Information-security researchers have mapped the operation of a new cybercrime platform classified as malware-as-a-service. The program, called CrystalX RAT, combines tools for remote device control, silent credential theft and replacement of financial transaction addresses. Specialists at Kaspersky tracked the commercialization of the tool, which has been gaining traction on the underground market since January 2026 through sales channels structured on Telegram and video demonstrations published on YouTube.
The business model adopted by the developers lets individuals with varying levels of technical knowledge rent the malicious infrastructure by paying for tiered subscriptions. The platform gives buyers a control panel with a simplified navigation interface, accompanied by an automatic builder of executable files. This centralized architecture makes it easy to customize the attack code for campaigns aimed at specific targets.
Remote control and system monitoring architecture
The main remote access module grants the operator almost complete control over the infected machine. The tool allows direct execution of commands in the Windows command-line interpreter, which makes it possible to change deep operating system settings. Attackers can upload new malicious payloads and download sensitive documents while freely browsing the directories of the hard drive. Integration with the VNC protocol provides a real-time view of the user’s screen.
Espionage extends to capturing the physical media connected to the computer. The program activates the device’s microphone and camera to record audio and video of the surroundings without triggering the activity light indicators. During shared access sessions, the administration panel provides blocking buttons that paralyze the user’s physical inputs, preventing the victim from interrupting the cybercriminal’s actions by using the mouse or keyboard. A built-in keylogger records all keystrokes and transmits keystroke reports to the command server.
Focus on browsers and replacement of virtual wallet addresses
The CrystalX RAT information-theft framework focuses on extracting data stored in browsers based on the Chromium project. The list of priority targets includes recent versions of Chrome, as well as Yandex and Opera. Data collection goes beyond browsers and reaches the session files of communication and entertainment applications such as Steam, Discord and Telegram. The specific module for mass password extraction is temporarily disabled by the developers, who promise to reactivate it in future code updates.
The component known as the clipper silently and continuously monitors the operating system’s clipboard. Its central objective is to identify text patterns that correspond to cryptocurrency wallet addresses. When the software detects a matching sequence during a copy operation, it automatically replaces it with the address of the wallet controlled by the attacker. The victim completes the financial transaction without noticing the change in the data pasted into the destination field.
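The clipper behaviour described above (a copied wallet address silently replaced by a different one) can be checked for from the defender’s side by watching the clipboard for changes that no user action caused. The following is an added example, not code from the article or from Kaspersky’s report: it models clipboard observations as a stream of snapshots, where `user_initiated` is an assumption that a monitoring agent has correlated the change with a user copy action, and the address regexes are deliberately simplified (a production tool would validate per-currency checksums). All addresses and timestamps are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative (simplified) wallet-address shapes. Constructed patterns, not
# full validators: real tooling should verify per-currency checksums too.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None if it is not an address."""
    stripped = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return family
    return None


@dataclass
class ClipboardSnapshot:
    ts: float             # seconds; constructed timestamps
    content: str
    user_initiated: bool  # assumption: the agent saw a user copy action cause this change


def detect_address_swaps(snapshots: List[ClipboardSnapshot]) -> List[dict]:
    """Flag clipboard changes where an address the user copied was replaced,
    with no user action in between, by a different address."""
    alerts = []
    last_user_copy: Optional[ClipboardSnapshot] = None
    for snap in snapshots:
        if snap.user_initiated:
            last_user_copy = snap
            continue
        if last_user_copy is None:
            continue
        expected = last_user_copy.content.strip()
        observed = snap.content.strip()
        if expected == observed:
            continue  # clipboard re-read, nothing changed
        # Only address-to-address substitutions match the clipper pattern;
        # other silent changes (e.g. a password manager clearing the clipboard) are ignored.
        if classify_address(expected) and classify_address(observed):
            alerts.append({
                "ts": snap.ts,
                "expected": expected,
                "observed": observed,
                "family": classify_address(observed),
            })
    return alerts


# Constructed sample addresses (valid shape only, not real wallets).
VICTIM_BTC = "1CnstructdVictimWa11etXyz9876543"
ATTACKER_BTC = "1AttackerCtrWa11etAbcdefgh12345678"
VICTIM_ETH = "0x" + "deadbeef" * 5
ATTACKER_ETH = "0x" + "cafebabe" * 5


def demo_scenario() -> List[dict]:
    """Constructed sequence: one silent swap among benign clipboard activity."""
    snaps = [
        ClipboardSnapshot(1.0, VICTIM_BTC, True),
        ClipboardSnapshot(1.2, ATTACKER_BTC, False),    # silent replacement: alert
        ClipboardSnapshot(5.0, "meeting at 10", True),
        ClipboardSnapshot(5.1, "meeting at 10", False),  # unchanged, not an address
        ClipboardSnapshot(9.0, VICTIM_ETH, True),
        ClipboardSnapshot(9.3, VICTIM_ETH, False),       # unchanged
        ClipboardSnapshot(12.0, ATTACKER_ETH, True),     # user copied another address: no alert
    ]
    return detect_address_swaps(snaps)


if __name__ == "__main__":
    for alert in demo_scenario():
        print(f"t={alert['ts']}: {alert['expected']} -> {alert['observed']} ({alert['family']})")
```

The check deliberately ignores silent changes that are not address-to-address (clipboard managers and password managers legitimately clear or rewrite the clipboard), which keeps the false-positive rate low while still catching the substitution pattern the article describes.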
To protect stolen information in transit to the command-and-control servers, the developers implemented robust encryption layers. The payloads generated by the control panel are compressed with the zlib library and protected with the ChaCha20 algorithm. Communication between the infected machine and the server takes place over the WebSocket protocol. This technical choice establishes a bidirectional, persistent connection, which eliminates the need for constant reconnections and provides stability even on networks with signal fluctuations. At the time of initial infection, the malware transmits a complete hardware inventory for tracking purposes.
Visual disruption tools and direct interactions
What sets CrystalX RAT apart on the underground market is its integration of a large set of disruption tools, technically classified as prankware. Operators gain the ability to change the desktop wallpaper and instantly invert the monitor’s display orientation. The control panel also offers commands to remap mouse buttons, temporarily disable the keyboard, and force the computer to shut down abruptly. These actions cause immediate confusion on the user’s desktop.
The platform makes it possible to send text messages that open interactive dialog windows on the compromised machine’s screen. The feature establishes a direct, unsolicited chat channel between the attacker and the victim. The operator has permissions to hide desktop icons, remove the taskbar from the screen, and block Task Manager and Command Prompt from opening. The mouse cursor can also be manipulated remotely, moving autonomously across the screen.
The presence of these trolling functions serves two strategic purposes in the commercialization of the software. The first is to attract buyers with a less technical profile who are looking for tools for online harassment or shows of force. The second is tactical: the visual disturbances serve as a smokescreen. The clutter generated on the screen distracts the user while the file-stealing and data-extraction modules operate in the background.
Evasion mechanisms and commercialization on platforms
Cybersecurity specialists identified deep structural similarities between the new threat and an earlier malicious program known on the market as WebRAT or Salat Stealer. Both tools share the same admin panel interface design and use source code written in the Go programming language. The automated sales system, operated through bots, also follows the same operating pattern. After receiving criticism on clandestine forums about copying the code, the developers redesigned the visual identity and adopted the new commercial name.
The marketing strategy has migrated from obscure platforms to far-reaching networks. The creators run an active channel on Telegram, where they host free license-key giveaways and post polls to keep interested criminals engaged. A parallel channel on YouTube serves as a technical showcase, with videos that demonstrate the effectiveness of the intrusion functions in controlled environments. The malicious program’s automatic executable builder delivers advanced features to make the work of antivirus companies more difficult. Protection options include:
- Implementation of geo-blocking to restrict code execution to specific regions of the globe.
- Integration of anti-debugging mechanisms that stop technical analysis of the software’s behavior.
- Virtual machine detection systems to prevent execution in security lab environments.
- Continuous proxy checks and the application of stealth patches that bypass the system’s native defenses.
These obfuscation layers protect the malicious file during the critical distribution phase and the first few seconds of execution on the victim’s machine. The technical barrier increases the commercial value of the product among operators who require stealth tools for prolonged campaigns.
Attack vectors and global distribution scenario
Current telemetry records indicate that infection attempts are mostly concentrated in Russian territory. The business model adopted by the creators, however, does not impose definitive geographic restrictions on license buyers. This commercial feature allows CrystalX RAT to reach computers in any country, depending only on the specific objectives of each operator purchasing the service. Researchers are still working to map the initial infection vector used in the most recent campaigns.
The lack of clarity about the exact delivery method of the executable file demands increased attention from corporate network administrators and home users. Standard technical advice is to keep operating systems and everyday applications up to date with the latest security packages. Adopting advanced monitoring solutions helps identify anomalous behaviors, such as unauthorized remote access attempts and silent modifications to critical system records.
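Two of the behaviours the article attributes to this RAT leave traces that routine monitoring can pick up: the persistent WebSocket channel to the command server, and the policy changes that block Task Manager and Command Prompt. The following is an added example, not code from the article or from Kaspersky, that runs two simple detections over constructed inputs: Sysmon-style "Value Set" registry events (Event ID 13) checked against the standard Windows policy value names `DisableTaskMgr` and `DisableCMD` (well-known locations, not taken from the article), and proxy log lines in a constructed format checked for long-lived WebSocket upgrades to hosts outside an assumed allowlist. File paths, SIDs, IP addresses and the log format are all constructed.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Standard Windows policy values that disable Task Manager and the command
# interpreter. Matched by suffix so that HKCU keys, which Sysmon reports under
# HKU\<SID>\..., and HKLM keys are both covered.
POLICY_WATCHLIST = {
    r"\policies\system\disabletaskmgr": "Task Manager disabled by policy",
    r"\policies\microsoft\windows\system\disablecmd": "Command Prompt disabled by policy",
}


def registry_tamper_alerts(events: List[Dict]) -> List[Dict]:
    """Scan Sysmon-style RegistryEvent (Value Set, Event ID 13) records for the
    policy values above being set to 1."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "").lower()
        match = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
        value = int(match.group(1), 16) if match else None
        for suffix, description in POLICY_WATCHLIST.items():
            if target.endswith(suffix) and value == 1:
                alerts.append({
                    "rule": description,
                    "image": ev.get("Image"),
                    "target": ev.get("TargetObject"),
                })
    return alerts


# Constructed proxy-log line format: "<ts> <client> <method> <url> <status> duration=<n>s"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) duration=(?P<dur>\d+)s$"
)
ALLOWED_WS_HOSTS = {"chat.example.com"}  # assumed allowlist of sanctioned WebSocket endpoints


def long_websocket_sessions(lines: List[str], min_seconds: int = 3600) -> List[Dict]:
    """Flag WebSocket upgrades (HTTP 101) to non-allowlisted hosts that stay
    open for at least min_seconds; a persistent C2 channel looks like this."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match["status"] != "101":
            continue
        host = urlparse(match["url"]).hostname
        seconds = int(match["dur"])
        if host not in ALLOWED_WS_HOSTS and seconds >= min_seconds:
            hits.append({"src": match["src"], "host": host, "seconds": seconds})
    return hits


# Constructed sample inputs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "TargetObject": "", "Details": ""},
]
SAMPLE_LOG = [
    "2026-02-03T10:15:02Z 10.0.0.5 GET wss://chat.example.com/socket 101 duration=7200s",
    "2026-02-03T10:16:40Z 10.0.0.7 GET wss://203.0.113.10:8443/ws 101 duration=7205s",
    "2026-02-03T10:17:00Z 10.0.0.7 GET https://203.0.113.10:8443/ws 200 duration=1s",
    "2026-02-03T10:18:00Z 10.0.0.9 GET wss://198.51.100.4/ws 101 duration=30s",
]

if __name__ == "__main__":
    for alert in registry_tamper_alerts(SAMPLE_EVENTS):
        print("registry:", alert)
    for hit in long_websocket_sessions(SAMPLE_LOG):
        print("websocket:", hit)
```

Neither check identifies CrystalX RAT specifically; both flag the generic conditions (a policy value set by an unexpected image, a long WebSocket session to an unknown host) that an analyst would then triage, which is the kind of behavioural monitoring the article recommends.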

