Kaspersky's GReAT team has analyzed CrystalX RAT, a newly discovered malware-as-a-service (MaaS) first promoted in private Telegram chats in early 2026. Written in Go and rebranded from 'Webcrystal RAT', it offers three subscription tiers and an extensive feature set: stealer (credentials from Steam, Discord, Telegram, Chromium browsers), keylogger, clipboard hijacker with crypto-wallet substitution via browser extension injection, full remote access with VNC, microphone/camera capture, and anti-analysis techniques including VM detection, MITM proxy checks, and AMSI/ETW patching. Uniquely, it includes a 'Rofl' prankware section allowing attackers to rotate screens, remap mouse buttons, shake the cursor, disable the taskbar, and more. Current infections are concentrated in Russia but the MaaS has no regional restrictions. Active development and a growing PR campaign suggest the victim count may rise significantly.

7m read time. From securelist.com