Apr 01, 2026 • GReAT
A laughing RAT: CrystalX combines spyware, stealer, and prankware features
Executive Summary
Kaspersky researchers identified a new Malware-as-a-Service (MaaS) campaign distributing CrystalX RAT, a versatile Trojan written in Go. Discovered in March 2026 via Telegram, CrystalX combines remote access, spyware, infostealer, and unique prankware capabilities. It targets credentials for platforms like Steam, Discord, and Telegram, alongside browser data using the ChromeElevator utility. The malware employs robust evasion techniques, including anti-debugging, VM detection, and ChaCha20 encryption for C2 communication over WebSockets. While currently distributed anonymously, its MaaS model lowers the barrier for entry for various threat actors. Detection signatures include Backdoor.Win64.CrystalX. Organizations should enforce strict endpoint protection, monitor for suspicious WebSocket traffic, and educate users against downloading unofficial software from Telegram or YouTube channels promoting such tools. Immediate patching and behavioral monitoring are recommended to mitigate credential theft and system compromise risks associated with this evolving threat.
Summary
Kaspersky researchers analyze a new CrystalX RAT distributed as MaaS and featuring extensive spyware, stealer, and prankware capabilities.
Published Analysis
Introduction
In March 2026, we discovered an active campaign promoting previously unknown malware in private Telegram chats. The Trojan was offered as a MaaS (malware‑as‑a‑service) with three subscription tiers. It caught our attention because of its extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available. Most surprisingly, it also includes prankware capabilities: a large set of features designed to trick, annoy, and troll the user. Such a combination of capabilities makes it a rather unique Trojan in its category.
Kaspersky’s products detect this threat as Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, Trojan.Win32.Agentb.gen.
Technical details
Background
The new malware was first mentioned in January 2026 in a private Telegram chat for developers of RAT malware. The author actively promoted their creation, called Webcrystal RAT, by attaching screenshots of the web panel. Many users observed that the panel layout was identical to that of the previously known WebRAT (also called Salat Stealer), leading them to label this malware as a copy. Additional similarities included the fact that the RAT was written in Go, and the messages from the bot selling access keys to the control panel closely matched those of the WebRAT bots.
After some time, this malware was rebranded and received a new name, CrystalX RAT. Its promotion moved to a corresponding new channel, which is quite busy and features marketing tricks, such as access key draws and polls. Moreover, it expanded beyond Telegram: a special YouTube channel was created, aimed at marketing promotion and already containing a video review of the capabilities of this malware.
The builder and anti-debug features
By default, the malware control panel provides third parties with an auto‑builder featuring a wide range of configurations, such as selective geoblocking by country, anti‑analysis functions, an executable icon, and others. Each implant is compressed using zlib and then encrypted with ChaCha20 and a hard‑coded 32‑byte key with a 12‑byte nonce.
The malware has basic anti‑debugging functionality combined with additional optional capabilities:
- MITM Check: checking if a proxy is enabled by reading the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, blacklisting names of certain processes (Fiddler, Burp Suite, mitmproxy, etc.), and verifying the presence of installed certificates for the corresponding programs
- VM detect: checking running processes, presence of guest tools, and hardware characteristics
- Anti-attach loop: an infinite loop checking the debug flag, debug port, hardware breakpoints, and program execution timings
- Stealth patches: patches for functions such as AmsiScanBuffer, EtwEventWrite, MiniDumpWriteDump
Stealer capabilities
When launched, the malware establishes a connection to its C2 using a hard‑coded URL over the WebSocket protocol. It performs an initial collection of system information, after which all data is sent in JSON format as plain text. Then the malware executes the stealer function, doing so either once or at predefined intervals depending on the build options.
The stealer extracts the victim’s credentials for Steam, Discord, and Telegram from the system. It also gathers data from Chromium‑based browsers using the popular ChromeElevator utility. To do this, it decodes and decompresses the utility using base64 and gunzip and saves it to %TEMP%\svc[rndInt].exe, then creates a directory %TEMP%\co[rndInt], where the collected data is stored, and finally runs ChromeElevator with all available options. The collected data is exfiltrated to the C2. For Yandex and...
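The two on-disk artifacts named above, ChromeElevator written to %TEMP%\svc[rndInt].exe and a staging directory %TEMP%\co[rndInt], are concrete enough to hunt for in file-creation telemetry. The following is an added example, not from the article or from Kaspersky: the events are constructed samples shaped loosely after an EDR file-create record (process id plus created path), the assumption that %TEMP% resolves to the default per-user AppData\Local\Temp location is mine, and a process that produces both patterns is scored as the strongest hit.

```python
"""Hunt file-creation telemetry for the dropper artifacts: svc<digits>.exe and a
co<digits> directory created directly under the user's %TEMP%. All events below
are CONSTRUCTED samples, not real telemetry."""
import re

# Assumption: %TEMP% is the default per-user location. Adjust if your fleet differs.
TEMP_DIR = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\")
SVC_EXE = re.compile(r"(?i)^svc\d+\.exe$")      # dropped ChromeElevator binary
STAGING_DIR = re.compile(r"(?i)^co\d+$")        # directory that receives browser data


def classify_path(path):
    """Label a created path as one of the two artifacts, or None."""
    m = TEMP_DIR.match(path)
    if not m:
        return None
    rest = path[m.end():]
    if "\\" in rest:          # only direct children of %TEMP%, not files inside co<N>
        return None
    if SVC_EXE.match(rest):
        return "chromeelevator_drop"
    if STAGING_DIR.match(rest):
        return "staging_dir"
    return None


def hunt(events):
    """Group artifact hits per creating process.

    Returns a list of (pid, sorted labels, both_seen) sorted by pid; both_seen is
    True when the same process wrote the svc<N>.exe file and created the co<N> dir,
    which is the sequence the stealer routine performs."""
    per_pid = {}
    for ev in events:
        label = classify_path(ev["path"])
        if label:
            per_pid.setdefault(ev["pid"], set()).add(label)
    return [(pid, sorted(labels), len(labels) == 2)
            for pid, labels in sorted(per_pid.items())]


# Constructed sample events: one full dropper sequence, one lone svc<N>.exe write,
# and three benign or out-of-scope paths that must not match.
SAMPLE_EVENTS = [
    {"pid": 4120, "path": r"C:\Users\alice\AppData\Local\Temp\svc48213.exe"},
    {"pid": 4120, "path": r"C:\Users\alice\AppData\Local\Temp\co17731"},
    {"pid": 4120, "path": r"C:\Users\alice\AppData\Local\Temp\co17731\Login Data"},
    {"pid": 900,  "path": r"C:\Users\bob\AppData\Local\Temp\svc7.exe"},
    {"pid": 77,   "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"pid": 12,   "path": r"C:\Windows\System32\svc1.exe"},
]

if __name__ == "__main__":
    for pid, labels, both in hunt(SAMPLE_EVENTS):
        print(pid, labels, "HIGH" if both else "LOW")
```

The lone `svc<N>.exe` write is kept as a low-confidence hit rather than discarded, because the staging directory may be created under a different process id on some builds; pairing the hit with a subsequent outbound WebSocket connection from the same process, which the article recommends monitoring, raises confidence further.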
Linked Entities
- CrystalX RAT
- Salat Stealer
- Webcrystal RAT
- WebRAT