CrystalX RAT subscription malware steals data and plays pranks on infected victims

Security researchers have identified a new malware-as-a-service called CrystalX RAT. The program combines remote access, information theft, keystroke capture and cryptocurrency address replacement. Experts at Kaspersky have seen the tool promoted since January 2026 through dedicated Telegram channels and demonstration videos on YouTube.

CrystalX RAT operates on a tiered subscription model that lets anyone interested purchase access for a fee. The platform includes a control panel with a simple interface and an automatic executable builder, which makes it easy to customize the malware for different operations. The builder's options include:

  • Geoblocking to limit targets by region
  • Anti-debugging mechanisms and virtual machine detection
  • Verification of proxies and techniques that hinder analysis

These anti-analysis options broaden the appeal among operators with different levels of technical skill.

Remote access and spying features

The remote control module lets the operator execute commands in the Windows command interpreter, upload and download files, and browse the infected machine's file system. Operators can also view the screen in real time through VNC integration.

Audio and video capture uses the device's microphone and camera. During a remote session, the panel offers buttons to block user input, which prevents interruptions while the attacker performs actions. The keylogger records all keystrokes and sends the data in real time to the command server.

The CrystalX RAT infostealer targets Chromium-based browsers, including versions of Chrome as well as Yandex and Opera. Harvesting extends to applications such as Steam, Discord and Telegram. The credential theft module is currently disabled, pending future updates.

Clipper mechanism and data protection in transit

The clipper component monitors the clipboard for cryptocurrency wallet address patterns. When it detects a match, it automatically replaces the content with an attacker-controlled address. This swap happens without the victim noticing that the destination of the transfer has changed.
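As an added illustration from the defender's side (not code from the researchers' report or from the malware), the following heuristic shows how an endpoint monitor could flag the substitution described above: a wallet address that is replaced within seconds by a different address of the same family is the characteristic trace of a clipper. The address patterns and the clipboard timeline are constructed for this example.

```python
import re

# Constructed address-family patterns; a real monitor would cover more families.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family the clipboard text matches, or None."""
    t = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(t):
            return name
    return None


def detect_swaps(snapshots, max_gap_s=2.0):
    """Flag clipper-like transitions in a list of (timestamp_s, clipboard_text).

    A user rarely copies two distinct addresses of the same family within a
    couple of seconds, so an address -> different address of the same family
    inside max_gap_s is reported for investigation.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        fam_before, fam_after = classify(before), classify(after)
        same_family = fam_before is not None and fam_before == fam_after
        changed = before.strip() != after.strip()
        if same_family and changed and (t1 - t0) <= max_gap_s:
            alerts.append({"time": t1, "family": fam_before,
                           "original": before.strip(), "replaced_with": after.strip()})
    return alerts


# Constructed clipboard timeline (not a real capture): the user copies an ETH
# address and 0.3 s later the clipboard holds a different one; the two BTC
# addresses 30 s apart are ordinary user activity and must not be flagged.
SAMPLE_TIMELINE = [
    (0.0, "hello"),
    (5.0, "0x" + "a1" * 20),
    (5.3, "0x" + "b2" * 20),
    (40.0, "bc1q" + "q" * 38),
    (70.0, "bc1q" + "z" * 38),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print("possible clipper activity:", alert)
```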

Payloads generated by the builder are compressed with zlib and encrypted with the ChaCha20 algorithm. Communication with the command and control server uses the WebSocket protocol, which maintains a persistent, bidirectional connection. On first connection, the malware transmits details of the infected system so the operator can track it.

Prankware Features That Set CrystalX RAT Apart

The extensive set of disruption functions is CrystalX RAT's main differentiator from similar malware on the market. Operators can change the desktop wallpaper and flip the screen orientation. Other actions include remapping mouse buttons, temporarily disabling the keyboard and monitor, or forcing the computer to shut down.

The panel allows the operator to send messages that open an interactive dialog window, enabling direct chat between the attacker and the victim. It is also possible to hide desktop icons, the taskbar, Task Manager and the Command Prompt. The mouse cursor can also be manipulated remotely.

These prankware features serve both to attract less experienced buyers and to distract the user while other modules operate in the background. The combination of trolling and data theft creates a versatile tool for different cybercriminal profiles.

Similarities to previous malware and rebranding

Analysts noted a strong similarity between CrystalX RAT and WebRAT, also known as Salat Stealer. Both share the same dashboard design, code written in Go, and an automated sales system based on bots. After criticism about the copy, those responsible changed the visual identity and renamed the tool.

Promotion has moved to a new Telegram channel, which runs access-key giveaways and polls to engage the public. In parallel, a dedicated YouTube channel publishes videos demonstrating the features in operation. This strategy extends the tool's reach beyond traditional underground forum circles.

Current distribution and reach of the malware

To date, the identified infection attempts are concentrated in Russia. However, the malware-as-a-service model imposes no regional restrictions, so CrystalX RAT can be aimed at users in any country. Researchers have not yet detailed the exact infection vector used to distribute the executable.

The lack of precise information about the initial delivery method makes it difficult to develop specific preventative measures right away. Users should keep operating systems and applications up to date and adopt reliable security solutions that detect suspicious remote-access behavior and unauthorized modifications.

Technical details of the anti-analysis protections

The automatic builder includes advanced anti-analysis options that raise the bar for security researchers. Among them are stealth patches that bypass system protection functions and anti-attach loops that prevent debugging. These technical layers protect the malware during distribution and initial execution.

The persistent communication protocol allows stolen data to be sent continuously without frequent reconnections. This architecture keeps the operation stable even in environments with variable connectivity.

CrystalX RAT offers operators a complete set of tools ranging from full machine control to silently extracting sensitive information. The inclusion of visual and interactive disruption functions adds an unusual layer to the current commercial malware ecosystem.