CrystalX RAT: A Multi-Tool Malware Combining Spyware, Stealer, and Prank Features

CrystalX RAT discovered in 2026 combines spyware, stealer, and prankware features, offered as MaaS on Telegram with aggressive marketing.

Casino88 · 2026-05-04 12:58:04 · Software Tools

Introduction

In March 2026, cybersecurity researchers uncovered an active campaign promoting a previously unknown malware through private Telegram chats. This trojan, offered as a Malware-as-a-Service (MaaS) with three subscription tiers, immediately drew attention due to its unusually broad feature set. Alongside standard Remote Access Trojan (RAT) functionality, it includes a stealer, keylogger, clipper, and spyware modules. Most notably, it also incorporates prankware capabilities—a collection of features designed to trick, annoy, and troll users. This unique blend makes CrystalX a standout threat in its category. Kaspersky products detect this malware under the names Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, and Trojan.Win32.Agentb.gen.

CrystalX RAT: A Multi-Tool Malware Combining Spyware, Stealer, and Prank Features
Source: securelist.com

Background and Evolution of CrystalX

Initial Discovery and Rebranding

The malware first appeared in January 2026 within a private Telegram chat frequented by RAT developers. The author, actively promoting their creation under the name Webcrystal RAT, shared screenshots of a web control panel. Community members quickly noted that the panel layout closely resembled that of the existing WebRAT (also known as Salat Stealer), leading many to label the new malware as a copycat. Additional similarities included the use of the Go programming language and the messaging style of the bot selling access keys—both nearly identical to those of WebRAT bots.

Some time later the malware was rebranded as CrystalX RAT. Promotion moved to a dedicated new Telegram channel, which became quite active with marketing gimmicks such as access key giveaways and polls. The author also expanded outreach beyond Telegram by creating a YouTube channel with a review video of the malware's capabilities.

Marketing Tactics

The CrystalX promotional campaign employs several aggressive marketing techniques. On Telegram, the channel hosts regular draws for free access keys and conducts polls to engage potential buyers. The accompanying YouTube channel aims to attract a wider audience by demonstrating the malware's features in action. Such tactics underscore the developer's intent to build a customer base and legitimize the tool within underground communities.

Technical Architecture

Builder and Configuration

The malware's control panel ships with an auto-builder that lets buyers customize implants extensively: selective geoblocking by country, anti-analysis functions, and the choice of executable icon. Each generated payload is compressed with zlib and then encrypted with ChaCha20 using a hard-coded 32-byte key and a 12-byte nonce. This layering complicates detection and analysis, but because both the key and the nonce are fixed, recovering them from one sample is enough to unpack any other payload built with the same values.

Anti-Debugging and Evasion

CrystalX incorporates basic anti-debugging functionality combined with several optional evasion capabilities:

  • MITM Check: Detects interception proxies by reading the proxy settings stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, matching them against a blacklist of tool names such as Fiddler, Burp Suite, and mitmproxy, and looking for those tools' certificates among the installed certificates.
  • VM Detection: Checks running processes, presence of guest tools, and hardware characteristics to identify virtualized environments.
  • Anti-Attach Loop: Runs an infinite loop that checks for debug flags, debug ports, hardware breakpoints, and unusual program execution timings.
  • Stealth Patches: Patches key Windows API functions such as AmsiScanBuffer (script scanning), EtwEventWrite (ETW telemetry), and MiniDumpWriteDump (memory dumps) to blind security monitoring and hinder memory forensics.

These features collectively hinder analysis and detection by security researchers and automated systems.

Spyware and Data Theft Capabilities

Stealer Module

Upon execution, CrystalX establishes a connection to its command-and-control (C2) server. The stealer module then systematically collects sensitive data from the infected machine, including browser credentials, cookies, saved passwords, cryptocurrency wallet files, and instant messaging app data. A keylogger records all keystrokes, while a clipper monitors clipboard content and can replace cryptocurrency addresses with attacker-controlled ones during paste operations. These features enable both credential theft and real-time financial fraud.

Prankware Functions

What truly sets CrystalX apart is its prankware component—a set of features designed not for monetary gain but for harassment and amusement. These include the ability to remotely open and close the CD/DVD drive, flip the display upside down, change desktop wallpaper to embarrassing images, play random sounds, show fake error messages, and create pop-up windows that mimic system alerts. The attacker can also simulate keyboard activity, move the mouse erratically, or disable input devices temporarily. While seemingly harmless, these pranks can cause significant disruption and distress to the victim, especially in a corporate or educational setting.

Conclusion

CrystalX RAT represents a novel convergence of spyware, stealer, and prankware features under a single MaaS umbrella. Its developer's aggressive marketing on Telegram and YouTube, combined with a robust technical foundation—including anti-debugging measures and strong encryption—make it a formidable threat. The inclusion of prankware capabilities, while unusual, may serve as a distraction technique or simply cater to a niche demand among cybercriminals for tools that inflict psychological harm. Organizations and individuals should remain vigilant and ensure up-to-date security solutions are in place to defend against this multifaceted malware.