CrystalX RAT: New Malware-as-a-Service Threatens Users with Data Theft and Pranks
Severity: High (Score: 66.5)
Sources: Cybersecuritynews, Gbhackers, Kaspersky, Securelist
Summary
In March 2026, security researchers uncovered a new malware campaign promoting CrystalX RAT, a sophisticated Malware-as-a-Service (MaaS) platform advertised through private Telegram channels. The remote access trojan (RAT) combines data theft, surveillance, and prankware features, a combination that sets it apart in the cybercrime landscape. It is sold under a subscription model with three tiers, aimed at a wide range of cybercriminals, including less-skilled operators. CrystalX RAT can steal credentials for platforms such as Steam, Discord, and Telegram, and it includes a clipboard hijacker that can replace cryptocurrency wallet addresses. Its prank features can also disrupt victims' systems, adding a psychological element to its attacks. The initial infection vector remains unknown, but the malware is under active development, with new versions already detected. The potential for widespread impact is significant: the malware is already affecting dozens of victims, and its usage is expected to grow.

Key Points:
- CrystalX RAT combines data theft, surveillance, and prankware features.
- The malware is marketed as a subscription-based service on Telegram.
- It poses a significant risk to users of Steam, Discord, and cryptocurrency platforms.
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- Russia (country)
- CrystalX (malware)
- CrystalX RAT (malware)
- Salat Stealer (malware)
- WebRAT (malware)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1056 - Input Capture (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Telegram (platform)
- ChromeElevator (tool)