190/69 Friday, April 3, 2026

Security researchers from Kaspersky have discovered a new malware strain named CrystalRAT (also known as CrystalX), which is being promoted as a Malware-as-a-Service (MaaS) offering via platforms like Telegram and YouTube. Written in Go and showing similarities to earlier threats such as WebRAT, this malware adopts a tiered subscription model to attract cybercriminals of all skill levels, from beginners to professionals, by providing easy access to powerful attack tools through a customizable and user-friendly control panel.
From a technical perspective, CrystalRAT is a highly versatile threat. It functions as a Remote Access Trojan (RAT), allowing attackers to remotely control infected machines in real time via VNC, record video and audio through the webcam and microphone, and operate as an infostealer to harvest sensitive data such as passwords and browser cookies. It also targets data from applications like Steam, Discord, and Telegram. Additional capabilities include a clipper feature that replaces cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses, and a keylogger that captures keystrokes and sends them to a command-and-control (C2) server. To evade detection, the malware encrypts its communications using ChaCha20.
What sets CrystalRAT apart from typical malware is the inclusion of prankware features (listed under a “Rofl” menu), such as flipping the screen, hiding the taskbar, locking the mouse and keyboard, or displaying fake alerts. These features may be used to distract victims while data is being exfiltrated in the background or to harass and potentially extort victims. Users are strongly advised to avoid downloading software from untrusted sources and to be cautious of suspicious links, as this sophisticated malware poses a significant risk of data theft and system compromise.
