Find notable cyber news and cases, enriched with sources, timelines, and signals.

CrystalRAT Telegram-promoted malware-as-a-service

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The CrystalRAT malware-as-a-service is being promoted on Telegram and YouTube with remote access, data theft, keylogging, and clipboard hijacking, increasing the risk of credential and wallet theft on infected systems. The offer uses a tiered subscription model and adds prankware features that can distract victims while theft modules operate. It also includes a control panel and automated builder that make deployment and customization easier for operators.

Related Happenings

Discord defaults voice and video calls to end-to-end encryption

Security Tool/Service
H score58 First: 19.05.2026 23:37 Last: 19.05.2026 23:37 Sources 1

About this happening: **Discord** has made **end-to-end encryption (E2EE)** the default for **voice and video calls**, strengthening privacy across a widely used communications platform. The rollout wa...

Gremlin stealer modular toolkit evolution

Malware Activity
H score21 First: 15.05.2026 17:19 Last: 15.05.2026 17:19 Sources 1

About this happening: The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...

REMUS underground ecosystem shift changes threat-actor operations

Threat Actor Meta
H score6 First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: The **REMUS underground operation** is turning **REMUS** into a continuously updated **MaaS** product, increasing **operational scalability** and monetization risk across undergro...

REMUS infostealer browser-session and password-manager collection expansion

Malware Activity
H score21 First: 15.05.2026 17:02 Last: 15.05.2026 17:02 Sources 1

About this happening: **REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....

Bluekit alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score25 First: 30.04.2026 21:58 Last: 30.04.2026 21:58 Sources 1

About this happening: Bluekit's **AI-assisted** phishing kit has expanded into an **all-in-one** service, lowering the barrier for cybercriminal operators and signaling a more industrialized phishing m...

Latest development: 25.06.2026 18:00

Bluekit phishing-as-a-service added browser-in-the-middle (BitM) login theft and nearly 70 new hostnames over the past week. Netcraft said the kit now uses the open-source JavaScript library rrweb to serialize the page DOM and stream it over a WebSocket connection, while the live 5-second monitoring system and victim qualification checks remain in use.

Timeline

  1. 02.04.2026 02:17 2 articles · 3mo ago

    CrystalRAT Telegram-promoted malware-as-a-service

    Initial Disclosure

    In **January**, **CrystalRAT** appeared as a **tiered subscription** service and began being marketed on **Telegram**. The early offer centered on selling remote access and data-theft functions as a subscription product.

    Show sources