
CrystalX RAT

CrystalX RAT is a remote access trojan offered as a malware-as-a-service platform. It was first observed in January 2026 under the name Webcrystal RAT and was later rebranded as CrystalX RAT. Kaspersky reported active promotion in private Telegram groups, a dedicated Telegram channel, and YouTube, with the malware sold in three subscription tiers. Researchers noted similarities to WebRAT/Salat Stealer, including a Go-based implementation and similar sales messaging.

The malware combines RAT, spyware, stealer, keylogging, clipboard hijacking, crypto-clipper, and prankware functionality. Its builder allows customization including country-based geoblocking, anti-analysis settings, and executable appearance. Payloads are compressed with zlib and encrypted with ChaCha20. Anti-analysis and evasion features include proxy and man-in-the-middle checks, VM detection, anti-attach loops, process blacklists for tools such as Fiddler, Burp Suite, and mitmproxy, and stealth patching of functions including AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump. It communicates with a hard-coded command-and-control URL over WebSocket and sends initial host information to the C2 in plaintext JSON.

CrystalX RAT can steal credentials from Steam, Discord, and Telegram, and collect data from Chromium-based browsers using ChromeElevator. It also includes dedicated theft routines for Yandex and Opera. Kaspersky reported that the stealer component was disabled in current builds at the time of reporting, likely while being updated. The malware includes a real-time keylogger, clipboard read/modify capability, and browser-extension injection to replace cryptocurrency wallet addresses. Reported targeted wallet formats include Bitcoin, Litecoin, Monero, Avalanche, and Dogecoin.

For remote access, CrystalX RAT allows operators to upload files, execute commands via cmd.exe, browse drives and the file system, and control the victim desktop through built-in VNC. It can block user input and capture microphone audio and camera video in the background. It also contains a prankware module named "Rofl" that can change wallpapers, rotate the display, swap mouse buttons, disable peripherals, hide desktop icons, disable system tools, display fake or custom notifications, move or shake the cursor, trigger shutdowns, and open a bidirectional chat window with the victim.

The initial infection vector is not yet known. Kaspersky reported dozens of victims, mainly in Russia, but assessed that the service has no geographic restrictions and could spread globally as development and promotion continue. Reported infrastructure includes webcrystal[.]lol, webcrystal[.]sbs, and crystalxrat[.]top. Reported sample hashes include 47ACCB0ECFE8CCD466752DDE1864F3B0, 2DBE6DE177241C144D06355C381B868C, 49C74B302BFA32E45B7C1C5780DD0976, 88C60DF2A1414CBF24430A74AE9836E0, E540E9797E3B814BFE0A82155DFE135D, and 1A68AE614FB2D8875CB0573E6A721B46.
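The defanged domains and MD5 hashes quoted above are the values a hunt would pivot on. The following is an added example (not code from the original page, from Kaspersky, or from Mallory) that refangs those indicators and matches them against mixed DNS, EDR and proxy log lines; the log lines are constructed, and the subdomain and look-alike cases show where naive substring matching goes wrong.

```python
import re

# Indicators quoted in the write-up above, in their published (defanged) form.
DOMAINS_DEFANGED = ["webcrystal[.]lol", "webcrystal[.]sbs", "crystalxrat[.]top"]
MD5S = ["47ACCB0ECFE8CCD466752DDE1864F3B0", "2DBE6DE177241C144D06355C381B868C",
        "49C74B302BFA32E45B7C1C5780DD0976", "88C60DF2A1414CBF24430A74AE9836E0",
        "E540E9797E3B814BFE0A82155DFE135D", "1A68AE614FB2D8875CB0573E6A721B46"]

def refang(text):
    """Undo common defanging anywhere in text: [.] (.) {.} -> '.', hxxp -> http."""
    text = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", text)
    return re.sub(r"\bhxxp", "http", text, flags=re.I)

DOMAINS = {refang(d).lower() for d in DOMAINS_DEFANGED}
HASHES = {h.lower() for h in MD5S}

def domain_matches(host):
    """True for an IOC domain or any subdomain of one (cdn.webcrystal.lol),
    but not for a look-alike that merely ends in the same characters."""
    host = refang(host).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

def scan_log(lines):
    """Return (line_no, kind, value) for each IOC hit in mixed DNS/EDR/proxy lines.
    Lines are refanged first so indicators pasted from reports still match."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = refang(raw)
        for h in MD5_RE.findall(line):
            if h.lower() in HASHES:
                hits.append((n, "md5", h.lower()))
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                hits.append((n, "domain", host.lower()))
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_LOG = [
    "2026-02-03T10:14:02Z dns host=WS01 qname=cdn.webcrystal.lol type=A",
    "2026-02-03T10:14:05Z edr host=WS01 image=C:\\Users\\u\\svc4821.exe "
    "md5=47accb0ecfe8ccd466752dde1864f3b0",
    "2026-02-03T10:15:11Z dns host=WS02 qname=notwebcrystal.lol type=A",
    "2026-02-03T10:16:40Z proxy host=WS03 url=hxxps://crystalxrat[.]top/ws",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```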


MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

T1059.003 Windows Command Shell (evidence: 2)

The remote access module can be used to execute commands via CMD, upload/download files, browse the file system, and control the machine in real time via built-in VNC.

Stealth

4 techniques
T1027.013 Encrypted/Encoded File (evidence: 1)

The generated payloads are zlib-compressed and encrypted with the ChaCha20 symmetric stream cipher for protection.

T1497 Virtualization/Sandbox Evasion (evidence: 2)

It uses anti-debugging techniques such as proxy and MITM checks, VM detection, anti-attach loops, and stealth patches that bypass security functions, making analysis and detection more difficult.

T1497.001 System Checks (evidence: 2)

The malware provides a user-friendly control panel and an automated builder tool that supports customization options, including geoblocking, executable customization, and anti-analysis features (anti-debugging, VM detection, proxy detection, etc.).

T1622 Debugger Evasion (evidence: 3)

It uses anti-debugging techniques such as proxy and MITM checks, VM detection, anti-attach loops, and stealth patches that bypass security functions, making analysis and detection more difficult.

Credential Access

2 techniques
T1056.001 Keylogging (evidence: 3)

The RAT includes a keylogger that streams keystrokes in real time.

T1555 Credentials from Password Stores (evidence: 3)

The stealer extracts the victim's credentials for Steam, Discord, and Telegram from the system. It also gathers data from Chromium-based browsers using the popular ChromeElevator utility.

Discovery

5 techniques
T1082 System Information Discovery (evidence: 3)

It performs an initial collection of system information, after which all data is sent in JSON format as plain text.

T1083 File and Directory Discovery (evidence: 3)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

T1497 Virtualization/Sandbox Evasion (evidence: 2)

It uses anti-debugging techniques such as proxy and MITM checks, VM detection, anti-attach loops, and stealth patches that bypass security functions, making analysis and detection more difficult.

T1497.001 System Checks (evidence: 2)

The malware provides a user-friendly control panel and an automated builder tool that supports customization options, including geoblocking, executable customization, and anti-analysis features (anti-debugging, VM detection, proxy detection, etc.).

T1622 Debugger Evasion (evidence: 3)

It uses anti-debugging techniques such as proxy and MITM checks, VM detection, anti-attach loops, and stealth patches that bypass security functions, making analysis and detection more difficult.

Collection

7 techniques
T1056.001 Keylogging (evidence: 3)

The RAT includes a keylogger that streams keystrokes in real time.

T1113 Screen Capture (evidence: 1)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

T1115 Clipboard Data (evidence: 3)

The RAT includes a keylogger that streams keystrokes in real time and a clipper that can alter clipboard data.

T1123 Audio Capture (evidence: 3)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

T1125 Video Capture (evidence: 3)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

T1185 Browser Session Hijacking (evidence: 1)

The RAT includes a keylogger that streams keystrokes in real time and a clipper that can alter clipboard data or inject malicious browser extensions to replace crypto wallet addresses.

T1560 Archive Collected Data (evidence: 1)

It decodes and decompresses the utility using base64 and gunzip and saves it to %TEMP%\svc[rndInt].exe, then creates a directory %TEMP%\co[rndInt], where the collected data is stored.

Command and Control

4 techniques
T1071 Application Layer Protocol (evidence: 1)

When launched, the malware establishes a connection to its C2 using a hard-coded URL over the WebSocket protocol.

T1071.001 Web Protocols (evidence: 2)

The malware connects to the command-and-control (C2) via WebSocket and sends info about the host for profiling and infection tracking.

T1105 Ingress Tool Transfer (evidence: 2)

The remote access module can be used to execute commands via CMD, upload/download files, browse the file system, and control the machine in real time via built-in VNC.

T1219 Remote Access Tools (evidence: 3)

It also enables full remote access, allowing attackers to run commands, manage files, control the screen via VNC, and capture audio and video.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

The collected data is exfiltrated to the C2.

Other

1 technique
T1562 Impair Defenses (evidence: 1)

Stealth patches: patches for functions such as AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump.

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 3 tracked (IPs, domains, and DNS infrastructure linked to this family).

Hashes: 6 tracked (file hashes, MD5, SHA-1, or SHA-256, from samples and reports).
