CrystalX Malware-as-a-Service Spreads via Telegram With Stealer, RAT Tools
Hackers are actively promoting a new malware-as-a-service (MaaS) platform called CrystalX RAT through private Telegram channels, offering cybercriminals a powerful toolkit that combines remote access, data theft, surveillance, and even prank-based disruption features.
Security researchers identified the campaign in March 2026, noting that the malware is being sold under a subscription model with three pricing tiers.
What makes CrystalX stand out is its unusually broad feature set, blending traditional RAT capabilities with stealer, keylogger, clipper, spyware, and prankware functions an uncommon combination in today’s threat landscape.
Early users quickly pointed out similarities with the known WebRAT (also called Salat Stealer), including identical panel layouts, Go-based development, and similar bot-driven sales mechanisms.

CrystalX RAT was first observed in January 2026 under the name “Webcrystal RAT” in a private Telegram group focused on malware development.
The malware was later rebranded as CrystalX RAT and relaunched with more aggressive promotion. Threat actors now advertise it via dedicated Telegram channels featuring giveaways, polls, and access key promotions.
A YouTube channel has also been set up to showcase its capabilities, signaling a shift toward more structured cybercriminal marketing.
The MaaS platform provides an automated builder that allows buyers to customize malware payloads. Options include geofencing, anti-analysis features, and executable customization.
Each payload is compressed using zlib and encrypted with ChaCha20. The malware includes multiple anti-analysis techniques, such as:
- Detection of proxy tools like Fiddler or Burp Suite via registry checks.
- Virtual machine detection using process and hardware inspection.
- Anti-debugging loops that monitor execution anomalies.
- Patching of security-related functions like AMSI and ETW.
These features are designed to evade detection and hinder security analysis.

The malware stores collected data in temporary directories before exfiltrating it in JSON format. For browsers like Yandex and Opera, it uses custom decryption routines directly on the infected system.
Interestingly, current samples lack active stealer functionality, suggesting the developers are updating this module before redeployment.
CrystalX includes a real-time keylogger that streams user keystrokes directly to the attacker. It also features a clipboard hijacker capable of replacing cryptocurrency wallet addresses with attacker-controlled ones.

The clipper works by injecting a malicious browser extension into Chrome or Edge. This extension monitors clipboard activity and swaps wallet addresses using dynamically generated scripts, making it particularly dangerous for crypto users.
The RAT enables full system control, allowing attackers to execute commands, upload files, and browse the file system. It also includes a built-in VNC module for live screen monitoring and interaction.
Additional surveillance capabilities include:
- Microphone audio capture.
- Webcam video streaming.
- Input blocking to prevent user interference.
These features make CrystalX a comprehensive espionage tool.
One of the most unusual aspects of CrystalX is its “Rofl” module, which allows attackers to troll victims. Functions include:
- Rotating the screen or changing wallpapers.
- Swapping mouse buttons.
- Displaying fake messages or notifications.
- Disabling system components like Task Manager.
- Forcing shutdowns or simulating system crashes.
Attackers can even initiate a chat window with victims, blending harassment with control.
Although current infections appear concentrated in Russia, the MaaS platform has no geographic restrictions. Researchers have already observed multiple new versions of the malware, indicating active development.
With its expanding feature set and aggressive promotion strategy, CrystalX RAT is likely to attract more cybercriminals in the coming months, increasing the risk of global infections.