
CrystalX RAT: A New Breed of Multi-Feature Malware – Q&A

Last updated: 2026-05-03 01:12:52 · Software Tools

Discovered in early 2026, CrystalX RAT emerged as a versatile malware-as-a-service (MaaS) promoted via private Telegram channels. It combines traditional remote access trojan (RAT) functions with spyware, a stealer, keylogger, clipper, and even prankware modules—designed to annoy or troll victims. Below, we answer key questions about this unique threat.

1. What is CrystalX RAT and how is it distributed?

CrystalX RAT is a Windows backdoor written in Go, sold as a subscription-based MaaS with three tiers. It first appeared in January 2026 on a private Telegram chat for RAT developers, originally named Webcrystal RAT. The author actively promoted it, sharing screenshots of its web panel. Later, it was rebranded to CrystalX RAT and moved to a dedicated Telegram channel with marketing tactics like giveaways and polls. A YouTube channel was also created to showcase its capabilities. Distribution is controlled by a bot that sells access keys to the control panel, and the builder generates customized implants per subscriber.

Source: securelist.com

2. What makes CrystalX unique compared to other RATs?

Unlike typical RATs that focus on remote control or data theft, CrystalX bundles an unusually broad feature set. Alongside standard backdoor functions (file management, shell commands), it includes a keylogger, clipper (to intercept clipboard data), and spyware that can capture screenshots, webcam feeds, and microphone audio. More surprisingly, it adds prankware capabilities: modules that play sounds, change desktop wallpapers, open pop-up messages, or simulate hardware failures. This combination of serious espionage tools and joke-like annoyances makes CrystalX stand out, blurring the line between cybercrime and trolling.

3. How does CrystalX protect itself from analysis and detection?

Each implant is compressed with zlib and then encrypted with ChaCha20 using a hardcoded 32-byte key and 12-byte nonce. The malware includes several anti-analysis layers: a MITM check that scans for intercepting proxies (e.g., Fiddler, Burp Suite) and their certificates; a VM detection routine that checks running processes, guest tools, and hardware; an anti-attach loop that continuously monitors debug flags, ports, hardware breakpoints, and execution timing; and stealth patches for security functions such as AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump. These measures make debugging and sandboxing difficult.

4. What stealer and spyware capabilities does CrystalX have?

Upon execution, CrystalX connects to its command-and-control server and can exfiltrate a wide range of data. The stealer component targets browser credentials, cookies, autofill data, cryptocurrency wallets, and FTP client passwords. The spyware adds real-time surveillance: it can capture keystrokes (keylogger), monitor clipboard changes (clipper), take screenshots at intervals, record webcam and microphone, and log active window titles. All stolen data is encrypted and sent to the panel. The operator can also download additional files or execute arbitrary commands on the infected machine.

5. What are the prankware features in CrystalX?

Prankware is a distinct set of modules designed to harass or confuse the victim. These include playing random sounds, changing the desktop background to offensive images, opening and closing the CD/DVD tray, displaying fake error messages, simulating system crashes, or flooding the screen with pop-up windows. Some modules can invert colors, mess with mouse settings, or hide the taskbar. While these actions may seem juvenile, they serve to distract the user from the stealthy data theft happening in the background. Together with the spyware, prankware adds a psychological layer to the attack, frustrating the victim and complicating incident response.


6. How is the malware builder configured and delivered?

The control panel provides an auto-builder that lets subscribers customize each implant. Configuration options include geoblocking by country (e.g., skip Russian IPs), anti-analysis toggles (VM detection, proxy checks), an executable icon picker, and persistence mechanisms. The builder compresses the final payload with zlib, encrypts it with ChaCha20 using the hardcoded key/nonce, and wraps it in a loader. This loader may be delivered via phishing emails, malicious downloads, or droppers. Subscribers receive unique access keys via the Telegram bot to control their victims through the web panel.

7. What is the origin and history of CrystalX RAT?

The malware was first reported in January 2026 on a private Telegram group for RAT developers under the name Webcrystal RAT. Many users noted its control panel design closely resembled that of WebRAT (also known as Salat Stealer). Both were written in Go, and the bot messages selling access keys were nearly identical. After criticism, the author rebranded the malware to CrystalX RAT, launched a new Telegram channel, and began aggressive marketing including giveaways, polls, and a YouTube promo video. Despite accusations of being a copy, the author continues to develop the malware, adding features like prankware to differentiate it.

8. How does Kaspersky detect CrystalX RAT?

Kaspersky products detect this threat under several signatures depending on the variant and component. These include Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, and Trojan.Win32.Agentb.gen. Behavioral detection also identifies its malicious activities such as keylogging, clipboard theft, and anti-debugging tricks. Users should keep their security software updated to protect against this evolving threat.