CrystalX RAT: New Malware Combines Data Theft and Prankware Features

Severity: High (Score: 71.0)

Sources: Gbhackers, Bleepingcomputer, Cybersecuritynews, Kaspersky, Mashable

Summary

In March 2026, cybersecurity researchers discovered CrystalX RAT, a new malware-as-a-service (MaaS) being promoted in private Telegram channels. This malware offers a wide range of capabilities, including remote access, data theft, keylogging, and unique prankware features designed to disrupt and mock victims. CrystalX RAT can steal credentials from platforms like Steam, Discord, and Telegram, and manipulate clipboard contents to facilitate cryptocurrency theft. The malware was first identified in January 2026 as WebCrystal RAT before being rebranded. It operates on a subscription model with three tiers, making it accessible to less skilled cybercriminals. The malware connects to its command-and-control server via WebSocket and has been noted for its user-friendly interface. As of the latest reports, the initial infection vector remains unknown, but the malware is actively evolving, with new versions being detected. Victims are primarily located in Russia, and the threat is expected to grow.

Key Points

  • CrystalX RAT combines data theft and prankware features, making it a unique threat.
  • The malware is marketed as a MaaS, allowing less skilled attackers to access its capabilities.
  • Initial infection vector is unknown, but it is rapidly evolving with new versions detected.

Key Entities

  • Malware (attack_type)
  • Trojan (attack_type)
  • Russia (country)
  • CrystalRAT (malware)
  • CrystalX (malware)
  • CrystalX RAT (malware)
  • Salat Stealer (malware)
  • WebCrystal RAT (malware)
  • 1A68AE614FB2D8875CB0573E6A721B46 (md5)
  • 2DBE6DE177241C144D06355C381B868C (md5)
  • 47ACCB0ECFE8CCD466752DDE1864F3B0 (md5)
  • 49C74B302BFA32E45B7C1C5780DD0976 (md5)
  • 88C60DF2A1414CBF24430A74AE9836E0 (md5)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056.001 - Keylogging (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • Chromium-based Browsers (platform)
  • Discord (platform)
  • Opera (platform)
  • Steam (platform)
  • Telegram (platform)
  • Google Chrome (tool)
  • Yandex (tool)
  • ChromeElevator (tool)
  • VNC (tool)