Sophisticated CrystalX RAT Emerges

Summary

Kaspersky has identified CrystalX RAT, a new malware-as-a-service written in Go that combines spyware, information-stealing, and remote access trojaning capabilities. Originally launched as Webcrystal RAT in January with control panel similarities to WebRAT, it has been actively promoted on Telegram and YouTube and features auto-builder options, geoblocking, anti-analysis evasion, and modules for credential harvesting, keylogging, clipboard manipulation, and screen control. Although currently limited to Russia with dozens of confirmed infections, the malware lacks regional restrictions and is actively developed, posing a significant risk for global proliferation.

Full text

A new malware-as-a-service (MaaS) has been promoted on Telegram as combining spyware, stealer, and remote access capabilities, Kaspersky reports. Named CrystalX RAT, it emerged in January, when it was offered as Webcrystal RAT. Featuring a control panel identical to WebRAT, it was later rebranded, and its developer started promoting it both on Telegram and YouTube. The malware control panel offers access to an auto‑builder featuring options such as geo-blocking and anti‑analysis, and allows users to generate compressed and encrypted implants. Written in Go, the RAT establishes a WebSocket connection to its command-and-control (C&C) server immediately after execution, then starts collecting system information. After sending the collected system data, the malware executes an information-stealing module that harvests Discord, Steam, and Telegram credentials, as well as data from Chrome-based browsers. The RAT also packs a keylogger module that instantly sends all user input to the C&C via WebSocket. It also allows operators to read and modify the victim’s clipboard and can inject a malicious clipper into Chrome and Edge, Kaspersky notes.Advertisement. Scroll to continue reading. CrystalX RAT supports multiple remote access commands, allowing operators to upload files, browse files, or execute commands. Courtesy of an integrated VCN, it also enables operators to control the victim’s screen remotely and can capture audio and video streams using the system’s microphone and camera. “Since both the attacker and the victim use the same session, the panel provides a number of buttons to block user input so that the attacker can perform necessary actions unhindered,” Kaspersky explains. The control panel also provides access to a series of separate commands that allow users to prank their victims, the cybersecurity firm says. Using these commands, the operators can change the desktop background, change the screen orientation, shut down the device, remap mouse buttons, disconnect peripherals, display custom notifications, change cursor position chaotically, and disable various GUI components. “Moreover, the attacker can send a message to the victim, after which a dialog window will open in the system, allowing a bidirectional chat,” Kaspersky notes. The cybersecurity firm says CrystalX RAT has already infected dozens of individuals. Although it has been used only in Russia, the MaaS does not have regional restrictions and could soon be used globally. “Moreover, our telemetry has recorded new implant versions, which indicates that this malware is still being actively developed and maintained. Combined with the growing PR campaign for CrystalX RAT, it can be concluded that the number of victims can increase significantly in the near future,” Kaspersky says. Related: New DeepLoad Malware Dropped in ClickFix Attacks Related: Axios NPM Package Breached in North Korean Supply Chain Attack Related: Iranian Hackers Likely Used Malware-Stolen Credentials in Stryker Breach Related: ‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Axios NPM Package Breached in North Korean Supply Chain AttackTeamPCP Moves From OSS to AWS EnvironmentsCrewAI Vulnerabilities Expose Devices to HackingExploitation of Critical Fortinet FortiClient EMS Flaw BeginsStrongSwan Flaw Allows Unauthenticated Attackers to Crash VPNsLloyds Data Security Incident Impacts 450,000 IndividualsHuskeys Emerges From Stealth With $8 Million in FundingRussian APT Star Blizzard Adopts DarkSword iOS Exploit Kit Latest News Variance Raises $21.5M for Compliance Investigation Platform Powered by AI AgentsLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingToy Giant Hasbro Hit by CyberattackNew DeepLoad Malware Dropped in ClickFix AttacksExploited Zero-Day Among 21 Vulnerabilities Patched in ChromeFBI Warns of Data Security Risks From China-Made Mobile AppsUS Charges Uranium Crypto Exchange Hacker Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveModerna has promoted Farzan Karimi to Deputy Chief Information Security Officer.Brian Goldfarb has been appointed Chief Marketing Officer at SentinelOne.Token has appointed Katy Nelson as Chief Revenue Officer.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — CrystalX RAT
• malware — Webcrystal RAT

Entities