CrystalRAT malware-as-a-service expands with multi-functional capabilities

1 unique source, 1 article

Summary

A new malware-as-a-service (MaaS) named CrystalRAT is being actively promoted on Telegram and YouTube, offering remote access, data theft, keylogging, clipboard hijacking, and extensive prankware features. The malware, first observed in January 2026, employs a tiered subscription model and shares technical similarities with the Salat Stealer (WebRAT), including Go-based code and a bot-driven sales system. CrystalRAT’s payloads are compressed and encrypted using zlib and ChaCha20, respectively, and communicate with command-and-control (C2) servers via WebSocket. The malware targets Chromium-based browsers, desktop applications (Steam, Discord, Telegram), and includes spyware capabilities such as audio/video capture, real-time keylogging, and wallet address clipper functionality. Despite its prankware features—such as system shutdowns, input device disabling, and desktop manipulation—CrystalRAT remains a potent threat for data exfiltration and espionage.

Timeline

  1. 02.04.2026 02:17 · 1 article

    CrystalRAT malware-as-a-service expands to include data theft and prankware features

    A new MaaS named CrystalRAT was first observed in January 2026, with active promotion on Telegram and YouTube. The malware combines RAT, infostealer, keylogger, clipboard hijacker, and spyware capabilities, alongside extensive prankware features designed to disrupt victim systems. Payloads use zlib compression and ChaCha20 encryption, with C2 communication over WebSocket. The infostealer targets Chromium browsers and popular desktop applications, while spyware modules enable audio/video capture, real-time keylogging, and cryptocurrency wallet address interception.


Information Snippets

  • CrystalRAT is distributed as a malware-as-a-service (MaaS) with subscriptions promoted via Telegram and YouTube, first observed in January 2026.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • The malware shares technical similarities with Salat Stealer (WebRAT), including Go-based code, panel design, and a bot-based sales system.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • CrystalRAT payloads are compressed using zlib and encrypted with the ChaCha20 symmetric stream cipher before delivery.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • C2 communication occurs via WebSocket, with host profiling and infection tracking data sent to the server.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • The infostealer component targets Chromium-based browsers (via ChromeElevator), Yandex, Opera, and desktop applications such as Steam, Discord, and Telegram.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • Remote access features include command execution via CMD, file upload/download, file system browsing, and real-time VNC-based control.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • Spyware capabilities include audio/video capture from the microphone, real-time keylogging, and clipboard hijacking for cryptocurrency wallet address replacement.

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • Prankware features include desktop wallpaper changes, display orientation alterations, forced system shutdowns, mouse button remapping, input device disabling, fake notifications, cursor manipulation, and hiding system components (desktop icons, taskbar, Task Manager, Command Prompt executable).

    First reported: 02.04.2026 02:17
    1 source, 1 article
  • The infostealer module’s data theft capabilities were temporarily disabled for upgrades at the time of analysis.

    First reported: 02.04.2026 02:17
    1 source, 1 article