierluigi Paganini
April 03, 2026
In March 2026, Kaspersky researchers uncovered a Telegram-based campaign promoting a previously unknown malware sold as a MaaS with three subscription tiers. The Trojan offers a wide range of features, including RAT capabilities, data theft, keylogging, clipping, spyware, and even prank functions to annoy users. This unusual mix makes it stand out, and Kaspersky detects it as CrystalX and related malware variants.
First seen in January 2026 as Webcrystal RAT, this malware was promoted in private Telegram groups and later rebranded as CrystalX RAT, expanding to YouTube marketing. The malware includes a control panel with an auto-builder that lets attackers customize features like geoblocking, anti-analysis tools, and file appearance. Payloads are compressed with zlib and encrypted using ChaCha20. It uses anti-debugging techniques such as proxy and MITM checks, VM detection, anti-attach loops, and stealth patches that bypass security functions, making analysis and detection more difficult.
Once executed, it connects to a command-and-control server, gathers system data, and can steal credentials from apps and browsers, though this feature is currently being updated. It also includes keylogging and clipboard hijacking, even injecting malicious browser extensions to swap crypto wallet addresses.
“When launched, the malware establishes a connection to its C2 using a hard‑coded URL over the WebSocket protocol. It performs an initial collection of system information, after which all data is sent in JSON format as plain text. Then the malware executes the stealer function, doing so either once or at predefined intervals depending on the build options.” reads the report published by Kaspersky. “The stealer extracts the victim’s credentials for Steam, Discord, and Telegram from the system. It also gathers data from Chromium‑based browsers using the popular ChromeElevator utility.”
Stolen data is sent to the C2, with dedicated routines for Yandex and Opera. The stealer feature is currently disabled, likely for updates. The RAT includes a keylogger that streams keystrokes in real time and a clipper that can alter clipboard data or inject malicious browser extensions to replace crypto wallet addresses. It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.
The malware includes a “Rofl” section with prank features to annoy victims. Attackers can change wallpapers, rotate the screen, swap mouse buttons, disable peripherals, or trigger shutdowns. Other options include hiding icons, disabling system tools, showing fake notifications, and making the cursor move randomly. It also allows sending messages and opening a chat window for direct interaction with the victim.
The researchers pointed out that the initial infection vector remains unclear, but dozens of victims have been affected, mainly in Russia so far. The MaaS has no geographic limits, meaning it could spread globally. Ongoing development and new versions, along with active promotion, suggest CrystalX RAT infections are likely to rise significantly in the near future.
“The sheer variety of available RATs has perpetuated demand, as actors prioritize flexibility of existing malware and its infrastructure.” concludes the report. “Thus, CrystalX RAT represents a highly functional MaaS platform that is not limited to espionage capabilities – spyware, keylogging and remote control – but includes unique stealer and prankware features.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CrystalX RAT)
