CrystalX Malware: A New Multifaceted Cyber Threat Emerges
Severity: High (Score: 64.5)
Sources: Cybersecuritynews, Securelist
Summary
In March 2026, a new malware named CrystalX was discovered, marketed as a Malware-as-a-Service (MaaS) on private Telegram channels. This Trojan combines features of a remote access trojan (RAT), credential stealer, keylogger, clipboard hijacker, spyware, and unique prankware tools. The malware was first mentioned in January 2026 and has since evolved, with its promotional efforts expanding to a dedicated YouTube channel.

CrystalX establishes a connection to its command and control (C2) server using a hard-coded URL over the WebSocket protocol, collecting system information and exfiltrating data in JSON format. It targets credentials from popular platforms like Steam, Discord, and Telegram, and utilizes a proprietary method for Yandex and Opera browsers. As of the article's publication, the stealer functionality was temporarily disabled, indicating ongoing development. The malware's unique combination of capabilities poses a significant threat to users and organizations alike.

Key Points:
- CrystalX combines RAT, credential stealing, and prankware features in one package.
- The malware is marketed through private Telegram channels and a dedicated YouTube channel.
- Current builds of CrystalX lack the stealer functionality, indicating potential future threats.
Key Entities
- Malware (attack_type)
- Trojan (attack_type)
- Russia (country)
- CrystalX (malware)
- CrystalX RAT (malware)
- Salat Stealer (malware)
- WebRAT (malware)
- 1A68AE614FB2D8875CB0573E6A721B46 (md5)
- 2DBE6DE177241C144D06355C381B868C (md5)
- 47ACCB0ECFE8CCD466752DDE1864F3B0 (md5)
- 49C74B302BFA32E45B7C1C5780DD0976 (md5)
- 88C60DF2A1414CBF24430A74AE9836E0 (md5)
- T1003 - OS Credential Dumping (mitre_attack)
- T1021 - Remote Services (mitre_attack)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1056 - Input Capture (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Telegram (platform)
- ChromeElevator (tool)