CrystalX Malware: A Unique Blend of Spyware, Stealer, and Prank Features

CrystalX malware combines spyware, stealer, keylogger, clipper, and prankware, sold as MaaS on Telegram. Discovered in March 2026, includes anti-debug features and resembles WebRAT.

Fbhchile · 2026-05-03 09:13:52 · Software Tools

In March 2026, cybersecurity researchers uncovered an active campaign promoting a previously unknown malware strain in private Telegram chats. Called CrystalX (originally Webcrystal RAT), this Trojan is sold as a malware-as-a-service (MaaS) with three subscription tiers. Its most striking characteristic is the combination of standard remote access trojan (RAT) functions—such as a stealer, keylogger, and clipper—with an extensive set of prankware features designed to annoy and troll users. This unusual mix makes CrystalX a distinctive threat in the current malware landscape. Kaspersky products detect it under names like Backdoor.Win64.CrystalX.*, Trojan.Win64.Agent.*, and Trojan.Win32.Agentb.gen. Below, we explore the malware's origins, capabilities, and unique traits through a series of frequently asked questions.

What is CrystalX malware and how was it discovered?

CrystalX is a remote access trojan (RAT) that first appeared in January 2026 within a private Telegram channel for RAT developers. The author promoted it under the name Webcrystal RAT, sharing screenshots of its web-based control panel. Observers quickly noted striking similarities to the existing WebRAT (also known as Salat Stealer)—including a nearly identical panel layout, the use of the Go programming language, and matching bot messages for selling access keys. These similarities led many to label CrystalX a copycat. After some time, the malware was rebranded as CrystalX RAT and moved to a dedicated Telegram channel, which now actively markets it through access key giveaways, polls, and even a YouTube channel featuring video demonstrations of its capabilities. The initial discovery of the active campaign occurred in March 2026, when Kaspersky researchers identified the malware being promoted and analyzed its technical features.

CrystalX Malware: A Unique Blend of Spyware, Stealer, and Prank Features
Source: securelist.com

What unique combination of features does CrystalX offer?

CrystalX stands out because it bundles capabilities from multiple threat categories into a single package. Besides standard RAT functions like remote shell and file management, it includes a stealer module that harvests credentials, a keylogger, a clipper (for hijacking cryptocurrency addresses), and spyware-like surveillance features. Most unexpectedly, it also offers a large set of prankware capabilities—tools designed to trick, annoy, or troll the user, such as fake error messages, screen manipulation, and other disruptive antics. This blend of serious data theft tools and playful but malicious tricks is highly unusual for a single Trojan. The malware is available as a malware-as-a-service (MaaS) with three subscription tiers, giving attackers flexible access to this diverse arsenal. The combination makes CrystalX particularly dangerous for victims and challenging for defenders because it can both steal sensitive data and cause irritating, distracting behavior that may go unreported.

How is CrystalX distributed and marketed?

CrystalX is primarily distributed through a private Telegram channel dedicated to the malware, where the author actively promotes it using marketing techniques such as access key draws, polls, and user interactions. The malware is sold as a MaaS product with three subscription tiers, each offering different levels of access to the control panel and features. Additionally, the author expanded promotion to YouTube by creating a channel that hosts a video review of CrystalX's capabilities. These efforts suggest a sophisticated, profit-driven approach to spreading the Trojan. The control panel itself includes an auto-builder that allows third-party actors to generate customized implants, choosing options like geoblocking by country, anti-analysis functions, and executable icons. Each implant is compressed with zlib and encrypted using ChaCha20 with a hard-coded 32-byte key and 12-byte nonce. This ease of customization and distribution makes CrystalX accessible even to less technically skilled criminals.

What anti-analysis and anti-debugging capabilities does CrystalX have?

CrystalX incorporates several layers of anti-analysis and anti-debugging features to evade detection and hinder investigation. By default, the builder offers optional anti-analysis functions, including:

  • MITM Check: Reads the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings to detect proxy usage, then blacklists processes like Fiddler, Burp Suite, and mitmproxy, and checks for installed certificates from these tools.
  • VM Detect: Examines running processes, the presence of guest tools, and hardware characteristics to identify virtual machines.
  • Anti-attach loop: Runs an infinite loop that verifies debug flags, debug ports, hardware breakpoints, and program execution timings to prevent debugging.
  • Stealth patches: Applies patches to functions such as AmsiScanBuffer, EtwEventWrite, and MiniDumpWriteDump to bypass security monitoring and crash dump analysis.

These capabilities make CrystalX more resilient against automated analysis and manual reverse engineering, increasing its chances of remaining undetected on compromised systems.

What are the stealer and data theft capabilities of CrystalX?

Upon execution, CrystalX establishes a connection to its command-and-control (C2) server and begins collecting sensitive data. Its stealer module is designed to harvest credentials from web browsers (such as saved login details and cookies), cryptocurrency wallets, FTP clients, and other applications. The keylogger component records keystrokes to capture passwords, messages, or other typed input. A clipper monitors clipboard content for cryptocurrency addresses and replaces them with the attacker's address, enabling theft of funds during transactions. The spyware features allow surveillance of the victim's screen, microphone, and webcam, as well as location tracking. Unlike many RATs that focus solely on remote control, CrystalX emphasizes data exfiltration. All stolen data is transmitted to the panel accessed by the attacker, who can then monetize it through direct theft or selling credentials. The inclusion of prankware does not diminish these serious theft capabilities; rather, it may serve to distract victims from the ongoing data breach.

How does CrystalX compare to other RAT malware and how is it detected?

CrystalX closely resembles WebRAT (Salat Stealer) in its panel design, Go language base, and marketing bot messages, leading experts to view it as a rebranded or copied version. However, its inclusion of prankware sets it apart from typical RATs, making it a hybrid threat that combines espionage and harassment. Unlike many modern RATs that are written in .NET or C++, CrystalX is compiled in Go, which can complicate static analysis and signature-based detection. Kaspersky detects CrystalX under multiple signatures: Backdoor.Win64.CrystalX.* for the backdoor component, Trojan.Win64.Agent.* and Trojan.Win32.Agentb.gen for variant trojans. The detection names reflect the malware's diverse capabilities. Organizations and individuals should employ layered defenses, including endpoint protection, network monitoring, and user awareness training to mitigate the risk of infection. The malware's evolution from Webcrystal RAT shows how threat actors can quickly adapt existing codebases to create new, more dangerous tools.