Verticals Targeted: Cryptocurrency, Gaming, Social Messaging, Enterprise Systems
Regions Targeted: Russia
Related Families: WebRAT (aka Salat Stealer)
Executive Summary
CrystalX RAT is a newly identified malware-as-a-service (MaaS) platform combining traditional remote access, credential theft, and surveillance capabilities with disruptive prankware features, signaling a shift toward multi-purpose, user-impacting cybercrime tooling. It has been observed targeting consumer endpoints, cryptocurrency users, gaming and messaging platforms, and general enterprise users across Russia, with the potential for global reach.
Key Takeaways
- CrystalX is distributed via a Telegram-based MaaS ecosystem with tiered subscriptions and active marketing campaigns.
- The malware combines RAT, stealer, keylogger, clipper, spyware, and prankware into a single modular platform.
- It employs anti-analysis techniques including VM detection, MITM checks, and AMSI/ETW patching.
- The RAT is actively developed and rebranded from earlier tooling resembling WebRAT, also known as Salat Stealer.
What is CrystalX?
Kaspersky researchers recently identified an emerging malware campaign centered on CrystalX RAT, a multi-functional trojan marketed through private Telegram channels. Initially introduced as Webcrystal RAT in January 2026, the malware was later rebranded and promoted more aggressively through dedicated Telegram and YouTube channels.
CrystalX operates under a MaaS model, offering access to a web-based control panel and builder with customizable configurations. The platform stands out due to its hybrid functionality, blending traditional cybercrime objectives such as credential theft and surveillance with unconventional prankware capabilities designed to harass or disrupt victims.
Technical Capabilities
Builder and Evasion Techniques
The CrystalX control panel provides an automated builder allowing operators to configure payloads with options such as geofencing, custom icons, and anti-analysis features. Payloads are compressed using zlib and encrypted with ChaCha20 using a hardcoded key and nonce.
Anti-analysis mechanisms include:
- MITM detection via registry checks and process blacklisting
- Virtual machine detection through process and hardware inspection
- Anti-debugging loops monitoring execution anomalies
- Memory patching of security-related APIs including AMSI and ETW
These features indicate moderate sophistication and an intent to evade both automated and analyst-driven detection.
Data Theft and Credential Access
Upon execution, the malware establishes a WebSocket connection to a hardcoded C2 server and transmits system information in JSON format. The stealer module targets credentials from:
- Steam
- Discord
- Telegram
- Chromium-based browsers via ChromeElevator
Data is staged in temporary directories and exfiltrated to the C2. Notably, the stealer component has been temporarily disabled in some builds, likely to allow for updates or enhancements.
Keylogging and Clipboard Manipulation
CrystalX includes real-time keylogging capabilities, transmitting captured input directly to the C2 for reconstruction. Additionally, it features clipboard monitoring and manipulation, enabling attackers to intercept and replace copied data.
A notable feature is browser-based clipper injection, where malicious scripts are deployed via the Chrome DevTools Protocol. These scripts detect cryptocurrency wallet addresses and replace them with attacker-controlled values, targeting assets such as Bitcoin, Monero, and Dogecoin.
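Script injection over the Chrome DevTools Protocol needs the browser to expose CDP to another process, which on Windows most commonly means the browser was (re)launched with a remote-debugging switch. The report does not say how CrystalX obtains that access, so the following detector is an added defender-side example under that assumption, not code from the report: it scans constructed process-creation records (parent image, child image, command line, the fields a parsed Sysmon Event ID 1 or Windows 4688 feed provides) for Chromium-family browsers started with `--remote-debugging-port`, `--remote-debugging-pipe` or `--remote-debugging-address`.

```python
"""Flag browser launches that expose the Chrome DevTools Protocol.

Input records are CONSTRUCTED process-creation events (parent image, child
image, command line). Assumption: the clipper reaches CDP by (re)launching
the browser with a remote-debugging switch; the report does not state this.
"""
import re

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe")
# Chromium command-line switches that open CDP to other processes.
CDP_SWITCHES = re.compile(r"--remote-debugging-(?:port|pipe|address)\b", re.IGNORECASE)
# Parents that normally start a browser for an interactive user.
BENIGN_PARENTS = ("explorer.exe",) + BROWSERS


def flag_cdp_launches(events):
    """Return (image, reason) for each browser launch that exposes CDP."""
    hits = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image not in BROWSERS:
            continue
        match = CDP_SWITCHES.search(ev["cmdline"])
        if not match:
            continue
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        reason = f"{match.group(0)} present"
        if parent not in BENIGN_PARENTS:
            reason += f"; unusual parent {parent}"
        hits.append((image, reason))
    return hits


# Constructed sample events: a normal launch, a suspicious relaunch from a
# placeholder dropper path, and a non-browser that must not be flagged.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --profile-directory=Default'},
    {"parent": r"C:\Users\user\AppData\Local\Temp\dropper_placeholder.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" --remote-debugging-port=9222 --restore-last-session'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe --remote-debugging-port=9222"},
]
```

Browser automation tooling (Puppeteer, Selenium, Playwright) uses the same switches legitimately, so treat a hit as a hunting lead and tune for developer and test hosts.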
Remote Access and Surveillance
The RAT component provides extensive remote control functionality, including:
- Command execution via cmd.exe
- File upload/download and filesystem browsing
- Built-in VNC for live screen control
- Microphone and webcam access
Operators can also disable user input during sessions, ensuring uninterrupted control of the victim system.
Prankware and Disruption Features
A unique aspect of CrystalX is its “Rofl” module, which includes disruptive commands such as:
- Rotating display orientation
- Swapping mouse buttons
- Hiding desktop icons and disabling system utilities
- Simulating system crashes or shutdowns
- Cursor manipulation and forced UI interactions
While these features may appear trivial, they can significantly degrade user experience, potentially serving psychological or harassment objectives.
Infrastructure and Distribution
CrystalX is actively marketed through Telegram channels, leveraging tactics such as giveaways, polls, and promotional videos to attract buyers.
The infrastructure includes:
- Web-based control panels
- Bot-driven key distribution
- Expansion into social media platforms for visibility
The malware shows clear lineage to WebRAT, sharing similarities in codebase, panel design, and distribution methods.
Impact and Targeting
While observed infections have primarily occurred in Russia, the MaaS model and lack of geographic restrictions suggest global applicability. The combination of espionage, financial theft, and disruption capabilities makes CrystalX suitable for a wide range of threat actors, from low-level cybercriminals to more organized groups. The platform’s modularity and ongoing development indicate it will likely evolve, potentially reintroducing enhanced stealer functionality and expanding its feature set.
Analyst Commentary
CrystalX RAT represents a notable evolution in commodity malware, blending traditional cybercrime tooling with user-targeted disruption features. Its MaaS distribution lowers the barrier to entry for attackers, while its versatility increases its operational value. The inclusion of prankware alongside surveillance and theft capabilities reflects a shift toward multi-objective malware, where financial gain, access persistence, and user disruption coexist within a single framework.
This type of rapidly evolving MaaS ecosystem presents a persistent detection challenge. Frequent rebranding, modular builds, and ongoing feature updates mean that new variants often exhibit low or inconsistent detection across traditional security engines, particularly in early distribution phases.
PolySwarm directly addresses this visibility gap. By aggregating verdicts from dozens of security engines, PolySwarm enables analysts to identify low-consensus and emerging threats like CrystalX before signatures converge. Instead of relying on a single vendor’s detection timeline, defenders can immediately spot outlier detections, analyze suspicious payloads, and track variant evolution as it happens.
IOCs
PolySwarm has multiple samples of CrystalX.